Technology/Services

Sleeping Easier Over Mobile Security

Coalfire's Fritsche addresses payment, "hardened" devices, risk, more

OAKBROOK TERRACE, Ill. -- While the evolution of payments at retail marches slowly but steadily toward mobile phones, concerns are arising about data security and where breaches may occur.


Retailers such as Jenny Bullard, CIO for Waycross, Ga.-based Flash Foods, raised the issue at a recent CSP forum on risk management, saying security in general was a concern that “kept her up at night.”

To address those issues with regard to mobile payment, Dan Fritsche, managing director of application security at Coalfire Labs, a data security management firm based in Louisville, Colo., answered a few questions:

Q: What should retailers be concerned about with offering mobile payment?

A: First, a couple of definitions--consumer-based mobile payments (apps that run on a consumer’s device and only that cardholder is inputting their own card information, essentially mobile wallets) are not covered under payment-card industry (PCI) requirements that we typically deal with; however, we do strongly recommend an independent, third-party review to make sure [those apps are] following security best practices. For merchant-based mobile applications (apps that run on the merchant’s device and have input from multiple cardholder credit cards, or a mobile point-of-sale), there are currently no standards from PCI for a mobile offering, but there are mobile guidelines. In order for them to be compliant, we again recommend an independent, third-party review.

Q: With those definitions in mind, what should a retailer be worried about?

A: Mobile security has several concerns in that the device itself is not as “hardened” as traditional PC or personal-computer operating systems. Secure memory is one concern when storing any sensitive data, whether it’s credit-card data, passwords or personal information. There’s also the ability for applications to access various functions across the mobile device, such as address books, physical location information, pictures or the camera. These are all unique areas of concern for many applications.

Q: What can retailers do about their customers’ phones?

A: Consumers’ phones cannot be hardened, so they pose a risk to any merchant who has an application that somehow interacts with their environment. Properly developed APIs [application programming interfaces] can help protect against these things, but as with any other security approach, defense in depth is critical here.

Q: What can retailers do to mitigate risk?

A: Apply standard security practices to mobile solutions, and then go beyond that to consider the unique risks mobile solutions introduce. As previously mentioned, utilize an independent, third party for review, penetration testing and security validation of mobile solutions. For merchant-based mobile solutions, harden the devices in use, and ensure developers are following secure SDLC [software development lifecycle] practices. Double check any claims from a mobile-solution provider you may use. Have they done everything to ensure the security of their solutions?

Q: Other advice?

A: Continually check on the latest information. This space is changing quickly, and there are often newer and better ways of managing these risks. Also, make sure you understand the risks you are introducing with any new payment solution. Treat any sensitive data as if the environment is already compromised. If that is true, are you protecting that data properly?

For more on mobile payments, look for the July issue of CSP magazine and editor Angel Abcede’s monthly technology section.
