Visa Recommends Encryption and Tokenization on Mobile Transactions

by Mercator Advisory Group

In an announcement made in conjunction with Visa’s Security Summit in Washington, DC this week, the company released security guidance for card payment acceptance devices that leverage mobile technology. The guidance recommends data-level encryption and tokenization of card data in mobile transactions. Mobile Commerce Daily has the story:

Mobile devices that facilitate acceptance of credit card payments can provide added convenience to consumers and retailers. However, retailers and service providers must be sure to take security measures that protect sensitive cardholder information.

“There are existing security standards that apply to payments in general that would apply to mobile,” said Eduardo Perez, head of global payment system risk at Visa, San Francisco. “What we are doing is to provide guidance to solutions providers as they develop mobile acceptance solutions.”

Much of the focus on mobile payments is on enabling consumers to make purchases using their phones. However, many small and mid-sized businesses are also using mobile devices to process credit card payments.

To address the growth in mobile payments, Visa has introduced a set of guidelines for mobile acceptance service providers and retailers to help ensure they are taking adequate security measures.

There are important security considerations for mobile acceptance that go beyond those for traditional acceptance services because mobile devices and acceptance attachments are not designed to the same security requirements as traditional payment terminals, per Visa.

Also, merchants do not control the security of the network environments to which their acceptance devices connect wirelessly.

Visa’s guidelines lay out some of the more important security measures that should be taken, including encrypting all account data at the card-reader level and in transmission between the acceptance device and the processor.

Also very important is the need to enable truncation or tokenization of card numbers so merchants can identify cardholders without storing the full account data.

Other best practices suggested by Visa include the need for mobile acceptance service providers to provide the ability to track use and key activities within the mobile payment service and to ensure that account data electronically read from a payment card is protected against fraudulent use by unauthorized applications in a consumer mobile device.

The guidelines caution retailers to use mobile payment acceptance services only as originally intended and to limit access to mobile payment acceptance services.

Visa has put out security guidelines in the past related to other payment areas. This is the first move by the company to try to provide guidelines in the mobile acceptance area.

Enhanced security for mobile acceptance can help foster consumer trust in mobile commerce as it continues to grow.

“The mobile security environment today is still nascent,” Mr. Perez said. “These guidelines will help ensure providers make it convenient for consumers to use mobile acceptance solutions in a safe and secure manner.”
