Guest Column | February 22, 2012

Identifying The Gaps In Mobile Payment Security

By Rob Bertke, senior VP for R&D, Sage Payment Solutions

Unfortunately, many questions remain today about the security of mobile POS and payments. Mobile solutions cannot identify their IP, so they cannot be scanned for PCI in the traditional manner. At this time, scanning a mobile solution for PCI requires a unique certification (SAQ-CVT) that is not completely clear to those offering mobile solutions. Mobile solutions are also tightly coupled to the carriers they use, and moving a mobile solution to other regions or countries requires special considerations, which poses a challenge. Another important component is encryption of sensitive information at the hardware level. Most modern smartphones run nearly desktop-strength operating systems, which allows software to be written that reads attached hardware devices. This creates the potential for information to be skimmed from devices such as card readers. Card readers that implement encryption on the hardware itself prevent this skimming by software. So the lesson here is that if mobile is a key part of your environment, work with processors that have tightly integrated mobile solutions.
