On May 16, 2012, the PCI Security Standards Council’s (“PCI SSC’s”) Mobile Working Group published its “At a Glance: Mobile Payment Acceptance Security” fact sheet (the “Guidance”), which outlines best practices for securely accepting payments via mobile devices. The Guidance offers merchants practical advice for partnering with a Point-to-Point Encryption (“P2PE”) solution provider and satisfying their PCI Data Security Standard compliance requirements in the context of mobile payment acceptance. The Guidance includes recommendations for maintaining data security throughout the payment lifecycle, including securing account data at the point of capture and using an approved hardware accessory in combination with a validated P2PE solution.
In its Guidance, the PCI SSC advises merchants using off-the-shelf mobile payment acceptance solutions to select a validated and properly implemented P2PE solution that ensures cardholder data is encrypted before it enters the mobile device. The fact sheet indicates that validated solution providers are responsible for ensuring that card readers used with the P2PE solution have been deemed compliant with the appropriate PCI SSC security requirements. The PCI SSC advises merchants that build their own mobile acceptance solutions to employ additional technology, including an approved “point of interaction” device (e.g., PIN entry device or card reader), to safely capture and encrypt cardholder data.
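The data flow the Guidance is describing, written out as a small model so the scoping argument is concrete: the approved point-of-interaction reader holds the key and encrypts account data before it reaches the phone, the merchant's mobile app forwards an opaque blob it cannot read, and only the P2PE solution provider decrypts. This is an added illustration, not code from the PCI SSC, the Guidance, or any vendor; the reader, app and provider classes, the constructed test PAN, and the HMAC-SHA256 keystream cipher (a stand-in for the hardware-backed AES/DUKPT a real reader would use) are all assumptions made for the example.

```python
"""Toy model of a P2PE mobile acceptance flow (illustrative, not a real product).

SecureCardReader  - the approved point-of-interaction device; key lives here,
                    plaintext account data never leaves it.
MerchantMobileApp - untrusted phone software; only ever handles ciphertext.
P2PEProvider      - the validated solution provider's decryption environment.
The cipher (HMAC-SHA256 keystream XOR, encrypt-then-MAC) is a stand-in for the
hardware cipher a real reader uses; do not reuse it outside this demo.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from key+nonce (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class SecureCardReader:
    """Encrypts at the point of capture, before data enters the mobile device."""

    def __init__(self, key: bytes):
        self._key = key  # injected at manufacture/key load; never exported

    def swipe(self, pan: str, expiry: str) -> dict:
        plaintext = json.dumps({"pan": pan, "exp": expiry}).encode()
        nonce = os.urandom(12)
        ciphertext = _xor(plaintext, _keystream(self._key, nonce, len(plaintext)))
        tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        # Only the truncated PAN (last four) travels in the clear, for the receipt.
        return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex(), "last4": pan[-4:]}


class MerchantMobileApp:
    """Out of scope for cardholder data: it has no key and sees only the blob."""

    def __init__(self):
        self.log = []  # simulates a chatty or compromised app that logs everything

    def forward(self, blob: dict) -> dict:
        self.log.append(json.dumps(blob))
        return blob


class P2PEProvider:
    """Decrypts inside the provider's validated environment, verifying the tag first."""

    def __init__(self, key: bytes):
        self._key = key

    def decrypt(self, blob: dict) -> dict:
        nonce = bytes.fromhex(blob["nonce"])
        ciphertext = bytes.fromhex(blob["ct"])
        expected = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
            raise ValueError("ciphertext failed authentication (tampered in transit)")
        return json.loads(_xor(ciphertext, _keystream(self._key, nonce, len(ciphertext))))


def run_transaction(pan: str, expiry: str, key: bytes = None):
    """Run one swipe end to end; return (decrypted data, whether the app ever saw the PAN)."""
    key = key or os.urandom(32)
    reader, app, provider = SecureCardReader(key), MerchantMobileApp(), P2PEProvider(key)
    blob = app.forward(reader.swipe(pan, expiry))
    decrypted = provider.decrypt(blob)
    pan_seen_by_app = any(pan in entry for entry in app.log)
    return decrypted, pan_seen_by_app


if __name__ == "__main__":
    data, leaked = run_transaction("4111111111111111", "12/29")  # constructed test PAN
    print("provider recovered:", data["pan"], "| app saw PAN:", leaked)
```

The point to take from running it is the scoping claim in the text: the app's log contains the full blob yet never the PAN, which is why a phone running a validated P2PE solution can fall outside the cardholder data environment, while a home-built solution without an approved reader would have plaintext track data inside the app.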
The Guidance also notes that using validated and properly implemented acceptance solutions may reduce the scope of merchants’ PCI DSS compliance obligations.