After Square, PayPal, SalesVu and others introduced innovative ways to accept mobile payments with a smartphone or tablet, the PCI Council had to respond to the payment community. In a recently published paper, the PCI Council advises merchants that accept mobile payments via smartphone or tablet to use a validated point-to-point encryption (P2PE) solution.
The PCI Council has raised two scenarios:
- For merchants interested in using an off-the-shelf mobile payment acceptance solution: the PCI Council recommends partnering with a validated P2PE solution provider to ensure that the cardholder data (at least the PAN) is encrypted before it enters the mobile device. Using a P2PE solution validated by the PCI Council greatly reduces the risk that cardholder data is intercepted and used by a third party or malicious person, and reduces the impact of PCI DSS requirements on the merchant's information system. According to the PCI Council, a validated P2PE solution provider must ensure that any POI (point of interaction) used with the solution complies with the applicable PCI SSC requirements, including SRED (Secure Reading and Exchange of Data). Through the PIM (P2PE Instruction Manual), the provider also instructs merchants on how to protect and secure their mobile payment acceptance system. As part of PCI DSS compliance validation, the acquirer or card brands may require only the P2PE self-assessment questionnaire to be completed.
- For merchants interested in building their own mobile acceptance solution: the PCI Council recommends using at least an approved point of interaction (POI) and points out that smartphones and tablets were not designed to securely store cardholder data. The PCI Council recommends that merchants use complementary technology for cardholder data encryption in line with PCI DSS requirements. However, this type of solution has a direct impact on the merchant's PCI DSS scope, as the encrypted cardholder data remains in scope.
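To make the scope difference between the two scenarios concrete, here is an added toy simulation (not PCI Council, vendor or P2PE-provider code). The cipher is a stand-in for the POI's SRED encryption (HMAC-SHA256 in counter mode, encrypt-then-MAC, with keys held only by the POI and the decryption environment); the `MobileApp` class, the key names and the sample PAN are constructed for the example, and the "own solution" scenario is modelled as the merchant's app encrypting the PAN itself.

```python
import hashlib
import hmac
import os

ENC_KEY = os.urandom(32)   # held by the POI and the P2PE decryption environment only
MAC_KEY = os.urandom(32)   # never provisioned to the smartphone/tablet
SAMPLE_PAN = "4111111111111111"  # constructed test value, not a real card number

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in PRF keystream: HMAC-SHA256 over nonce||counter, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_pan(pan: str) -> bytes:
    """SRED-style encryption: nonce || ciphertext || HMAC tag over (nonce || ciphertext)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(ENC_KEY, nonce, len(pan))))
    return nonce + ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()

def decrypt_pan(blob: bytes) -> str:
    """P2PE decryption environment: reject tampered messages, then recover the PAN."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered P2PE message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct)))).decode()

class MobileApp:
    """The merchant's phone/tablet app; it records every byte string it ever handled."""
    def __init__(self) -> None:
        self.handled: list[bytes] = []

    def relay(self, data: bytes) -> bytes:
        self.handled.append(data)
        return data

    def saw_clear_pan(self, pan: str) -> bool:
        # True if the clear PAN ever passed through the device (i.e. the device is in scope)
        return any(pan.encode() in d for d in self.handled)

def scenario_validated_p2pe(pan: str) -> tuple[str, bool]:
    """Scenario 1: the POI encrypts, the app only forwards ciphertext it cannot read."""
    app = MobileApp()
    return decrypt_pan(app.relay(encrypt_pan(pan))), app.saw_clear_pan(pan)

def scenario_own_solution(pan: str) -> tuple[str, bool]:
    """Scenario 2: the clear PAN reaches the app, which encrypts it itself (device in scope)."""
    app = MobileApp()
    blob = encrypt_pan(app.relay(pan.encode()).decode())
    return decrypt_pan(blob), app.saw_clear_pan(pan)
```

In both scenarios the decryption environment recovers the same PAN; the difference is whether the mobile device ever held it in the clear, which is exactly what drives the PCI DSS scope discussion above.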