The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users was designed to create awareness of challenges in and best practices for accepting payments with a mobile device. The following are three key takeaways from the document:
- General-purpose mobile devices (i.e., smartphones, tablets, etc.) are designed with a primary goal of consumer ease-of-use; therefore, data security is not at the same level as traditional POS acceptance devices;
- There are specific steps merchants can take (found within the guidelines document) to ensure that the mobile payment acceptance service provider they’re evaluating will give them a strong mobile payment security posture; and
- Until mobile hardware and software deployments can meet stringent PCI guidelines, the best option is to encrypt cardholder data securely prior to using mobile devices to process transactions.
The following are our top 3 takeaways from the PCI DSS Cloud Computing Guidelines Information Supplement:
- Cloud security is not the sole responsibility of the CSP (Cloud Service Provider) nor its clients; It is truly a shared responsibility where each party should understand their roles and responsibilities for maintaining security and compliance;
- As with physical environments, security risk corresponds to whether the cloud environment is private or varying degrees of “open.” With increased access to the cloud environment comes increased exposure to risk; and
- There are 3 primary cloud service model platforms: Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS). The client’s level of control over their processes within the cloud environment varies significantly by service model.
The two new guideline documents can be accessed here:https://www.pcisecuritystandards.org/security_standards/documents.php
If you have any questions about the new SSC guidelines, or would like more information from the compliance and security professionals at ControlScan, just give us a call at 1-800-825-3301 x 2.