WAKEFIELD, Mass. — When it comes to payment security, retailers tend to think of the PCI (Payment Card Industry) standard that they are obliged to follow if they process credit and debit card transactions.
However, the security of payments made by consumers on their NFC-equipped smartphones falls outside the PCI standard, said Troy Leach, chief technology officer of the PCI Security Standards Council here, which oversees the standard. In effect, it is the problem of the phone's providers, not the retailer, and is governed by other standards bodies such as EMV (Europay, MasterCard and Visa) and GSMA (Groupe Speciale Mobile Association).
“The use of NFC within a mobile device is focused directly at the consumer rather than the merchant environment,” he said.
However, retailers who process card payments using their own mobile equipment will need to pay attention to PCI requirements, which are still under development for mobile applications.
“We currently have a taskforce in place that is exploring how to effectively secure cardholder data in this manner,” said Leach.
As part of that effort, last June the PCI Security Standards Council provided guidance on which mobile applications allow merchants to accept and process payments securely and support PCI compliance.
In addition, last fall the Council updated its PIN Transaction Security (PTS) standard for POS equipment to cover card readers (such as magnetic stripe reader plug-ins) used with mobile phones. The update covers encryption of card data at the point of interaction, before it reaches the phone, as part of supporting point-to-point encryption (P2PE) technology.
This year, the Council will be releasing additional guidance for merchants “on how these requirements from two standards [PTS and P2PE] work together to create a secure mobile transaction,” said Leach.