VISA SECURITY BEST PRACTICES    27 April 2011

Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 1.0

The payment and mobile worlds are rapidly converging as merchants begin to use consumer mobile devices
(such as smart phones and tablet computing platforms) to facilitate card payments both within and,
increasingly, outside of the traditional retail environment.

As with any new acceptance mechanism, there are security considerations that need to be addressed prior to
use. For example, as part of a mobile acceptance solution a consumer mobile device may be used to facilitate
face-to-face customer payments; however, these mobile devices have limited native security controls.
Additionally, merchants that use a consumer mobile device (or a similar device) as part of an acceptance
solution may not have direct control of the security of the environment in which the device is used. Therefore, a
mobile acceptance solution must include adequate supplementary technical and procedural controls to limit a
fraudster’s ability to steal sensitive account information.

To promote the security and integrity of the payment system, Visa is committed to helping mobile payment
acceptance solution vendors, merchants and acquirers better understand their responsibility to keep account
data secure when using mobile payment acceptance solutions.

Scope

These best practices are intended for two distinct audiences: vendors that develop mobile payment acceptance
solutions and merchants that use these solutions. For the purposes of this document, a vendor is any entity
that develops mobile payment acceptance solutions, either in-house or on behalf of another organisation.

Beyond these best practices, vendors, merchants and acquirers must follow all Visa requirements for magnetic
stripe, chip and contactless acceptance (where supported) [1]. The mobile payment solution should also adhere
to the principles set out in the Payment Card Industry Data Security Standard (PCI DSS) and Payment
Application Data Security Standard (PA-DSS).

Although not in the scope of this document, acquirers must follow the practices outlined in Visa Operating
Regulations and adopt the guidelines established in other related ancillary documents. In particular, acquirers
must adhere to Visa Operating Regulations due diligence requirements when on-boarding and monitoring their
merchants, and they must be in compliance with all local laws and regulations regarding merchants, including
adequate Know Your Customer (KYC) and Anti-Money Laundering (AML) due diligence requirements.

Definitions

Consumer Mobile Device: Any electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely
dedicated to payment acceptance and that has the ability to wirelessly communicate account data (via GSM,
GPRS, CDMA, etc.) for transaction processing.

Mobile Payment Acceptance Solution: Consists of a mobile payment application, a consumer mobile device and,
where account data is electronically read from a payment card, a hardware accessory capable of reading
account data. Solutions that do not electronically read account data may not be acceptable in all territories or
may face some restrictions. Members must review local Visa Operating Regulations prior to providing mobile
payment acceptance solutions to merchants.




[1] For EMV acceptance, the device must (1) have a valid and current type approval, (2) have passed the Visa Acquirer
Device Validation Toolkit (ADVT) for EMV contact, and (3) where contactless technology is used, have passed the Visa
payWave Test Tool (VpTT). For PIN-based transactions, a consumer mobile device is not acceptable for PIN entry; instead,
the PIN must be entered on an additional hardware accessory that is PCI PTS approved and that functionally supports the
Secure Reading and Exchange of Data (SRED) module.




Best Practices for Mobile Payment Acceptance Solution Vendors
Security Goals:
1. Design and implement secure mobile payment acceptance solutions.
2. Ensure the secure use of mobile payment acceptance solutions.
3. Limit exposure of account data that could be used to commit fraud.



Goal: Design and implement secure mobile payment acceptance solutions.

1. Provide payment acceptance applications and any associated updates in a secure manner with a known chain of trust.

   A vendor should be able to provide assurance that the code within a payment application has not been tampered with or altered without authorisation.
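The following is an added example and is not part of the Visa document: a minimal signed-update check of the kind best practice 1 asks for, written in Go against the standard library. The manifest layout, its field names and the build-number rollback rule are assumptions made for the illustration, and the device is assumed to have the vendor's Ed25519 public key pinned at first install.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest describes one release of the payment application. The vendor's
// build pipeline signs its canonical encoding; the device verifies that signature
// under a public key pinned at first install, never under a key that arrives with
// the update. Illustrative structure, not a Visa- or PCI-defined format.
type UpdateManifest struct {
	Build          uint64 // monotonically increasing build number
	ArtifactSHA256 string // lowercase hex digest of the application package
}

// Canonical returns the exact bytes that are signed. One unambiguous encoding
// matters: if a single signature could cover two different parses, an attacker
// could swap fields without invalidating it.
func (m UpdateManifest) Canonical() []byte {
	return []byte(fmt.Sprintf("build=%d\nsha256=%s\n", m.Build, m.ArtifactSHA256))
}

// SignManifest is the vendor-side step (release signing in the build pipeline).
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyUpdate is the device-side step. The artifact is accepted only when
// (1) the manifest signature verifies under the pinned vendor key,
// (2) the artifact hashes to the digest named in that signed manifest, and
// (3) the build is not older than the installed one (no rollback to a release
//     with known defects).
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, m UpdateManifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinned, m.Canonical(), sig) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	want, err := hex.DecodeString(m.ArtifactSHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest carries a malformed artifact digest")
	}
	got := sha256.Sum256(artifact)
	if !bytes.Equal(got[:], want) {
		return errors.New("artifact digest does not match the signed manifest")
	}
	if m.Build < installed {
		return errors.New("update would roll back to an older build")
	}
	return nil
}

// Scenario runs one genuine update and the three ways an attacker might push a
// bad one, returning each outcome so it can be checked. The artifact bytes are
// a constructed stand-in for a real application package.
func Scenario() (genuine, tampered, wrongKey, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("payment-app build 2 (constructed package bytes)")
	digest := sha256.Sum256(artifact)
	m := UpdateManifest{Build: 2, ArtifactSHA256: hex.EncodeToString(digest[:])}
	sig := SignManifest(priv, m)

	genuine = VerifyUpdate(pub, 1, m, sig, artifact)

	evil := append([]byte(nil), artifact...)
	evil[0] ^= 0x01 // one flipped bit: genuine signed manifest, different package
	tampered = VerifyUpdate(pub, 1, m, sig, evil)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	wrongKey = VerifyUpdate(pub, 1, m, SignManifest(otherPriv, m), artifact)

	rollback = VerifyUpdate(pub, 3, m, sig, artifact) // device is already on build 3
	return
}

func main() {
	genuine, tampered, wrongKey, rollback := Scenario()
	fmt.Println("genuine update:", genuine)
	fmt.Println("tampered bytes:", tampered)
	fmt.Println("wrong key:     ", wrongKey)
	fmt.Println("rollback:      ", rollback)
}
```

The device trusts only the key it already holds; a key, certificate or "verified" flag carried inside the update itself proves nothing. The signature has to cover the digest of the exact bytes that will be installed, and the build number stops an attacker from re-serving an old, correctly signed release with a known defect.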
2. Develop mobile payment acceptance applications based on secure coding guidelines.

   Poor software security coding practices can introduce vulnerabilities into the consumer mobile device and expose customers to the risk of data compromise.

3. Protect encryption keys that secure account data against disclosure and misuse in accordance with industry-accepted standards.

   To keep cryptographic keys secure, robust key management standards should be followed. Symmetric and private keys should be protected against physical and logical compromise. Public keys should be protected from substitution, and their integrity and authenticity should be ensured. Any cryptographic implementation must make use of industry-accepted algorithms and appropriate key sizes, and, at a minimum, must be consistent with the key management principles included in the following:
       •   PCI PIN and PCI PIN Transaction Security (PTS)
       •   Payment Application Data Security Standard (PA-DSS) key management procedures
Goal: Ensure the secure use of mobile payment acceptance solutions.

4. Provide the ability to disable the mobile payment acceptance solution.

   As a security precaution, the entity processing transactions on behalf of the merchant should be able to disable payment acceptance. For example, if a device were lost or stolen, the merchant's mobile payment acceptance solution should be disabled.

5. Provide functionality to track use and key activities within the mobile payment acceptance solution.

   Event logs captured by the mobile payment acceptance solution should automatically be transferred to a centralised back-end system where they can be analysed for unusual or suspicious activity. Also, consider analysing information that originates from the consumer mobile device (such as the device ID or geo-location, where available) to supplement fraud detection engines.
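An added example, not from the Visa document, of what the centralised analysis in best practice 5 can look like on the back end once it is combined with the disable function of best practice 4: constructed event lines carrying a device ID and geo-location are parsed, a device the acquirer has disabled is flagged if it still produces a sale, and two sales from one device that imply impossible travel are flagged. Written in Go against the standard library; the log line format, the 800 km/h threshold, the device identifiers and the sample events are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one record shipped from the acceptance app to the back end. The line
// format "time=<RFC3339> device=... event=... lat=... lon=..." is an assumption.
type Event struct {
	At       time.Time
	Device   string
	Kind     string
	Lat, Lon float64
}

type Alert struct{ Device, Rule, Detail string }

func parseEvent(line string) (Event, error) {
	kv := map[string]string{}
	for _, field := range strings.Fields(line) {
		if p := strings.SplitN(field, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	at, errT := time.Parse(time.RFC3339, kv["time"])
	lat, errLat := strconv.ParseFloat(kv["lat"], 64)
	lon, errLon := strconv.ParseFloat(kv["lon"], 64)
	if errT != nil || errLat != nil || errLon != nil || kv["device"] == "" {
		return Event{}, fmt.Errorf("malformed event line: %q", line)
	}
	return Event{At: at, Device: kv["device"], Kind: kv["event"], Lat: lat, Lon: lon}, nil
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// maxSpeedKmh is the implied travel speed above which two sales from one
// device are treated as impossible (constructed threshold).
const maxSpeedKmh = 800.0

// Analyse applies two rules: a device the acquirer has disabled must never
// produce a sale (if it does, the disable has not taken effect), and
// consecutive sales from one device must not imply travel above maxSpeedKmh.
func Analyse(lines []string, disabled map[string]bool) ([]Alert, error) {
	byDevice := map[string][]Event{}
	for _, l := range lines {
		e, err := parseEvent(l)
		if err != nil {
			return nil, err
		}
		byDevice[e.Device] = append(byDevice[e.Device], e)
	}
	var alerts []Alert
	for d, evs := range byDevice {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var prev *Event
		for i := range evs {
			e := &evs[i]
			if e.Kind != "sale" {
				continue
			}
			if disabled[d] {
				alerts = append(alerts, Alert{d, "disabled-device-sale", e.At.Format(time.RFC3339)})
			}
			if prev != nil {
				km := haversineKm(prev.Lat, prev.Lon, e.Lat, e.Lon)
				h := e.At.Sub(prev.At).Hours()
				if km > 1 && (h == 0 || km/h > maxSpeedKmh) { // h == 0: same second, different place
					alerts = append(alerts, Alert{d, "impossible-travel", fmt.Sprintf("%.0f km in %.0f min", km, h*60)})
				}
			}
			prev = e
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Device < alerts[j].Device })
	return alerts, nil
}

// SampleLog is constructed: MD-1042 sells in London, then in Manchester ten
// minutes later; MD-2077 sells twice in London; MD-3001 was reported stolen.
var SampleLog = []string{
	"time=2011-04-27T10:00:00Z device=MD-1042 merchant=M-77 event=sale amount=42.10 lat=51.5074 lon=-0.1278",
	"time=2011-04-27T10:10:00Z device=MD-1042 merchant=M-77 event=sale amount=12.00 lat=53.4808 lon=-2.2426",
	"time=2011-04-27T10:00:00Z device=MD-2077 merchant=M-77 event=sale amount=8.50 lat=51.5074 lon=-0.1278",
	"time=2011-04-27T10:05:00Z device=MD-2077 merchant=M-77 event=sale amount=19.99 lat=51.5080 lon=-0.1281",
	"time=2011-04-27T10:20:00Z device=MD-3001 merchant=M-12 event=sale amount=250.00 lat=48.8566 lon=2.3522",
}

// DemoAlerts runs the rules over SampleLog with MD-3001 on the disabled list.
func DemoAlerts() ([]Alert, error) { return Analyse(SampleLog, map[string]bool{"MD-3001": true}) }

func main() {
	alerts, err := DemoAlerts()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-8s %-22s %s\n", a.Device, a.Rule, a.Detail)
	}
}
```

The disabled-device rule is the check that the kill switch actually worked: a sale from a device reported lost is evidence either that the disable did not propagate or that a stale copy of the application is still accepting cards. Location-based rules only help where the device reports coordinates, which is why the document says "where available".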




Goal: Limit exposure of account data that could be used to commit fraud.

6. Provide the ability to encrypt all public transmission of account data.

   To maintain confidentiality and integrity, account data must be encrypted during transmission over wireless and/or public networks. All account data originating from a mobile payment acceptance solution sent to any other termination point must be encrypted in accordance with industry-accepted encryption standards using known algorithms and appropriate key sizes.

7. Ensure that account data electronically read from a payment card is protected against fraudulent use by unauthorised applications in a consumer mobile device.

   Visa recommends encryption at the electronic reader (e.g., magnetic stripe reader or PIN entry device) as a mature technology to meet this best practice. This is especially important when a merchant has limited or no direct control over the security of the environment in which the consumer mobile device is deployed.
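An added example, not from the Visa document, of what best practices 3, 6 and 7 amount to in code: the reader accessory encrypts the track data under a key that exists only for that one swipe, the mobile app carries an opaque blob it cannot read or alter, and the processor re-derives the key, checks integrity and refuses replays. Written in Go against the standard library with AES-256-GCM. The HMAC-based per-transaction key derivation is an illustrative stand-in and is not ANSI X9.24 DUKPT; the base key, reader serial, track contents and the in-memory stand-in for an HSM are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// EncryptedSwipe is all the reader hands to the mobile app. The app forwards
// it unchanged to the processor; it holds no key and can read nothing in it.
type EncryptedSwipe struct {
	Serial     string // reader serial, also bound into the ciphertext as AAD
	Counter    uint64 // per-reader transaction counter
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// transactionKey derives a fresh key for one swipe from the reader's base key.
// This HMAC-SHA256 derivation is illustrative only: real readers use ANSI X9.24
// DUKPT, which this code does not implement.
func transactionKey(baseKey []byte, serial string, counter uint64) []byte {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte(serial))
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

// gcmFor builds the AEAD and a 96-bit nonce carrying the counter. Repeating a
// nonce value across swipes is safe only because each swipe has its own key.
func gcmFor(key []byte, counter uint64) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key)  // cannot fail: key is always 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], counter)
	return aead, nonce
}

// Reader models the PCI PTS/SRED accessory. Its base key is injected at
// manufacture (assumption) and never leaves the accessory.
type Reader struct {
	Serial  string
	baseKey []byte
	counter uint64
}

// Swipe encrypts the track data at the instant it is read.
func (r *Reader) Swipe(track []byte) EncryptedSwipe {
	r.counter++
	aead, nonce := gcmFor(transactionKey(r.baseKey, r.Serial, r.counter), r.counter)
	ct := aead.Seal(nil, nonce, track, []byte(r.Serial))
	return EncryptedSwipe{Serial: r.Serial, Counter: r.counter, Ciphertext: ct}
}

// Backend models the processor's decryption service. In production the base
// keys live in an HSM; a map stands in for it here (assumption).
type Backend struct {
	baseKeys    map[string][]byte
	lastCounter map[string]uint64
}

// Decrypt re-derives the swipe key and authenticates the blob. A counter that
// has not advanced is a replayed swipe and is refused before any decryption.
func (b *Backend) Decrypt(s EncryptedSwipe) ([]byte, error) {
	baseKey, ok := b.baseKeys[s.Serial]
	if !ok {
		return nil, errors.New("unknown reader serial")
	}
	if s.Counter <= b.lastCounter[s.Serial] {
		return nil, errors.New("replayed or stale transaction counter")
	}
	aead, nonce := gcmFor(transactionKey(baseKey, s.Serial, s.Counter), s.Counter)
	pt, err := aead.Open(nil, nonce, s.Ciphertext, []byte(s.Serial))
	if err != nil {
		return nil, errors.New("authentication failed: blob altered in transit")
	}
	b.lastCounter[s.Serial] = s.Counter
	return pt, nil
}

// Scenario pushes one swipe through the untrusted app to the backend, then
// tries the two things a compromised app could do: replay it, or alter it.
func Scenario() (decryptedOK, panVisibleToApp bool, replayErr, tamperErr error) {
	baseKey := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real BDK
	reader := &Reader{Serial: "RDR-0001", baseKey: baseKey}
	backend := &Backend{map[string][]byte{"RDR-0001": baseKey}, map[string]uint64{}}
	track := []byte("4111111111111111=25121010000000000000") // constructed track-2 data, test PAN
	blob := reader.Swipe(track)
	panVisibleToApp = bytes.Contains(blob.Ciphertext, []byte("4111111111111111"))
	pt, err := backend.Decrypt(blob)
	decryptedOK = err == nil && bytes.Equal(pt, track)
	_, replayErr = backend.Decrypt(blob) // same counter again
	blob2 := reader.Swipe(track)
	blob2.Ciphertext[0] ^= 0x01 // app flips one bit before forwarding
	_, tamperErr = backend.Decrypt(blob2)
	return
}

func main() {
	ok, visible, replay, tamper := Scenario()
	fmt.Println("decrypted:", ok, "| PAN visible to app:", visible)
	fmt.Println("replay:", replay, "| tamper:", tamper)
}
```

The property that matters for best practice 7 is that the base key and every derived key exist only inside the accessory and the processor's HSM, so a malicious application on the phone gains nothing from the blob it forwards. The serial as associated data and the advancing counter cover best practice 6's integrity requirement: a blob re-labelled with another reader's serial, or submitted twice, is rejected by the processor rather than decrypted.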
8. Provide the ability to truncate or tokenise the Primary Account Number (PAN) after authorisation to facilitate cardholder identification by the merchant.

   For more information, refer to Visa Best Practices for Tokenisation and Visa Best Practices for Primary Account Number Storage and Truncation.

9. Protect stored PAN data and/or sensitive authentication data.

   If a consumer mobile device is temporarily unable to transmit account data to the acquirer (for example, due to a poor network connection), account data must be encrypted or otherwise protected until it can be securely sent to the acquirer.

   Any PANs that are retained after authorisation (e.g., in logs) must be truncated or tokenised (refer to best practice number 8, above). After authorisation, sensitive authentication data must be deleted from the merchant acceptance solution (even if encrypted).

   The solution should not include any debug functionality that might allow unauthorised access to account data by the merchant.
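An added example, not from the Visa document, of the controls in best practices 8 and 9 that a vendor can build into the solution: PAN truncation, a processor-side token vault that gives the merchant a stable token per card for identification and refunds, and a log scrubber that recognises Luhn-valid digit runs and truncates them before a line is stored. Written in Go against the standard library. The first-six/last-four truncation format, the token format, the vault itself and the sample log line are assumptions made for the illustration (the Visa truncation document referenced above is the authority on what may be retained); 4111 1111 1111 1111 is the well-known Visa test PAN.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Luhn reports whether s is a 13-19 digit string with a valid Luhn check digit.
// Every card PAN passes it, which separates PANs from most other digit runs.
func Luhn(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 { // non-digit bytes wrap around to a large value
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Truncate masks all but the first six and last four digits (assumed format).
func Truncate(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Vault stands in for the processor-side token service that stays inside PCI DSS
// scope (assumption: the merchant never runs this). Tokens are random, so a token
// reveals nothing about the PAN, and a PAN always maps to the same token so the
// merchant can recognise a returning card or reference a refund.
type Vault struct{ byPAN, byToken map[string]string }

func NewVault() *Vault { return &Vault{map[string]string{}, map[string]string{}} }

func (v *Vault) Tokenise(pan string) (string, error) {
	if !Luhn(pan) {
		return "", errors.New("not a valid PAN")
	}
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b) + "_" + pan[len(pan)-4:] // last four kept for identification
	v.byPAN[pan], v.byToken[tok] = tok, pan
	return tok, nil
}

func (v *Vault) Detokenise(tok string) (string, bool) { pan, ok := v.byToken[tok]; return pan, ok }

var digitRun = regexp.MustCompile(`\b\d{13,19}\b`)

// RedactPANs rewrites every Luhn-valid 13-19 digit run in a log line to its
// truncated form before the line is stored. Digit runs that fail Luhn (order
// numbers, timestamps) are left alone; a non-PAN run that happens to pass Luhn
// is truncated too, which is the safe way to be wrong.
func RedactPANs(line string) string {
	return digitRun.ReplaceAllStringFunc(line, func(m string) string {
		if Luhn(m) {
			return Truncate(m)
		}
		return m
	})
}

// Scenario tokenises the test PAN twice, detokenises it, and scrubs a
// constructed debug line of the kind best practice 9 says must not keep a PAN.
func Scenario() (token string, roundTrip bool, redacted string) {
	v := NewVault()
	pan := "4111111111111111"
	token, _ = v.Tokenise(pan)
	again, _ := v.Tokenise(pan)
	back, ok := v.Detokenise(token)
	roundTrip = ok && back == pan && again == token
	redacted = RedactPANs("auth ok order=1234567890123456 pan=4111111111111111 amt=42.10")
	return
}

func main() {
	token, roundTrip, redacted := Scenario()
	fmt.Println(token, roundTrip)
	fmt.Println(redacted) // auth ok order=1234567890123456 pan=411111******1111 amt=42.10
}
```

The scrubber is the practical answer to "PANs retained in logs must be truncated": it runs on every line before it leaves the process, so a developer's leftover debug statement cannot land a full PAN in storage. The vault is deliberately not the merchant's to run; the merchant holds only the token, which is useless to anyone who steals it without also breaching the processor.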




Best Practices for Merchants
Security Goals:
1. Ensure the secure use of mobile payment acceptance solutions.
2. Limit the exposure of account data that may be used to commit fraud.
3. Prevent software attacks on consumer mobile devices.



Goal: Ensure the secure use of mobile payment acceptance solutions.

1. Only use mobile payment acceptance solutions as intended by an acquiring bank and solution provider.

   To prevent unintended consequences from the misuse of a mobile acceptance solution, ensure that the solution is used in a manner consistent with the guidance provided by an acquiring bank and solution provider. This includes ensuring that any software downloaded onto the consumer mobile device comes from a trusted source.

   PANs required after authorisation must be truncated or tokenised.

Goal: Limit the exposure of account data that may be used to commit fraud.

2. Limit access to the mobile payment acceptance solution.

   Ensure that only authorised users (i.e., designated employees) have physical or logical access to the payment functionality of the solution.

   Merchants must have a valid agreement with the acquirer. Merchants may not process Visa transactions on behalf of other merchants.

3. Immediately report the loss or theft of a consumer mobile device and/or hardware accessory.

   Contact the acquiring bank immediately to report the loss or theft of a consumer mobile device and/or hardware accessory to help ensure the prompt implementation of any necessary actions.

Goal: Prevent software attacks on consumer mobile devices.

4. Install software only from trusted sources.

   Merchants should not circumvent any security measures on the consumer mobile device. To avoid introducing a new attack vector onto a consumer mobile device, install only trusted software that is necessary to support business operations and to facilitate payment.

5. Protect the consumer mobile device from malware.

   Establish sufficient security controls to protect a consumer mobile device from malware and other software threats. For example, install and regularly update the latest anti-malware software (if available).




Best Practices Feedback

As a leader in the payments industry, Visa has developed the first version of these best practices to
support the growth of the emerging mobile acceptance channel. As such, Visa Europe welcomes any
feedback on these best practices. To provide feedback or comments on these best practices, send an
e-mail to datasecuritystandards@visa.com with "Mobile Payment Acceptance Best Practices" in the subject
line.




                                                   4

More Related Content

Recently uploaded

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Mobile Best Practices

  • 1. VISA SECURITY BEST PRACTICES 27 April 2011 Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 1.0 The payment and mobile worlds are rapidly converging as merchants begin to use consumer mobile devices (such as smart phones and tablet computing platforms) to facilitate card payments both within and, increasingly, outside of the traditional retail environment. As with any new acceptance mechanism, there are security considerations that need to be addressed prior to use. For example, as part of a mobile acceptance solution a consumer mobile device may be used to facilitate face-to-face customer payments; however, these mobile devices have limited native security controls. Additionally, merchants that use a consumer mobile device (or a similar device) as part of an acceptance solution may not have direct control of the security of the environment in which the device is used. Therefore, a mobile acceptance solution must include adequate supplementary technical and procedural controls to limit a fraudster’s ability to steal sensitive account information. To promote the security and integrity of the payment system, Visa is committed to helping mobile payment acceptance solution vendors, merchants and acquirers better understand their responsibility to keep account data secure when using mobile payment acceptance solutions. Scope These best practices are intended for two distinct audiences: vendors that develop mobile payment acceptance solutions and merchants that use these solutions. For the purposes of this document, a vendor is any entity that develops mobile payment acceptance solutions, either in-house or on behalf of another organisation. Beyond these best practices, vendors, merchants and acquirers must follow all Visa requirements for magnetic stripe, chip and contactless acceptance (where supported) 1 . 
The mobile payment solution should also adhere to the principles set out in the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). Although not in the scope of this document, acquirers must follow the practices outlined in Visa Operating Regulations and adopt the guidelines established in other related ancillary documents. In particular, acquirers must adhere to Visa Operating Regulations due diligence requirements when on-boarding and monitoring their merchants, and they must be in compliance with all local laws and regulations regarding merchants, including adequate Know Your Customer (KYC) and Anti-Money Laundering (AML) due diligence requirements. Definitions Consumer Mobile Device: Any electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance and that has the ability to wirelessly communicate account data (via GSM, GPRS, CDMA, etc.) for transaction processing. Mobile Payment Acceptance Solution: Consists of mobile payment application, a consumer mobile device and, where account data is electronically read from a payment card, a hardware accessory capable of reading account data. Solutions that do not electronically read account data may not be acceptable in all territories or may face some restrictions. Members must review local Visa Operating Regulations prior to providing mobile payment acceptance solutions to merchants. 1 For EMV acceptance, the device must (1) have a valid and current type approval, (2) have passed the Visa Acquirer Device Validation Toolkit (ADVT) for EMV contact, and (3) where contactless technology is used, have passed the Visa payWave Test Tool (VpTT). For PIN-based transactions, a consumer mobile device is not acceptable for PIN entry; Instead, an additional hardware accessory that is PCI PTS approved and that functionally supports the Secure Reading and Exchange of Data (SRED) module. 1
Best Practices for Mobile Payment Acceptance Solution Vendors

Security Goals:
1. Design and implement secure mobile payment acceptance solutions.
2. Ensure the secure use of mobile payment acceptance solutions.
3. Limit exposure of account data that could be used to commit fraud.

Goal: Design and implement secure mobile payment acceptance solutions.

1. Provide payment acceptance applications and any associated updates in a secure manner with a known
   chain of trust.
   A vendor should be able to provide assurance that the code within a payment application has not been
   tampered with or altered without authorisation.

2. Develop mobile payment acceptance applications based on secure coding guidelines.
   Poor software security coding practices can introduce vulnerabilities into the consumer mobile device and
   expose customers to the risk of data compromise.

3. Protect encryption keys that secure account data against disclosure and misuse in accordance with
   industry-accepted standards.
   To keep cryptographic keys secure, robust key management standards should be followed. Symmetric and
   private keys should be protected against physical and logical compromise. Public keys should be protected
   from substitution, and their integrity and authenticity should be ensured. Any cryptographic implementation
   must make use of industry-accepted algorithms and appropriate key sizes, and, at a minimum, must be
   consistent with the key management principles included in the following:
   • PCI PIN and PCI PIN Transaction Security (PTS)
   • Payment Application Data Security Standards (PA-DSS) key management procedures

Goal: Ensure the secure use of mobile payment acceptance solutions.

4. Provide the ability to disable the mobile payment acceptance solution.
   As a security precaution, the entity processing transactions on behalf of the merchant should be able to
   disable payment acceptance. For example, if a device were lost or stolen, the merchant mobile payment
   acceptance solution should be disabled.

5. Provide functionality to track use and key activities within the mobile payment acceptance solution.
   Event logs captured by the mobile payment acceptance solution should automatically be transferred to a
   centralised back-end system where they can be analysed for unusual or suspicious activity. Also, consider
   analysing information that originates from the consumer mobile device (such as the device ID or
   geo-location, where available) to supplement fraud detection engines.
Goal: Limit exposure of account data that could be used to commit fraud.

6. Provide the ability to encrypt all public transmission of account data.
   To maintain confidentiality and integrity, account data must be encrypted during transmission over wireless
   and/or public networks. All account data originating from a mobile payment acceptance solution sent to any
   other termination point must be encrypted in accordance with industry-accepted encryption standards using
   known algorithms and appropriate key sizes.

7. Ensure that account data electronically read from a payment card is protected against fraudulent use by
   unauthorised applications in a consumer mobile device.
   Visa recommends encryption at the electronic reader (e.g., magnetic stripe reader or PIN entry device) as a
   mature technology to meet this best practice. This is especially important when a merchant has limited or
   no direct control over the security of the environment in which the consumer mobile device is deployed.

8. Provide the ability to truncate or tokenise the Primary Account Number (PAN) after authorisation to
   facilitate cardholder identification by the merchant.
   For more information, refer to Visa Best Practices for Tokenisation and Visa Best Practices for Primary
   Account Number Storage and Truncation.

9. Protect stored PAN data and/or sensitive authentication data.
   If a consumer mobile device is temporarily unable to transmit account data to the acquirer (for example,
   due to a poor network connection), account data must be encrypted or otherwise protected until it can be
   securely sent to the acquirer. Any PANs that are retained after authorisation (e.g., in logs) must be
   truncated or tokenised (refer to best practice number 8, above). After authorisation, sensitive
   authentication data must be deleted from the merchant acceptance solution (even if encrypted). The solution
   should not include any debug functionality that might allow unauthorised access to account data by the
   merchant.
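The following Python example, added here and not part of Visa's document, shows one way a solution vendor's back end could implement best practices 8 and 9 for log data: candidate digit runs in a log line are validated with the Luhn check so that order numbers are left alone, confirmed PANs are truncated to the first six and last four digits, and a token is issued so the merchant can still recognise a returning cardholder. The TokenVault class, the HMAC key and the sample log lines are constructed for illustration; a real vault would be a hardened back-end service, never code on the consumer mobile device.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

# Constructed sample log lines from a hypothetical acceptance back end.
# The first two carry full PANs (well-known public test card numbers); the
# third holds a 13-digit order id that is NOT a card number and must be kept.
SAMPLE_LOG = [
    "2011-04-27T10:15:02Z auth=ok pan=4111111111111111 amount=12.50 merchant=000123",
    "2011-04-27T10:16:44Z auth=ok pan=5500 0000 0000 0004 amount=3.00 merchant=000123",
    "2011-04-27T10:17:01Z auth=declined order=1234567890123 merchant=000123",
]

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes and
# bounded by non-digits. A match is only treated as a PAN if it passes Luhn.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; every payment card PAN satisfies it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, mask everything between."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Hypothetical back-end token vault (an assumption, not described in the page).

    A keyed HMAC fingerprint of the PAN maps to a random token, so the same card
    always yields the same token and the merchant can identify a returning
    cardholder without holding the PAN. The reverse map and the HMAC key live
    only in the back end (e.g. at the acquirer), never on the mobile device.
    """

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key
        self._token_by_fingerprint: Dict[str, str] = {}
        self._pan_by_token: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        fp = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
            self._token_by_fingerprint[fp] = token
            self._pan_by_token[token] = digits
        return token

    def detokenise(self, token: str) -> Optional[str]:
        """Only the vault can map a token back to a PAN; unknown tokens give None."""
        return self._pan_by_token.get(token)


def scrub_log_line(line: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in a log line with its truncated form and token."""

    def _replace(match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw  # e.g. an order id: not a card number, leave it as-is
        return f"{truncate_pan(digits)} ({vault.tokenise(digits)})"

    return _PAN_CANDIDATE.sub(_replace, line)


def scrub_log(lines: List[str], vault: TokenVault) -> List[str]:
    return [scrub_log_line(line, vault) for line in lines]


if __name__ == "__main__":
    demo_vault = TokenVault(hmac_key=b"constructed-demo-key-do-not-use")
    for scrubbed in scrub_log(SAMPLE_LOG, demo_vault):
        print(scrubbed)
```

Running the block prints the three sample lines with both PANs reduced to `411111******1111 (tok_...)` and `550000******0004 (tok_...)` while the order id line is unchanged. The Luhn gate is what keeps the scrubber from mangling non-card numbers; the token being random rather than a hash of the PAN is what keeps a leaked log from being reversed offline.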
Best Practices for Merchants

Security Goals:
1. Ensure the secure use of mobile payment acceptance solutions.
2. Limit the exposure of account data that may be used to commit fraud.
3. Prevent software attacks on consumer mobile devices.

Goal: Ensure the secure use of mobile payment acceptance solutions.

1. Only use mobile payment acceptance solutions as intended by an acquiring bank and solution provider.
   To prevent unintended consequences from the misuse of a mobile acceptance solution, ensure that the solution
   is used in a manner consistent with the guidance provided by an acquiring bank and solution provider. This
   includes ensuring that any software downloaded onto the consumer mobile device comes from a trusted source.
   PANs required after authorisation must be truncated or tokenised.

Goal: Limit the exposure of account data that may be used to commit fraud.

2. Limit access to the mobile payment acceptance solution.
   Ensure that only authorised users (i.e., designated employees) have physical / logical access to the payment
   functionality of the solution. Merchants must have a valid agreement with the acquirer. Merchants may not
   process Visa transactions on behalf of other merchants.

3. Immediately report the loss or theft of a consumer mobile device and/or hardware accessory.
   Contact the acquiring bank immediately to report the loss or theft of a consumer mobile device and/or
   hardware accessory to help ensure the prompt implementation of any necessary actions.

Goal: Prevent software attacks on consumer mobile devices.

4. Install software only from trusted sources.
   Merchants should not circumvent any security measures on the consumer mobile device. To avoid introducing a
   new attack vector onto a consumer mobile device, install only trusted software that is necessary to support
   business operations and to facilitate payment.

5. Protect the consumer mobile device from malware.
   Establish sufficient security controls to protect a consumer mobile device from malware and other software
   threats. For example, install and regularly update the latest anti-malware software (if available).

Best Practices Feedback

As a leader in the payments industry, Visa has developed the first version of these best practices to support
the growth of the emerging mobile acceptance channel. As such, Visa Europe welcomes any feedback on these best
practices. To provide feedback or comments on these best practices, send an e-mail to
datasecuritystandards@visa.com with "Mobile Payment Acceptance Best Practices" in the subject line.