PCI’s New Mobile Guidelines Acknowledge Huge HurdlesWritten by Evan Schuman
The PCI Council officially released its mobile payment guidelines Thursday (Feb. 14), a document that turned out to be anything other than a Valentine to retail IT execs who’d love to know the “all-clear” path to doing mobile payments and staying PCI compliant. Instead, it’s more of a pragmatic acknowledgement of the various mobile hurdles that the council sees as currently insurmountable.
The recommendations, of course, also offer the generic list of best practices for mobile device security (such as strongly encouraging full-disk encryption), which is certainly a handy checklist for chains just starting to seriously explore mobile payments.
One key point of the report is to acknowledge the very complex nature of mobile systems, which have far more players than traditional fixed POS systems. For example, the report speaks of the desirability of lab validation for mobile devices and why it’s simply—and regrettably—not practical.
“Numerous manufacturers, carriers, software developers, and vendors take part in developing a single mobile device. The various combinations of these entities result in an extremely large number of unique mobile devices. The resulting lack of vertical integration would make a lab validation program difficult,” the guidelines say. “All the intervening steps during the production of a mobile device build upon components of the previous steps. For instance, a mobile network operator sells a mobile device manufactured by a specific handset company that contains a chip manufactured by one of several chip-manufacturers and that runs an operating system created by another third party. At each layer, the components added can either increase or decrease the security of the device. For the devices to be adequately tested and validated, proprietary information would have to be shared among all the contributors. If a manufacturer, software developer, or carrier refused to share security-critical proprietary information, validation would be unrealizable. Consequently, the validating of these devices would be problematic.”
Therefore, that section concludes: “The unknown trustworthiness of mobile devices for which no independent, standardized security validation is done remains a residual risk.”
The report also speaks extensively about the attractiveness of remote wipe—also known as zeroizing—to negate security problems the instant it’s detected that a mobile payment device has gone missing. But it also concedes the limitations of such a strategy for many global chains.
“Preventative measures implemented in one jurisdiction may be unlawful to implement in another. For instance, remotely zeroizing a device (i.e., rendering it inoperative) may be legal in the U.S. but not in the European Union, since it may be unlawful to zeroize or otherwise do anything to a mobile device that would remove the user’s ability to make emergency calls,” the report says. “Adjustments made to accommodate jurisdictional legal issues may adversely affect security. This is likely to remain an intractable residual risk.”
Of greater concern, though, are efforts by cyberthieves to guard against such remote wipe efforts. “A mobile device may be shielded in such a way that it may not have the capability of being zeroized remotely (e.g., a Faraday cage). For instance, today mobile phones are being stolen and immediately put into metallic bags that shield them from sending/receiving commands, thereby removing the ability to zeroize the device remotely before the device can be used to divulge sensitive information,” the guidelines document says. “This type of attack could also remove the ability to track the device.”
Associates trying to steal data directly—or who act as an accomplice for external thieves—is an age-old retail problem. Unfortunately, the guidelines say, the mobile vendor community has no practical way of defending against this.
“At each step in the process of producing a mobile device, the potential exists for a renegade employee to introduce exploitable security vulnerabilities,” the report says. “Currently, no commercial vendors perform the level of hardware or software review necessary to assure detection of this kind of sabotage.”
And current anti-malware applications, which have become such a critical part of desktop security, are also not ready for primetime with mobile yet. “Current anti-malware products would be impractical to employ because of the tremendous amounts of resources required to run them (e.g., battery life significantly decreased),” the guidelines say. “Additionally, such products would have no assurance that they could complete their testing before being terminated by the OS to release resources for other tasks.”