In a previous post I discussed mobile computing and PCI compliance. In the last couple of weeks I have been questioned about using mobile devices such as smartphones and Wi-Fi enabled PDAs as payment terminals and I thought this particular incarnation of mobile computing deserved an in-depth look.
Pay attention to that Apple iPhone advertisement. If you notice in one of their advertisements they show a person processing a credit card payment on their iPhone. As Apple likes to say, “There’s an app for that.” However, it is not just Apple that has a payment application for a mobile device; there are also payment processing applications for Windows Mobile environments. There are also proprietary solutions from VeriFone and the like. Some of these applications are PABP and/or PA-DSS certified. Devices from VeriFone and the like are PCI PTS certified, but the iPhone and other cellular phones as well as PDAs are not PCI PTS certified devices.
So when the pizza delivery person shows up at your door and wants to swipe your credit card through their mobile device, how do you know that it is safe? You likely will not know.
The security surrounding the telecommunications used by these devices is the easiest thing to discuss. All of the devices I have been able to examine use telecommunications methods that are encrypted either by SSL v3 or TLS. The cellular network and Wi-Fi are just used as the conduit and are not relied upon to provide any security.
Do not assume that VeriFone and the like are meeting all of the PCI standards. While their mobile payment terminals are PCI PTS certified, the application software in those devices is not PA-DSS certified. I pointed to the flaws in these devices in a previous post.
But there are bigger problems lurking with the iPhone. Ask any computer forensic examiner about the iPhone and they will talk at length about the fact that the iPhone has a number of “features” that make security and privacy things of the past. From a PCI compliance perspective, some of the more problematic issues are as follows.
- Deleted information does not physically get deleted. In some cases, deleted data can remain on an iPhone for up to six months or even more depending on use.
- The iPhone has a built-in keyboard logger, so anything typed into it is recorded.
- While it is not certain that card swipes would be retained on the iPhone, given all of the other information it retains, it is highly likely that such information would also be retained.
As a result, using the iPhone as a payment processing platform is probably not a good idea until it is certified.
So what, if anything, are the PCI SSC and/or the card brands doing about this situation? As much as they can, given that these solutions are popping up faster than they can identify them. The problem is that the developers of these applications are usually unaware that they are required to comply with various PCI standards. And since the developer is responsible for certifying their solution unless they get ‘ratted out’, the solution will not get certified. So it is up to the application developer and the merchants to ensure that an application is properly certified. If that is not worrisome enough, the cost involved in certifying such an application would likely raise the cost of that solution to a point where it would not be economical to the merchant or salesperson.