The PCI Security Standards Council (PCI SSC) has just released new guidelines for developers, merchants and payment solution providers that use consumer mobile technologies for payment acceptance. These guidelines are the most comprehensive list of security considerations from a payment perspective we have yet seen.
But what do these new guidelines mean for iPad and Android kiosks? I spoke with one of the authors of the new guidelines this week and he said the goal was to get those building these solutions to think beyond just the app and consider the whole environment where the app is running. Even if the app itself is fully secured and handles data correctly, environmental factors can still make a kiosk or mPOS solution insecure.
The new guidelines surface the security state of the environment inside the app, with item 5.4 of the merchant guidelines and 4.15 of the developer guidelines. Basically, the app must show users that the device is in a secure state. From an end-user perspective that is really simple: show a green checkmark or a thumbs-up during the payment process to indicate that everything is secure. But when you pull back the curtain and look at what it takes to deliver that little indicator, you see that it is actually quite involved.
Many factors go into determining the secure state: Has the device been jailbroken (or rooted, on Android)? Have peripherals changed? Where is the device physically located? Is the device connected to a network, and to which network? Is this the right version of the app? Has the app configuration changed?
When you deploy a kiosk or mPOS solution out into the wild, it is easy to say that on day 1 the device is secure, but as it gets used everything changes. To meet these guidelines, the payment solution needs to continually monitor for changes and take action when something looks suspicious, at minimum withdrawing the secure-state indicator rather than continuing to show it. Kiosks can no longer simply worry about staying up and running; they must also continually monitor their own state from a security perspective.
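To make the "continually monitor" part concrete, here is an added example (my own illustration, not code from the PCI SSC guidelines or from any kiosk vendor) of the posture logic behind the green checkmark. It captures a baseline of the device at enrollment, then compares each later snapshot against it across the factors listed above: root/jailbreak indicators, app version, a fingerprint of the app configuration, the set of attached peripherals, the network joined and the reported location. The device states, the indicator paths, the SSID and location identifiers and the reader serials are all constructed sample data; a real app would obtain them from the platform APIs and from the peripheral's own attestation.

```python
"""Device-posture check for a kiosk/mPOS app (added, illustrative example).

A baseline DeviceState is captured when the device is enrolled; every later
snapshot is compared against it and the 'secure' indicator is only earned
when no finding is raised.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field, replace
from typing import Optional

# Filesystem artefacts commonly left behind by jailbreak/root tooling.
# Assumed, illustrative list; a real check would also look for su binaries,
# debuggers and hooking frameworks rather than relying on paths alone.
ROOT_INDICATORS = frozenset({
    "/Applications/Cydia.app", "/usr/sbin/sshd", "/private/var/lib/apt",
    "/system/xbin/su", "/system/app/Superuser.apk",
})


@dataclass
class DeviceState:
    app_version: str
    app_config: dict                 # effective app configuration
    peripherals: frozenset           # card-reader serials / USB ids present
    network_ssid: Optional[str]      # None means the device is offline
    location_id: Optional[str]       # site the device reports being at
    present_paths: frozenset         # paths the app was able to stat


@dataclass
class PostureResult:
    secure: bool
    findings: list = field(default_factory=list)


def config_fingerprint(config: dict) -> str:
    """Stable SHA-256 over the canonical JSON form, so config tampering is detectable."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def assess_posture(baseline: DeviceState, observed: DeviceState,
                   allowed_ssids: set, allowed_locations: set) -> PostureResult:
    """Compare one snapshot against the enrollment baseline; any finding means 'not secure'."""
    findings = []
    rooted = observed.present_paths & ROOT_INDICATORS
    if rooted:
        findings.append("jailbreak/root indicators: " + ", ".join(sorted(rooted)))
    if observed.app_version != baseline.app_version:
        findings.append(f"app version {observed.app_version} != approved {baseline.app_version}")
    if config_fingerprint(observed.app_config) != config_fingerprint(baseline.app_config):
        findings.append("app configuration differs from enrolled fingerprint")
    added = observed.peripherals - baseline.peripherals
    removed = baseline.peripherals - observed.peripherals
    if added:
        findings.append("unexpected peripherals: " + ", ".join(sorted(added)))
    if removed:
        findings.append("enrolled peripherals missing: " + ", ".join(sorted(removed)))
    if observed.network_ssid is None:
        findings.append("device offline")
    elif observed.network_ssid not in allowed_ssids:
        findings.append(f"joined unapproved network {observed.network_ssid!r}")
    if observed.location_id not in allowed_locations:
        findings.append(f"device outside approved locations ({observed.location_id!r})")
    return PostureResult(secure=not findings, findings=findings)


def monitor(baseline: DeviceState, snapshots: list, allowed_ssids: set, allowed_locations: set):
    """Evaluate snapshots in order; return (index, result) of the first failure, or None."""
    for i, snap in enumerate(snapshots):
        result = assess_posture(baseline, snap, allowed_ssids, allowed_locations)
        if not result.secure:
            return i, result
    return None


# Constructed sample data: the enrollment baseline and three later snapshots.
BASELINE = DeviceState(
    app_version="2.4.1",
    app_config={"acquirer_host": "gw.example.test", "tls_pinning": True},
    peripherals=frozenset({"reader:SN123456"}),
    network_ssid="STORE-POS",
    location_id="store-042",
    present_paths=frozenset({"/usr/bin", "/Applications/POS.app"}),
)
ALLOWED_SSIDS = {"STORE-POS"}
ALLOWED_LOCATIONS = {"store-042"}
SNAPSHOTS = [
    BASELINE,                                                                    # day 1: clean
    replace(BASELINE, peripherals=frozenset({"reader:SN123456", "usb:1a2b:3c4d"})),  # extra USB device
    replace(BASELINE,                                                            # pinning off + sshd present
            app_config={"acquirer_host": "gw.example.test", "tls_pinning": False},
            present_paths=BASELINE.present_paths | {"/usr/sbin/sshd"}),
]

if __name__ == "__main__":
    hit = monitor(BASELINE, SNAPSHOTS, ALLOWED_SSIDS, ALLOWED_LOCATIONS)
    print("all snapshots secure" if hit is None
          else f"snapshot {hit[0]} failed: {hit[1].findings}")
```

The point of the structure is that the indicator is derived, never stored: the app recomputes the posture before each payment and shows the checkmark only when `assess_posture` returns no findings, so a change after day 1 (a new USB device, a configuration edit, a jailbreak artefact) withdraws it automatically.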
What do you think of the new guidelines? Do you think they seem onerous for anyone building payment solutions?