-
Latest from the Blog
- Cyber Group Offers Special Update on Chinese Threats on May 29
- Assume the Enemy is Already on Your Network and Look for Them
- Caswell to Speak at Healthcare Security Summit in Los Angeles on May 21
- When Your High Walls and Wide Moats Fail
- Discovery of Confidential Records are Potential Identity Theft Danger
- So Your Twitter Account was Hacked…
- AP Hack Proves that Social Engineering Awareness is Necessary for Businesses
- Compliance and Forensics Experts Talk to Two Nashville Groups Thursday
- BYOD Is Great for Business, But Is It Secure?
- The New HIPAA Omnibus Rule and Your Business
-
Archives by Date
Archives by Category
Blogroll
- Anton Chuvakin
- AverageSecurityGuy
- CloudAve
- DarkReading – All Stories
- Electronic Discovery Law
- Emergent Chaos
- ExploitSearch *
- Forensic Focus Blog
- HolisticInfoSec
- InfoSec Daily Podcast
- Jeremiah Grossman
- SANS Application Security Street Fighter
- SANS Computer Forensic Investigations and Incident Response
- SANS Internet Storm Center
- SANS Mastering Windows (In)Security
- SANS Security Leadership Blog
- Schneier on Security
- SecuriTeam Blog
- Security Bloggers Network
- Security Catalyst
- Security Padawan *
- Security Sociability
- Securosis
- Staff Twitter Bill Dean *
- Staff Twitter John McNeely *
- Storefront Backtalk
- TaoSecurity
- The Ashimmy Blog
- Twitter – Adam Compton
- Twitter – Adrian Sanabria
- Twitter – Stephen Haywood
- Vicious Circle of Security *
- Vitalsecurity.org
- Windows Incident Response
800-810-1885
Your Partner for a Secure Future
- Home
- Services
- Industry Solutions
- Products
- About
- Contact
- Blog
Security Testing
Risk & Compliance
Forensics & eDiscovery
Security Products
© 1997-2013 Sword & Shield Enterprise Security, Inc.
PCI and Mobile Payment Application Security
So far, the world of mobile payments has been a “Wild West”, before the sheriff came to town. The vendors have been making their own rules, though at least a
few have been smart, and have prepared for what they guessed would happen. The solution can be expressed in one word: Encryption.
As early in the payment process as possible, all the way to the bank (acquirer).
The PCI Council has issued a press release on mobile payment security, along with an “At a Glance” publication. These usually precede the release of new standards/best practices documents by a few months as fair warning. This post is my attempt to analyze where the Council sits on the matter, and a bit of reading between the lines to try to predict what’s coming.
End to end encryption, or point-to-point encryption (P2PE), as the PCI Council calls it, is easily the best solution to securing the explosion of mobile payment applications now on the market. It is ideal because, in most cases, when implemented, it is invisible to the user, the merchant and the application. Apps don’t have to be rewritten, the user experience doesn’t suffer, and the merchant still has the same level of convenience. Most importantly, when done correctly, it is easily the most secure approach available.
There is a price though, and it is on the merchant. All solutions I’ve seen offered raise the transaction rate. Such is the price for the convenience of mobile payment acceptance in this case.
Read More »