The PCI DSS (Payment Card Industry Data Security Standard) and PCI compliance, although a product and process with origins in the electronic payments industry, can and must be applied to any device that participates in the electronic payments process. There is a new trend in the ever-changing world of electronic payments and sensitive authentication data security: the electronic or “mobile wallet,” a new product being offered to users of mobile phones and other mobile broadband-capable devices. It sounds great and is intended to eliminate the plastic payment cards we currently carry in a wallet or pocketbook. The designation “mobile wallet” is a little inaccurate, since it doesn’t replace your ID, your insurance card, or the cash you need for merchants who don’t take credit cards. But aside from the convenience to you of carrying your wallet in your smartphone, is it also convenient for computer hackers and fraudsters bent on stealing your sensitive authentication data?
It is not enough to simply trust that smartphone application manufacturers and vendors are making sure their products meet the standards of the PCI DSS and adapt to as yet unforeseen threats and vulnerabilities. It would be unconscionable for a software or hardware company to deliberately market a non-PCI-compliant device without apprising the customer of the risks of using its products, but what about doing so accidentally? Apple and Android products both contain virus protection and standard security measures, but whose job is it to make sure that the data transmitted across an open public network like the internet meets PCI compliance standards in addition to the vendors’ own? Or do they operate under some other, internal set of parameters unknown to the public and conceived in the interest of the company’s stockholders?
I have spoken many times in this blog about the glaring risks associated with the use of the electronic swiper being distributed in enormous quantities by Square Up. The PCI DSS mandates that any device transmitting sensitive authentication data wirelessly or across an open public network, such as the internet, employ strong cryptographic encryption. In that case, intercepted data would be completely useless to an attacker without the correct decryption key. Don’t blindly trust your mobile wallet provider without first doing your due diligence to verify the compliance of all the parties involved. See our home page for more on PCI compliance and why it is important to you.