By Judith Clark, QSA Consultant
Ask a QSA recently received the following query from an acquirer and we felt that this may be of interest to our readers. Merchants had been asking their acquirer “how can we better secure our mcommerce channel?”
It’s a good question. Recent research has shown that mobile attack rates are on the increase, and mobile transactions now top desktop transactions, as mobile devices enable the ‘always-on, always-there’ culture of goods and services today.
Mobile attacks over the last year have included account login fraud, account creation fraud and payments fraud. With stolen or harvested credentials, criminals can commit a variety of other fraudulent activity, including ‘legitimising’ activity to obtain other credit cards and benefits, and generally misrepresenting their identity.
Many merchants are now developing applications (apps) with a payment facility for their consumer base, running on the consumer’s own device (e.g. smartphone, tablet or laptop).
So, if a merchant does develop an app, what are the important things for them to consider?
Firstly, it is important for the merchant to consider their obligations under PCI DSS and PA-DSS for their in-house payment app. The advice from the PCI SSC is that, if the consumer is also the cardholder and is using the app solely for their own purposes, then the device is treated similarly to a cardholder’s payment card and is outside the scope of PA-DSS and PCI DSS.
That said, even though the consumer’s device is outside the scope of PCI DSS, the application should still be developed in accordance with industry best practice, such as the ENISA and OWASP guidance, and with PCI DSS requirements 6.3, 6.4 and 6.5. Further advice and guidance for developers can be found in the PCI Mobile Payment Acceptance Security Guidelines for Developers.
Secondly, although there may be no PCI DSS compliance obligation, because the merchant has no control over the consumer’s device and no cardholder data environment in which to implement and operate PCI DSS controls, it is probably better not to capture card data ‘in-app’ using forms and code the merchant’s own developers have created. Instead, rely on the payment being fully outsourced to a PCI DSS compliant Payment Service Provider (PSP), which captures the card details. For example, the app can link to the PSP’s hosted payment page, or, as in the Stripe iOS and Android examples, the developer can embed Stripe’s own card input widget.
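The point of the outsourced flow is that the merchant’s own backend only ever receives an opaque PSP token, never the card number. The following is an added example of a merchant-side guard that enforces this, written for this article and not taken from Stripe, Adyen or the original post: it scans an inbound checkout request for anything that looks like a Luhn-valid primary account number (PAN), rejects the request if one is present, and otherwise insists on a token. The `tok_` token shape and the field names are assumptions for the example; a real PSP’s tokens will look different.

```python
"""Merchant-side guard that keeps raw card data out of the merchant's systems.

Added example, not code from the original article or from any PSP. The app is
expected to hand the card to the PSP's SDK or hosted page and send the merchant
only the resulting token; this check catches the case where a developer wires
a raw card field into a merchant endpoint by mistake.
"""
import json
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer digit run (constructed regex for this example).
_CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed token shape for the example; real PSP tokens differ.
_TOKEN_FORMAT = re.compile(r"^tok_[A-Za-z0-9]{8,}$")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: separates real PANs from order ids, phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in text, digits only."""
    found = []
    for match in _CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def validate_checkout_payload(payload: dict) -> dict:
    """Accept a checkout request only if it carries a PSP token and no raw card data.

    The whole serialised payload is scanned, not just a known card field, so a PAN
    hidden in a note or address field is caught as well.
    """
    leaked = find_pans(json.dumps(payload))
    if leaked:
        # Log the masked value only; the raw PAN must not reach logs or storage.
        return {
            "accepted": False,
            "reason": "raw card data in request",
            "masked": [mask_pan(p) for p in leaked],
        }
    token = payload.get("payment_token", "")
    if not _TOKEN_FORMAT.match(token):
        return {"accepted": False, "reason": "missing or malformed payment token"}
    return {"accepted": True, "token": token}


if __name__ == "__main__":
    # Constructed requests: a correct tokenised one and one that leaks a test PAN.
    print(validate_checkout_payload({"payment_token": "tok_abc12345", "amount": 1999}))
    print(validate_checkout_payload({"payment_token": "tok_abc12345",
                                     "card_number": "4111 1111 1111 1111"}))
```

The same `find_pans` scan is worth running over application logs and support tickets as a periodic check that the outsourced design is actually holding; a single raw PAN in a merchant log file brings that system back into PCI DSS scope.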
Some excellent resources for developers of mobile applications, which merchants may wish to discuss with their developers, can be found here:
A similar offering but with multi-currency support can be found from Adyen:
Some other things to consider include:
- Develop a mobile-friendly app that customers register with and use for transactions. This allows some online behaviour to be captured, building a profile of the customer that includes a history of normal and potentially abnormal behaviour and their device history (see fingerprinting below).
- Utilise device ‘fingerprinting’ to interrogate and capture device-specific information from the customer’s mobile device: typically the make and model of the device, its build number or version, its International Mobile Equipment Identity (IMEI), Mobile Equipment ID (MEID) or Unique Device ID (UDID, on Apple devices), as well as its actual mobile phone number.
- Ensure that the app requires the use of strong end-to-end encryption to protect the customer data from the app on their mobile device to the business or payment service provider.
- Ensure the use of strong encryption for any personal data that is retained within the application.
- Consider having the app check whether the device has been jailbroken or rooted, to avoid introducing risks. For further advice and guidance on this, see mobile application security.
- Use an out-of-band identity verification method when the user creates their account during initial setup.
- Implement 3-D Secure version 2.0 within the checkout page for those transactions that warrant its use.
- Ensure rigorous penetration testing and user acceptance testing of the application.
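Several of the items above (customer profile and device history, fingerprinting, jailbreak/root detection, out-of-band verification and selective 3-D Secure 2.0 use) come together on the merchant’s server as one risk decision per transaction. The following is an added example of that decision logic, written for this article and not code from the original post or from any vendor. It assumes the app reports a small set of device attributes and an app-scoped install identifier at login; those field names are constructed. One caveat for the fingerprinting item: on current iOS and Android, the hardware IMEI, MEID and UDID are not readable by ordinary apps (Apple removed UDID access from the public API and Android 10 and later restrict IMEI/MEID to privileged apps), so a server-issued or app-scoped identifier is what a merchant app can realistically collect.

```python
"""Server-side device history and step-up decision for an mCommerce app.

Added example, not code from the original article. Device attribute names
(make, model, os_build, install_id) and the thresholds are assumptions
chosen for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key; in production this comes from a KMS/HSM and is rotated.
SERVER_SECRET = b"constructed-demo-fingerprint-key"


def device_fingerprint(attrs: dict) -> str:
    """Keyed hash over the reported device attributes.

    Keying the hash server-side means the profile store never holds the raw
    identifiers, and a leaked profile cannot be replayed as a fingerprint.
    Sorting the keys makes the value independent of the order the app sends them.
    """
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_SECRET, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class CustomerProfile:
    known_devices: set = field(default_factory=set)
    approved_count: int = 0
    mean_amount: float = 0.0      # running mean of approved transaction amounts


def assess_transaction(profile: CustomerProfile, attrs: dict,
                       amount: float, rooted: bool) -> dict:
    """Turn device history and behaviour into an authentication decision.

    Returns the risk reasons plus the actions the checkout should take: whether
    to require out-of-band verification of the account holder, and whether to
    request a 3-D Secure 2.0 challenge rather than a frictionless flow.
    """
    reasons = []
    fp = device_fingerprint(attrs)
    if fp not in profile.known_devices:
        reasons.append("unknown device for this customer")
    if rooted:                      # app-side jailbreak/root check reported at login
        reasons.append("device reports jailbreak/root")
    # Only judge the amount once there is enough history to call something abnormal.
    if profile.approved_count >= 5 and amount > 3 * profile.mean_amount:
        reasons.append("amount far above customer's history")
    return {
        "fingerprint": fp,
        "reasons": reasons,
        "out_of_band_verification": "unknown device for this customer" in reasons,
        "request_3ds_challenge": bool(reasons),
    }


def record_approval(profile: CustomerProfile, fp: str, amount: float) -> None:
    """Update the profile after the transaction (and any step-up) succeeded."""
    profile.known_devices.add(fp)
    n = profile.approved_count
    profile.mean_amount = (profile.mean_amount * n + amount) / (n + 1)
    profile.approved_count = n + 1


def demo() -> dict:
    """Constructed scenario: five normal purchases from one phone, then a large
    purchase from a device the customer has never used."""
    phone = {"make": "ExampleCo", "model": "X1", "os_build": "14.2.1", "install_id": "inst-0001"}
    customer = CustomerProfile()
    for price in (19.99, 24.50, 21.00, 18.75, 22.40):
        result = assess_transaction(customer, phone, price, rooted=False)
        record_approval(customer, result["fingerprint"], price)
    new_device = {"make": "OtherCo", "model": "Z9", "os_build": "33", "install_id": "inst-0002"}
    return assess_transaction(customer, new_device, 349.00, rooted=False)


if __name__ == "__main__":
    print(demo())
```

The device is only added to `known_devices` after the step-up succeeds, so an attacker who has the credentials but not the registered phone number or authenticator does not get their device enrolled by simply attempting a login. The amount rule deliberately stays silent until five approvals exist; with less history a multiplier of the mean says very little.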
Businesses can help keep themselves and their customers safe by changing the way that they do mCommerce. The introduction of specific apps which provide customers with a safer and seamless transaction experience, underpinned by multiple security features, has the potential to improve customer satisfaction and reduce future fraud.
Sysnet’s Cyber Risk team can provide mobile application vulnerability assessments and penetration testing. Our security experts are industry veterans who utilise a wide range of techniques to help you identify any weaknesses and provide guidance on appropriate remediation. To find out more about how we can help your organisation, please click on the link below.
If you are a merchant who requires technical or PCI DSS help, please click here.