Mobile payments should be encrypted, PCI DSS says

Mobile payments should be encrypted, PCI DSS says

The PCI Security Standards Council is urging eCommerce websites and retail merchants that accept mobile payments through a smartphone or tablet to use hardware that supports encryption. There are SSL certificates available for mobile devices through companies like VeriSign, so these companies should be trying to protect sensitive information via encryption as much as possible.

"Many merchants seek innovative ways to engage customers and improve the shopping experience," the document released by the PCI Security Standards Council said. "The ever-expanding capabilities of mobile devices such as smartphones or tablets now includes payment acceptance. Along with the increased convenience at the point of sale, mobile payment acceptance can also bring new risks to the security of cardholder data. Securing account data at the point of capture is one way that you can actively help in controlling these risks."

Merchants can accept payments with mobile devices by using technology to meet the PCI DSS rules, the document said. TechTarget said a validated card reader will encrypt data before it gets to the mobile device, but the providers of the card reader will be responsible for getting devices certified. Once the PCI council determines that a business has reached minimum requirements for security, it will be approved and listed on its website.

TechTarget said there are already technologies emerging that are being driven by credit card brands, including a "one-stop" mobile payment kiosk by Visa. Other brands out include google Wallet, with competing products from wireless companies such as AT&T, T-Mobile and Verizon coming soon.

Businesses that accept mobile payments should always be looking for ways to fight for security beyond the PCI compliance rules. Using things like antivirus scans, firewalls and Thawte SSL certificates should be common practice for keeping a company and its customers completely breach-free.