
How to build on PCI DSS regulations and confront mobile payment apps

Compliance with PCI DSS regulations is only the start of a sound security strategy. In this #GRCChat, participants discuss additional measures to protect data and the complexities around mobile payment applications.

Personally identifiable financial information (PIFI) is speeding through cyberhighways every second of the day, in massive quantities. As soon as customers swipe their credit cards or enter their information online, that data is out there, and vulnerable to a breach. Enter regulations like the Payment Card Industry Data Security Standard (PCI DSS), established to protect sensitive customer information from increasingly sophisticated cyberthreats.

Participants in SearchCompliance's recent #GRCChat agreed that, while a solid foundation, PCI DSS regulations alone aren't enough to ensure payment card security, as evidenced by the recent string of high-profile retail data breaches. And with the mounting presence of mobile payment tools like Apple Pay, mobile payment security is getting even more complicated -- see CurrentC's recent hack.

Here, editors and fellow tweeters discuss the challenges that accompany mobile payment applications and how to appropriately augment PCI DSS compliance regulations.

How can companies build on PCI DSS processes to protect customer data and assess vulnerabilities?

Commanding your enterprise's strategy around payment card information means going above and beyond the minimum PCI DSS regulations. It requires constant vigilance and implementation of information security best practices:

Security strategies should be applied mindfully, one participant noted; customer convenience is everything, and layering on multiple -- and, in some cases, duplicative -- security measures may push customers away, negating any potential gain from heightened protection.

Another participant pointed to the necessity of treating PIFI more carefully than other organizational data:

How will mobile payment tools complicate PCI DSS and customer data protection efforts?

When it comes to mobile payment applications, it can be a case of convenience vs. compliance. Participants were quick to point out some compliance pros and cons when payment technologies go mobile, the risk of third-party services, and the potential for unforeseen security holes:

Tokenization, the process of replacing sensitive data with unique identification symbols, is one of Apple Pay's highlighted features, but it's not an end-all-be-all for security. As participants discussed, other methods, like audits and penetration testing, can also help remove some of the unknowns in mobile payment:
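To make the tokenization point concrete, here is an added example (not code from the article or from Apple Pay) of the pattern in miniature: the merchant keeps only a random token plus a masked display value, and the mapping back to the real card number lives in a separate vault. The in-memory dictionaries, the HMAC index key and the test card number are all constructed for illustration; a production vault would encrypt or HSM-protect the stored PANs and sit in its own PCI scope.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum, used to reject obviously malformed input."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What the merchant may display: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault: the only place a token can be turned back into a PAN."""

    def __init__(self, index_key: bytes):
        self._key = index_key          # keyed index so the vault need not store PANs in lookup keys
        self._by_index: dict[str, str] = {}   # HMAC(PAN) -> token (assumed in-memory store)
        self._by_token: dict[str, str] = {}   # token -> PAN

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        idx = self._index(pan)
        if idx in self._by_index:      # same card always maps to the same token
            return self._by_index[idx]
        while True:
            # Random digits, keeping the last four so receipts still read naturally.
            # Tokens that happen to pass Luhn are discarded so they cannot be mistaken for a PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_index[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def checkout(vault: TokenVault, pan: str) -> dict:
    """Merchant-side record: no PAN is retained, only the token and a masked value."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-index-key")
    record = checkout(vault, "4111111111111111")   # constructed test card number
    print(record)
    print("vault recovers:", vault.detokenize(record["token"]))
```

The merchant database, logs and backups now hold only `record`; a breach there yields tokens that are useless without the vault, which is exactly the scope reduction the participants were after.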

Do you think new mobile payment applications are opening up a whole new world of PCI DSS compliance challenges? Let us know in the comments below.

Next Steps

For more on PCI DSS regulations, see our first recap from this chat. Then head over to SearchSecurity to learn more about the challenges of mobile payment applications and ongoing mobile security concerns.


Are tokenization and two-factor authentication enough to protect data on mobile payment applications? Why or why not?
Two-factor authentication is fine for smaller payment applications, but I don't believe it is safe for larger payments. It would be nice if there were a larger payment authentication system in place, but because most security platforms for mobile devices don't have encryption security, it makes payments in larger sums questionable. If there was authentication through the means of a biometric thumb-reading app, or even an iris-reading app that could scan through the camera on a mobile, this type of authentication would give me the confidence to make larger payments.