Page 36 - Mobile Data Loss

          Table 4.1 PCI DSS 3.1 Requirements — Summary for Mobile

          Section   Requirement
          2.2       Hardening—Configure system (mobile device) security parameters to prevent misuse
          2.3       Encrypt all nonconsole (remote) administrative access using strong cryptography
          4.1.1     Facilitate strong authentication for Wi-Fi by pushing certificates
          8.3       Facilitate two-factor authentication for remote access to CDE
          10.5.4    Audit logging of mobile device activity on device
          12.3      Usage policies and procedures for tablets & PDAs


          EMV credit cards on the POS devices by October, 2015, or incur the
          liability of a breach after that deadline.[1] It’s important to note that the PCI
          Council considers EMV an important move toward deterring future
          breaches, but has also stated that EMV “is not a silver bullet” and device
          management is also recommended, which is where Enterprise Mobility
          Management solutions come in. All of these requirements are intended to
          further thwart the numerous retail breaches over the last 2 years.

             In the context of using mobile devices for POS, there are some
          important differences when compared to a traditional POS cash
          register such as a Windows-Embedded POS. Mobile devices offer a
          better defense-in-depth solution to the many malware threats that have
          impacted legacy POS. Let’s further explore the PCI requirements in
          the context of Mobile POS.

             Ensuring PCI compliance for your Mobile POS devices requires
          that the merchant review two groups of requirements and guidelines.
          The first is the PCI DSS 3.1 requirements. It’s important to note
          that most of these requirements apply more broadly to the overall
          environment, for example the CDE (Cardholder Data Environment),
          so one must extract the mobile-specific requirements. Table 4.1
          summarizes these.

             Digital certificates are an important part of the mobile-specific PCI
          requirements for administrative access and Mobile POS Wi-Fi access.
          Fortunately, digital certificates are very easy to deploy on mobile
          devices; iOS, Android, Windows Phone, and others fundamentally
          support certificates. Placing the mobile device under MDM/EMM
          management allows configuration profiles to be pushed down to


          [1] http://www.mastercardadvisors.com/_assets/pdf/emv_us_aquirers.pdf
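The certificate push described above, as an added example that is not from the book: a Python script that builds an Apple .mobileconfig profile installing a client identity plus a Wi-Fi network that authenticates with it via EAP-TLS (requirement 4.1.1 in Table 4.1), and a check that every certificate reference in the profile resolves to a payload. It assumes Apple's documented payload keys (com.apple.security.pkcs12, com.apple.wifi.managed) and uses a constructed placeholder in place of a real PKCS#12 export.

```python
import plistlib
import uuid


def _base(payload_type, display_name):
    # Keys every payload in an Apple configuration profile must carry.
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadIdentifier": f"com.example.mpos.{uuid.uuid4()}",  # example identifier
        "PayloadDisplayName": display_name,
    }


def build_eap_tls_wifi_profile(ssid, identity_p12, p12_password, trusted_servers):
    """Return a .mobileconfig (XML plist) that installs a client identity and a
    Wi-Fi network authenticating with it via EAP-TLS (EAP type 13)."""
    identity = _base("com.apple.security.pkcs12", "Mobile POS client identity")
    identity["PayloadContent"] = identity_p12  # PKCS#12 bytes, serialized as <data>
    identity["Password"] = p12_password

    wifi = _base("com.apple.wifi.managed", f"Mobile POS Wi-Fi ({ssid})")
    wifi.update({
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",  # WPA2-Enterprise once EAP configuration is present
        "PayloadCertificateUUID": identity["PayloadUUID"],  # identity used for EAP-TLS
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],  # 13 = EAP-TLS only; no password-based EAP methods
            "TLSTrustedServerNames": trusted_servers,  # pin the RADIUS server identity
        },
    })

    profile = _base("Configuration", "Mobile POS PCI Wi-Fi")
    profile["PayloadContent"] = [identity, wifi]
    return plistlib.dumps(profile)


def dangling_cert_references(profile_bytes):
    """List PayloadCertificateUUID values that point at no payload in the profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    present = {p["PayloadUUID"] for p in payloads}
    return [p["PayloadCertificateUUID"] for p in payloads
            if "PayloadCertificateUUID" in p and p["PayloadCertificateUUID"] not in present]


# Constructed placeholder: a real profile embeds the PKCS#12 exported for this device.
FAKE_P12 = b"PKCS12-PLACEHOLDER"
PROFILE = build_eap_tls_wifi_profile("MPOS-CDE", FAKE_P12, "export-pw", ["radius.example.com"])

# Constructed failure case: the identity payload is dropped, leaving the Wi-Fi reference dangling.
_broken = plistlib.loads(PROFILE)
_broken["PayloadContent"] = [p for p in _broken["PayloadContent"] if p["PayloadType"] != "com.apple.security.pkcs12"]
PROFILE_MISSING_IDENTITY = plistlib.dumps(_broken)
```

A profile that fails the reference check installs without the Wi-Fi network being joinable, so run the check before the MDM pushes it fleet-wide.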