Page 37 - Mobile Data Loss

Ensuring Mobile Compliance  31

Table 4.2 PCI Mobile Payment Acceptance Security Guidelines — Summary

Checklist / Guideline
[ ] Prevent account data from being intercepted when entered into a mobile device
[ ] Secure distribution of account data
[ ] Secure access to and storage of account data
[ ] Controls over account data while in use (preventing copy/paste, screen shots, file sharing, etc.)
[ ] Prevention of unintentional or side-channel data leakage
[ ] Prevent account data from interception upon transmission out of the mobile device
[ ] Deploy MDM or MAM, protect device against malware
[ ] Prevent unauthorized logical device access (secure lock screen, full disk encryption, etc.)
[ ] Create server-side controls and report unauthorized access
[ ] Prevent escalation of privileges (detect root or jailbreak and quarantine)¹
[ ] Remotely disable payment application
[ ] Harden supporting operating systems (restrictions)

¹ Offline detection and quarantine


the device. This can simultaneously include the creation and deployment of a certificate to the device for uses such as secure access to Wi-Fi, VPNs, application tunnels, secure web access, and more.

MDM/EMM also allows for hardening of the mobile device, so that the administrator can disable services a Mobile POS does not need. This may include disabling Bluetooth, IRDA, the SD card, AirDrop, the microphone, and much more. DLP controls can also be used to disable copy/paste, screenshots, open-in, and similar data-movement features. It is important to review these options for your chosen Mobile POS device type, whether it is iOS, Android, Windows, or some other platform, because the available controls vary from device to device. In addition, these features change with operating system upgrades as new features are released. Your MDM/EMM can help you stay ahead of these new features and disable them when the Mobile POS devices are upgraded.
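The hardening and DLP controls described above are only useful if a device's actual posture is checked against them, and the text makes two points that a checker has to handle: the set of disableable features differs per platform, and OS upgrades introduce features the baseline does not yet know about. The following is an added example, not code from the book or from any MDM vendor: it evaluates a constructed device posture record (the field names, platform baselines, and sample records are assumptions, not a real MDM export schema) against a per-platform hardening baseline, flags enabled services the baseline has never reviewed, and applies the Table 4.2 rule of quarantining a rooted or jailbroken device or one without lock screen and disk encryption.

```python
"""Offline compliance check of Mobile POS posture records against a hardening baseline.

Added example, not from the book. The posture schema, baseline feature names and
sample records are constructed for illustration; a real MDM/EMM export will differ.
"""
from dataclasses import dataclass, field

# Services that a hardened Mobile POS should have disabled, keyed by platform,
# because the controllable features differ between iOS, Android and Windows.
HARDENING_BASELINE = {
    "ios": {"bluetooth": False, "airdrop": False, "microphone": False},
    "android": {"bluetooth": False, "sd_card": False, "microphone": False},
    "windows": {"bluetooth": False, "irda": False, "sd_card": False, "microphone": False},
}

# DLP controls that must be off on every platform.
DLP_BASELINE = {"copy_paste": False, "screenshot": False, "open_in": False}


@dataclass
class DevicePosture:
    """One device's reported state (constructed schema, not a vendor format)."""
    device_id: str
    os: str
    rooted_or_jailbroken: bool
    lock_screen: bool
    disk_encryption: bool
    services: dict = field(default_factory=dict)  # feature name -> enabled?
    dlp: dict = field(default_factory=dict)       # control name -> permitted?


@dataclass
class Verdict:
    device_id: str
    violations: list
    quarantine: bool  # True means the payment app should be disabled remotely


def evaluate(p: DevicePosture) -> Verdict:
    """Compare a posture record with the baseline and decide on quarantine."""
    violations = []
    critical = False

    baseline = HARDENING_BASELINE.get(p.os.lower())
    if baseline is None:
        # No baseline to compare against: fail closed rather than pass silently.
        return Verdict(p.device_id, [f"unsupported platform '{p.os}'"], quarantine=True)

    # Privilege escalation and unauthorized logical access are quarantine-worthy.
    if p.rooted_or_jailbroken:
        violations.append("device is rooted/jailbroken")
        critical = True
    if not p.lock_screen:
        violations.append("no secure lock screen")
        critical = True
    if not p.disk_encryption:
        violations.append("full disk encryption off")
        critical = True

    # Every baseline service must be reported, and must be disabled.
    for svc, allowed in baseline.items():
        state = p.services.get(svc)
        if state is None:
            violations.append(f"no report for service '{svc}'")
        elif state and not allowed:
            violations.append(f"service enabled: {svc}")

    # Services the baseline has never seen (typically new after an OS upgrade)
    # are flagged for review instead of being treated as acceptable.
    for svc, enabled in p.services.items():
        if svc not in baseline and enabled:
            violations.append(f"unreviewed service enabled: {svc}")

    for ctl, allowed in DLP_BASELINE.items():
        state = p.dlp.get(ctl)
        if state is None:
            violations.append(f"no report for DLP control '{ctl}'")
        elif state and not allowed:
            violations.append(f"DLP control permits: {ctl}")

    return Verdict(p.device_id, violations, quarantine=critical)


# Constructed sample records: one compliant iOS terminal and one drifted Android terminal.
SAMPLE_POSTURES = [
    DevicePosture("pos-ios-001", "iOS", False, True, True,
                  {"bluetooth": False, "airdrop": False, "microphone": False},
                  {"copy_paste": False, "screenshot": False, "open_in": False}),
    DevicePosture("pos-and-002", "Android", True, True, True,
                  {"bluetooth": True, "sd_card": False, "microphone": False, "nearby_share": True},
                  {"copy_paste": False, "screenshot": True, "open_in": False}),
]


def evaluate_all(postures=SAMPLE_POSTURES):
    return [evaluate(p) for p in postures]


if __name__ == "__main__":
    for v in evaluate_all():
        action = "QUARANTINE" if v.quarantine else ("remediate" if v.violations else "compliant")
        print(f"{v.device_id}: {action} {v.violations}")
```

The distinction between "quarantine" and "remediate" matters operationally: a rooted terminal should have its payment application disabled until it is replaced or re-imaged, while a Bluetooth radio that came back on after an upgrade is corrected by re-pushing the restriction profile. Flagging unreviewed services is what keeps the baseline itself honest as platforms add features.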

The other set of requirements is really a set of guidelines, but they are very important for adapting your PCI security strategy when incorporating mobile devices into the POS mix. The Mobile Payment Acceptance Security Guidelines outline the following (Table 4.2):

Probably the single largest fundamental difference in meeting the requirements for Mobile versus a PC-based POS is how anti-malware functions. In mobile, anti-virus or anti-malware is just another app on