Visa Inc. wants merchants, software developers and device manufacturers who are using mobile devices for processing credit card payments to encrypt account data and tokenize card numbers for security reasons.

Mobile devices that facilitate acceptance of credit card payments can provide added convenience to consumers and retailers. However, retailers and service providers must be sure to take security measures that protect sensitive cardholder information.

“There are existing security standards that apply to payments in general that would apply to mobile,” said Eduardo Perez, head of global payment system risk at Visa, San Francisco. “What we are doing is to provide guidance to solutions providers as they develop mobile acceptance solutions.”

Much of the focus on mobile payments is on enabling consumers to make purchases using their phones. However, many small and mid-sized businesses are also using mobile devices to process credit card payments.

Intuit, for example, recently broadened the reach of its GoPayment mobile acceptance application to iPad users to give small and mid-size retailers an additional way to drive business. 

Mobile’s security challenges
To address the growth in mobile payments , Visa has introduced a set of guidelines for mobile acceptance service providers and retailers to help ensure they are taking adequate security measures.

There are important security considerations for mobile acceptance that go beyond those for traditional acceptance services because mobile devices and acceptance attachments are not designed to the same security requirements as traditional payment terminals, per Visa.  

Also, merchants do not control the security of the network environments to which their acceptance devices connect wirelessly.

Visa’s guidelines lay out some of the more important security measures that should be taken, including encrypting all account data at the card-reader level and in transmission between the acceptance device and the processor.

Also very important is the need to enable truncation or tokenization of card numbers so merchants can identify cardholders without storing the full account data.

Other best practices suggested by Visa include the need for mobile acceptance service providers to provide the ability to track use and key activities within the mobile payment service and to ensure that account data electronically read from a payment card is protected against fraudulent use by unauthorized applications in a consumer mobile device.

Security will foster trust
The guidelines caution retailers to use mobile payment acceptance services only as originally intended and to limit access to mobile payment acceptance services.

Visa has put out security guidelines in the past related to other payment areas. This is first move by the company to try to provide guidelines in the mobile acceptance area.

Enhanced security for mobile acceptance can help foster consumer trust in mobile commerce as it continues to grow.

“The mobile security environment today is still nascent,” Mr. Perez said. “These guidelines will help ensure providers make it convenient for consumers to use mobile acceptance solutions in a safe and secure manner.”

Final Take
Retriever’s Jack Criss on mobile processing trends