Visa Releases Mobile Acceptance Best Practices

SAN FRANCISCO, April 27, 2011 /PRNewswire/ — Visa Inc. (NYSE: V) today released a set of mobile acceptance best practices for merchants, software developers and device manufacturers who are using consumer mobile devices, such as smartphones and tablet computing platforms to facilitate the acceptance of card payments. Visa best practices call for important security considerations such as encryption and tokenization of cardholder data and are designed to foster a better understanding of the merchant and service provider responsibilities related to securing cardholder data when a mobile phone is used as an acceptance device instead of a traditional terminal.

Mobile technology is enabling a growing number of small and medium-sized merchants to accept payments using mobile devices. As retailers harness the power of mobile technology to accept payments and grow their businesses, the industry must also build in adequate controls and security measures to maintain stakeholder trust in electronic payments.

“Mobile devices that can facilitate acceptance of payments are an important advancement in payments that must balance the promise of an enhanced consumer and retailer shopping experience with enhanced security measures to protect sensitive cardholder information,” said Eduardo Perez, head of global payment system risk, Visa Inc. “As a payment technology leader, Visa is well positioned to provide the industry security guidance for emerging acceptance solutions.”

Because mobile devices and acceptance attachments today are not designed to the same security requirements as traditional payment terminals, and merchants do not control the security of the network environments to which their acceptance devices connect wirelessly, there are important security considerations above and beyond those for traditional acceptance solutions. These best practices are intended for two distinct audiences – mobile acceptance application and software solution providers as well as merchants who use these solutions. Among the best practices guidance:

  • Encrypt all account data including at the card-reader level and in transmission between the acceptance device and the processor – especially important given the use of wireless or public networks.
  • Enable truncation or tokenization of card numbers, allowing the merchant to identify the cardholder without storing the full account data.

“Building security into the DNA of mobile acceptance solutions is necessary to help grow the channel and encourage innovation,” said Bill Gajda, head of global mobile product, Visa Inc. “Providing security guidance to retailers and the industry, as mobile phones used as card acceptance devices are still emerging, will help ensure acceptance solutions are secure, provide a strong foundation for future growth of this channel and foster consumer trust in mobile commerce.”

For mobile payments to reach a critical mass, they must work everywhere, every time, with the same reliability of Visa payments today. For more than 50 years, Visa has set a high bar for robust security, privacy protections, and guaranteed payment to merchants and global acceptance ubiquity. Merchants, consumers and financial institutions should expect the same standards for mobile acceptance solutions.

A complete version of Visa’s Best Practices for Mobile Payment Acceptance Practices may be found online at www.visa.com/cisp. An abbreviated version is provided below.

Best Practices for Vendors:

Goal

Best Practice

Design and implement secure mobile payment acceptance solutions.

  1. Provide payment acceptance applications and any associated updates in a secure manner with a known chain of trust.
  2. Develop mobile payment acceptance applications based on secure coding guidelines.
  3. Protect encryption keys that secure account data against disclosure and misuse in accordance with industry-accepted standards.

Ensure the secure use of mobile payment acceptance solutions.

  1. Provide the ability to disable the mobile payment acceptance solution.
  2. Provide functionality to track use and key activities within the mobile payment acceptance solution.

Limit exposure of account data that could be used to commit fraud.

  1. Provide the ability to encrypt all public transmission of account data.
  2. Ensure that account data electronically read from a payment card is protected against fraudulent use by unauthorized applications in a consumer mobile device.
  3. Provide the ability to truncate or tokenize the Primary Account Number (PAN) after authorization to facilitate cardholder identification by the merchant.
  4. Protect stored PAN data and/or sensitive authentication data.

Best Practices for Merchants:

Goal

Best Practice

Ensure the secure use of mobile payment acceptance solutions.

  1. Only use mobile payment acceptance solutions as originally intended by an acquiring bank and solution provider.

Limit the exposure of account data that may be used to commit fraud.

  1. Limit access to the mobile payment acceptance solution.
  2. Immediately report the loss or theft of a consumer mobile device and/or hardware accessory.

Prevent software attacks on consumer mobile devices.

  1. Install software only from trusted sources.
  2. Protect the consumer mobile device from malware.

This is the first version of these best practices to support the growth of the emerging mobile acceptance solutions. Visa will continue to refine and update the best practices based on industry feedback.

Beyond the best practices, vendors, merchants and acquirers are expected to follow all Visa requirements for magnetic stripe, chip and contactless acceptance. They should also adhere to the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standards (PA-DSS). Additionally, on top of following Visa Operating Regulations, acquirers must also be in compliance with all local laws and regulations regarding sponsored merchants, including adequate Know Your Customer (KYC) and Anti-Money Laundering (AML) due diligence.

About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world’s most advanced processing networks – VisaNet – that is capable of handling more than 10,000 transactions a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank, and does not issue cards, extend credit or set rates and fees for consumers. Visa’s innovations, however, enable its financial institution customers to offer consumers more choices: Pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit www.corporate.visa.com.