One of the components of governance, risk management and compliance, or GRC, is compliance. Because compliance regulations change so frequently, compliance is best treated as a shared responsibility, as TechTarget explained:
The responsibility for compliance is shared by many executives, usually at the vice president level. Human resources, audit, corporate counsel and the CIO are all involved in understanding the compliance requirements. The aim in GRC is, first, to coordinate those compliance efforts and processes, and second, to move to a more risk-based approach to compliance.
For instance, the PCI Security Standards Council (PCI SSC) announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets. Aite Group Senior Analyst Ron van Wezel explained the reason for the new standard in a formal statement:
Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency. MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere. However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive.
The primary security principles in the standard’s security and test requirements are:
- Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet
- Isolation of the PIN from other account data
- Ensuring the software security and integrity of the PIN entry application on the COTS device
- Protection of the PIN and account data using a PCI approved Secure Card Reader for PIN (SCRP)
Mobile payments are becoming ubiquitous as a payment option. It makes sense, then, that as organizations focus on other areas of mobile security, they also ensure mobile payment options are equally secure. As PCI SSC CTO Troy Leach stated in a PCI blog post:
This standard will give mobile payment solution providers and application developers a baseline of security requirements for how to enter a PIN into a COTS device, as well as methods to test that security is working, even as updates to the mobile devices and applications occur frequently. This will result in secure solutions that are independently tested to demonstrate PIN is isolated from the EMV data and will provide continuous protection, through ongoing monitoring and other controls.
Is your GRC team prepared for this new PCI compliance?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba