[Owasp-portland] PCI And Mobile Credit Card Terminals

Matthew Lapworth matthewl at bit-shift.net
Tue Mar 13 22:36:37 UTC 2012


At the last chapter meeting the question was raised about how mobile CC
devices like Square would fit into PCI. I asked the PCI expert at Nike and
this was his reply. Please excuse the grammar and spelling; it was sent
from his iPad.

The real answer is no one knows yet. The PCI SSC has been really vague on
this. If they accept end-to-end encryption where the swipe device, in this
case the Square device, encrypts the data before the iPhone can get at it,
then the solution in itself could be PCI compliant. But the real questions
come around what happens if the iPhone can see the CC in the clear on the
screen. Then IMHO the device would have to follow the rest of PCI, like
device hardening and, the hardest, logging.

The PCI SSC has released an updated encryption document but is still very
concerned about wireless devices; thank you, TJ Maxx.

So in the end, it is what you can get your QSA to approve.

I would say that if you can show that the swipe device makes it so you
cannot get at the CC number or track data at all, that the transport is
encrypted, and that you have solid controls over your devices, then you
should be able to get the solution approved easily without many
additional controls.

On the other hand, if the CC is seen on the device, the work gets a whole
lot harder.

-- 
Matthew Lapworth
http://www.bit-shift.net

We are what we repeatedly do. Excellence then is not an act, but a habit.
  - Aristotle