Visa Releases Mobile Acceptance Best Practices
SAN FRANCISCO, April 27, 2011 /PRNewswire via COMTEX/ -- Visa Inc. (NYSE: V) today released a set of mobile acceptance best practices for merchants, software developers and device manufacturers who are using consumer mobile devices, such as smartphones and tablet computing platforms to facilitate the acceptance of card payments. Visa best practices call for important security considerations such as encryption and tokenization of cardholder data and are designed to foster a better understanding of the merchant and service provider responsibilities related to securing cardholder data when a mobile phone is used as an acceptance device instead of a traditional terminal.
Mobile technology is enabling a growing number of small and medium-sized merchants to accept payments using mobile devices. As retailers harness the power of mobile technology to accept payments and grow their businesses, the industry must also build in adequate controls and security measures to maintain stakeholder trust in electronic payments.
"Mobile devices that can facilitate acceptance of payments are an important advancement in payments that must balance the promise of an enhanced consumer and retailer shopping experience with enhanced security measures to protect sensitive cardholder information," said Eduardo Perez, head of global payment system risk, Visa Inc. "As a payment technology leader, Visa is well positioned to provide the industry security guidance for emerging acceptance solutions."
Because mobile devices and acceptance attachments today are not designed to the same security requirements as traditional payment terminals, and merchants do not control the security of the network environments to which their acceptance devices connect wirelessly, there are important security considerations above and beyond those for traditional acceptance solutions. These best practices are intended for two distinct audiences - mobile acceptance application and software solution providers as well as merchants who use these solutions. Among the best practices guidance:
- Encrypt all account data including at the card-reader level and in transmission between the acceptance device and the processor - especially important given the use of wireless or public networks.
- Enable truncation or tokenization of card numbers, allowing the merchant to identify the cardholder without storing the full account data.
"Building security into the DNA of mobile acceptance solutions is necessary to help grow the channel and encourage innovation," said Bill Gajda, head of global mobile product, Visa Inc. "Providing security guidance to retailers and the industry, as mobile phones used as card acceptance devices are still emerging, will help ensure acceptance solutions are secure, provide a strong foundation for future growth of this channel and foster consumer trust in mobile commerce."
For mobile payments to reach a critical mass, they must work everywhere, every time, with the same reliability of Visa payments today. For more than 50 years, Visa has set a high bar for robust security, privacy protections, and guaranteed payment to merchants and global acceptance ubiquity. Merchants, consumers and financial institutions should expect the same standards for mobile acceptance solutions.
A complete version of Visa's Best Practices for Mobile Payment Acceptance Practices may be found online at www.visa.com/cisp. An abbreviated version is provided below.
Best Practices for Vendors:
Goal |
Best Practice |
|
Design and implement secure mobile payment acceptance solutions. |
|
|
Ensure the secure use of mobile payment acceptance solutions. |
|
|
Limit exposure of account data that could be used to commit fraud. |
|
|
Best Practices for Merchants:
Goal |
Best Practice |
|
Ensure the secure use of mobile payment acceptance solutions. |
|
|
Limit the exposure of account data that may be used to commit fraud. |
|
|
Prevent software attacks on consumer mobile devices. |
|
|
This is the first version of these best practices to support the growth of the emerging mobile acceptance solutions. Visa will continue to refine and update the best practices based on industry feedback.
Beyond the best practices, vendors, merchants and acquirers are expected to follow all Visa requirements for magnetic stripe, chip and contactless acceptance. They should also adhere to the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standards (PA-DSS). Additionally, on top of following Visa Operating Regulations, acquirers must also be in compliance with all local laws and regulations regarding sponsored merchants, including adequate Know Your Customer (KYC) and Anti-Money Laundering (AML) due diligence.
About Visa Inc.:Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks - VisaNet - that is capable of handling more than 10,000 transactions a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank, and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: Pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit https://www.corporate.visa.com/.
SOURCE Visa Inc.