Mobile Payments and PCI Compliance

Payments from mobile devices are becoming more mainstream as more consumers use smartphones and tablets to purchase items. As consumers grow accustomed to paying for products this way, they will also want to pay their bills from their mobile devices. Collection agencies should therefore be prepared to accept mobile device payments.

With agency acceptance of mobile payments comes the concern for Payment Card Industry Data Security Standard (PCI-DSS) compliance for the security and transport of data. While we cannot cover all the minutiae of the rules and regulations, we can discuss the requirements from PCI-DSS. Here is the PCI Security Standards Council's guidance on securing payment-acceptance solutions for PCI-DSS compliance with mobile device payments:

A mobile payment-acceptance solution consists of both the software and hardware components that reside on, or interface with, a mobile device. These components must be protected using PCI-DSS measures, applied in addition to any security measures undertaken to secure the mobile device itself.

Implement secure solutions

Collection agencies that wish to accept mobile payments should implement only mobile payment-acceptance solutions that meet all relevant security requirements. Specifically, the solution provider's host-based payment-acceptance application must run in a Payment Card Industry Data Security Standard (PCI-DSS) compliant environment, as attested by a Qualified Security Assessor (QSA). (Source: PCI Security Standards Council Guidelines.)

Ensure the secure use of the payment-acceptance solution

To prevent unintended consequences from the misuse of a mobile payment-acceptance solution, ensure that the payment-acceptance system is used in a manner consistent with the guidance provided by the solution provider. This includes ensuring that any software downloaded onto the mobile device for making payments comes from a trusted source. In addition, ensure that the mobile payment-acceptance solution is CFPB compliant.

Prefer online transactions

By policy and by practice, the agency should not use the mobile payment solution to authorize transactions offline or to store transactions for later transmission, for example when the mobile payment application on the host is not accessible.

Prevent unauthorized use

Access to any payment applications or other software residing on, or accessed via, a mobile device should be restricted to authorized personnel, and access records should be strictly maintained. In addition, agencies should ensure they can manage access to the payment-acceptance software on an ongoing basis.

BillingTree can implement mobile payment processing systems for your agency in a fully PCI-DSS, HIPAA, and SSAE-16 compliant environment. For more information on our solutions, contact BillingTree or call 877-424-5587 to speak to a representative.