Visa (NYSE: V) today released a set of mobile acceptance best practices for merchants, software developers and device manufacturers who are using consumer mobile devices, such as smartphones and tablet computing platforms to facilitate the acceptance of card payments.
Visa best practices call for important security considerations such as encryption and tokenization of cardholder data and are designed to foster a better understanding of the merchant and service provider responsibilities related to securing cardholder data when a mobile phone is used as an acceptance device instead of a traditional terminal.
Mobile technology is enabling a growing number of small and medium-sized merchants to accept payments using mobile devices. As retailers harness the power of mobile technology to accept payments and grow their businesses, the industry must also build in adequate controls and security measures to maintain stakeholder trust in electronic payments.
"Mobile devices that can facilitate acceptance of payments are an important advancement in payments that must balance the promise of an enhanced consumer and retailer shopping experience with enhanced security measures to protect sensitive cardholder information," said Eduardo Perez, head of global payment system risk, Visa Inc. "As a payment technology leader, Visa is well positioned to provide the industry security guidance for emerging acceptance solutions."
Because mobile devices and acceptance attachments today are not designed to the same security requirements as traditional payment terminals, and merchants do not control the security of the network environments to which their acceptance devices connect wirelessly, there are important security considerations above and beyond those for traditional acceptance solutions. These best practices are intended for two distinct audiences - mobile acceptance application and software solution providers as well as merchants who use these solutions. Among the best practices guidance:
- Encrypt all account data including at the card-reader level and in transmission between the acceptance device and the processor - especially important given the use of wireless or public networks.
- Enable truncation or tokenization of card numbers, allowing the merchant to identify the cardholder without storing the full account data.
"Building security into the DNA of mobile acceptance solutions is necessary to help grow the channel and encourage innovation," said Bill Gajda, head of global mobile product, Visa Inc. "Providing security guidance to retailers and the industry, as mobile phones used as card acceptance devices are still emerging, will help ensure acceptance solutions are secure, provide a strong foundation for future growth of this channel and foster consumer trust in mobile commerce."
For mobile payments to reach a critical mass, they must work everywhere, every time, with the same reliability of Visa payments today. For more than 50 years, Visa has set a high bar for robust security, privacy protections, and guaranteed payment to merchants and global acceptance ubiquity. Merchants, consumers and financial institutions should expect the same standards for mobile acceptance solutions.