PCI DSS

PCI DSS - Mobile Security Recommendations

PCI Mobile Payment Acceptance Security Guidelines
The 2017 PCI Mobile Payment Acceptance Security Guidelines states, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”

Section 4.3 Prevent Escalation of Privileges
Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors. Therefore, the device should be monitored for activities that defeat operating system security controls—e.g., jailbreaking or rooting—and, when detected, the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or disables the payment application. Offline jailbreak and root detection and auto quarantine are key since some attackers may attempt to put the device in an offline state to further circumvent detection. Hardening of the application is a method to that may help prevent escalation of privileges in a mobile device. Controls should include, but are not limited to:
 * Providing the capability for the device to produce an alarm or warning if there is an attempt to root or jailbreak the device;
 * Providing the capability within the payment-acceptance solution for identifying authorized objects and designing controls to limit access to only those objects

Links

 * PCI Mobile Payment Acceptance Security Guidelines for Developers • September 2017
 * Blog on Preventing Privilege Escalation in Mobile Payment Apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)
 * PCISecurityStandards.org Website