Spring naar content

Is PCI DSS Applicable To Mobile Device Management Solutions?

May 22, 2020 | 42Gears Team


With economies around the world going digital, it is the way people make payments that has been affected the most. Digital modes of making payments have made life easy – buyers don’t have to worry about carrying money or falling short of cash when using credit cards. However, using such cards for paying also has a flip side – the PoS systems being used to accept such payments also collect cardholder data. Data that can be used to wreak havoc. Thus, businesses are required to adhere to strict regulations set by the Payment Card Industry Data Security Standards (PCI DSS) Council.

Businesses that accept credit card payments, and store, process and transmit cardholder data electronically must host their data securely with a PCI DSS compliant hosting provider.

PCI DSS applies to all companies of all sizes that accept payments through credit cards. Businesses that accept credit card payments, and store, process and transmit cardholder data electronically must host their data securely with a PCI DSS compliant hosting provider. Businesses that fail to stay PCI DSS compliant are subject to steep fines and penalties, in case a data breach affects a cardholder’s payment card data.


image-Is-PCI-DSS-Applicable-To-Mobile-Device-Management-Solutions

Courtesy: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security


As is evident, it’s imperative for businesses accepting credit card payments to stay PCI DSS compliant to minimize the risk of a data breach. However, businesses today depend on a plethora of devices to conduct their daily operations – smartphones, tablets, PoS machines, barcode scanners, and others. And all these devices must come under the purview of one solution for businesses to be able to control them all from a single pane of glass. 

Merchants need to prevent unauthorized physical and logical access to devices. This entails storing devices securely, separating user accounts and app data (to facilitate multi-user support), and restricting non-privileged access to payment-related functionalities. Merchants must also consider device encryption for additional protection against disabling device-level authentication (in event of device loss or theft). PCI DSS guidelines also mandate that business owners have sufficient security controls in place to safeguard their mobile devices against malware threats by installing trusted security software products (antispyware, antivirus, and software authentication products).

The solution merchants choose should also be able to disable unnecessary device functionality, be able to detect loss or theft, and securely decommission a device if needed.

Merchants are also responsible for ensuring that their devices are secure by scanning them for unwarranted app privileges, apps storing clear-text passwords, apps that are vulnerable to man-in-the-middle attacks, and more. It is recommended that businesses use a logging and monitoring tool that can send real-time information if device security is compromised. The solution they choose should also be able to disable unnecessary device functionality, be able to detect loss or theft, and securely decommission a device if needed. And most businesses use unified endpoint management (UEM) solutions to manage, monitor and secure devices deployed across locations.

A UEM solution not only makes it easy for IT admins to keep a tab on devices, provision devices in bulk, convert them into dedicated-purpose tools, push app updates/content, block/limit data usage, etc., but also helps to reduce downtime and save costs through remote troubleshooting. That’s the reason most businesses employ such tools for device management. However, since these solutions are also used to manage the systems/machines that collect cardholder data, many businesses have strict criteria for choosing a UEM solution vendor. A key criterion for evaluating such vendors is whether their solutions will have an impact on a business’s PCI DSS compliance. 

SureMDM does not have an impact on a business’s PCI DSS compliance; companies that are PCI DSS compliant continue to be compliant even after implementing SureMDM, regardless of where they store their cardholder data.

42Gears’ UEM solution, SureMDM, is being used by businesses across the globe. A number of 42Gears’ customers need to stay PCI DSS compliant, and they have satisfactorily been using SureMDM for a while. While the solution helps businesses manage their devices, it does not, in any way, capture, store or transmit cardholder data collected by these devices. As such, SureMDM does not have an impact on a business’s PCI DSS compliance; companies that are PCI DSS compliant continue to be compliant even after implementing SureMDM, regardless of where they store their cardholder data. As long as they are consistent in adhering to the PCI DSS guidelines set forth by the governing bodies, they can safely use SureMDM for managing their devices without the risk of any non-compliance.

42Gears helps businesses stay PCI DSS compliant by enabling businesses to manage, monitor and secure their mobile devices. Crossbow Labs LLP, a PCI QSA (Qualified Security Assessors) company and an IT security auditing organization, conducted Application Resilience and Penetration Tests on our processes, configurations, and products based on PCI DSS v3.2.1 guidelines. The results of the tests confirmed that 42Gears’ products are in line with PCI DSS guidelines and have no high and medium vulnerabilities as per the Common Vulnerabilities Scoring system.

PoS Terminals Management

Learn how 42Gears’ SureMDM addresses challenges of managing remote POSIFLEX PoS Terminals.

TRY SUREMDM FOR FREEREAD MORE

Subscribe for our free newsletter

Thank you! you are successfully subscribed.
newsletter

Exclusive News and Updates on Enterprise Mobility!

* I consent to receive newsletters via email from 42Gears and its Affiliates.
Please agree
* I have reviewed and agreed to 42Gears Privacy Policy and Terms of Use prior to subscribing and understand that I may change my preference or unsubscribe at any time.
Please agree
Please verify captcha
Please enter a valid official email