
SBP issues Security Guidelines on Payment Apps

SBP has issued comprehensive security guidelines for mobile payment applications to ensure the confidentiality and integrity of customer data.


The State Bank of Pakistan (SBP) has issued comprehensive security guidelines for mobile payment applications to ensure confidentiality and integrity of customer data and the availability of app services in a secure manner.

According to the SBP, the objective of the “guidelines” is to provide baseline security requirements for app owners in order to ensure confidentiality and integrity of customer data and the availability of services in a secure manner when developing payment applications.

App owners will use the guidelines for the architecture, design, development, and deployment of mobile payment apps and their associated environment that the consumers use for payment transactions.

The requirements of the guidelines will be applicable to all Financial Institutions, authorized Payment Systems Operators/Payment Service Providers (PSOs/PSPs), Electronic Money Institutions (EMI), and any other SBP regulated/licensed/authorized institutions, which are developing, procuring, operating, facilitating, or providing digital financial services through mobile apps to end-users.

Mobile payment applications have become an alternative payment channel for a growing number of users and, accordingly, SBP-regulated entities have been offering innovative products and services through the applications. Consequently, opportunities for fraudsters to exploit vulnerabilities in mobile apps and defraud the customers have also increased manifold.

In line with international standards and best practices, the SBP has developed Mobile App Security Guidelines, providing baseline security requirements for app owners in order to ensure confidentiality and integrity of customer data and availability of services in a secure manner, when developing payment applications for mobile or other smart devices.

The central bank has advised that app owners must ensure that their mobile apps and associated infrastructure become compliant with the requirements of these guidelines latest by December 31, 2022.

The convenience, availability, and acceptance of mobile app-based payment services have phenomenally increased the adoption of these apps by customers.

Some of the major areas to consider during the mobile app development lifecycle are:

  • Data storage
  • Inter-app communication
  • Proper usage of cryptography
  • Application Programming Interfaces (APIs)
  • Secure network communication


The protection of sensitive data and payment transactional information is crucial to mobile app-based payment security.

Moreover, the SBP aims to provide baseline security requirements for mobile apps, broadly covering the following areas:

  • Data storage
  • Network communication with endpoints
  • Authentication and authorization
  • Interaction with mobile platforms
  • Code quality and exploit mitigation
  • Anti-tampering, etc.

As per the guidelines, app owners will develop a policy governing mobile apps that covers business objectives, standards, compliance, guidelines, controls, responsibilities, and liabilities. App owners may formulate this policy separately or include it as part of their overall digital channels development policy.

As a principle, the policy shall strike a balance between the security of the apps, convenience, and performance. The policy shall be reviewed at least annually and whenever a significant change occurs in the environment.

Furthermore, app owners will ensure that sensitive information is not stored in a shared storage segment on mobile devices. It is recommended that only the device's internal storage, which is sandboxed per app, or preferably a container app, be used, without interfering with other applications or with the security settings of the mobile device.

App owners will also ensure that confidential data does not remain in caches or memory after use or after uninstallation. Further, app owners shall ensure that mobile apps erase or expire all application-specific sensitive data held in the temporary and permanent memory of the device on logoff or on unexpected termination of the app instance.
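The two storage requirements above (per-app internal storage rather than a shared segment, and wiping session data on logoff or abnormal exit) map directly onto Android APIs. The Kotlin class below is an added illustration written for this article, not code from the SBP guidelines or from any regulated institution; the class and key names are hypothetical, and it assumes the Jetpack Security library (androidx.security:security-crypto) is on the classpath.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.os.Environment
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.io.File

// Hypothetical helper (added example): one place that owns every copy of
// session data the app writes, so that a single wipe() covers them all.
class SessionStore(private val context: Context) {

    // AES-256-GCM key kept in the Android Keystore; the app never handles raw key bytes.
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Backed by a file under the app's private data directory, readable only by
    // this app's UID (the "internal storage, sandboxed per app" the guidelines ask for),
    // with keys and values additionally encrypted at rest.
    private val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        context,
        "session_prefs",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    // Private subdirectory for any session-scoped files (receipts, cached statements).
    private val sessionDir = File(context.filesDir, "session").apply { mkdirs() }

    // Short-lived secret held in a char array so it can be overwritten, unlike a String.
    private var pinBuffer: CharArray? = null

    // NON-COMPLIANT: a shared storage segment. Files written here are visible to other
    // apps holding the storage permission and outlive uninstall. Shown only as the
    // pattern to avoid (the API is also deprecated under scoped storage on Android 10+).
    fun storeTokenInSharedStorage(token: String) {
        val downloads = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)
        File(downloads, "session.txt").writeText(token)
    }

    // COMPLIANT: internal, per-app, encrypted storage.
    fun storeToken(token: String) {
        prefs.edit().putString(KEY_TOKEN, token).apply()
    }

    fun token(): String? = prefs.getString(KEY_TOKEN, null)

    fun rememberPin(pin: CharArray) {
        pinBuffer = pin.copyOf()
    }

    // Erase every application-specific copy: encrypted prefs, session files,
    // the private cache, and the in-memory PIN. commit() is synchronous so the
    // preference wipe lands on disk before the process goes away.
    fun wipe() {
        prefs.edit().clear().commit()
        sessionDir.listFiles()?.forEach { it.deleteRecursively() }
        context.cacheDir.listFiles()?.forEach { it.deleteRecursively() }
        context.getExternalFilesDir(null)?.listFiles()?.forEach { it.deleteRecursively() }
        pinBuffer?.fill('\u0000')
        pinBuffer = null
    }

    // Called on logoff.
    fun logoff() = wipe()

    // Covers "unexpected termination" for the crash case: wipe before handing the
    // exception to the platform handler, which reports the crash and kills the process.
    fun wipeOnCrash() {
        val previous = Thread.getDefaultUncaughtExceptionHandler()
        Thread.setDefaultUncaughtExceptionHandler { thread, throwable ->
            runCatching { wipe() }
            previous?.uncaughtException(thread, throwable)
        }
    }

    companion object {
        private const val KEY_TOKEN = "session_token"
    }
}
```

Two caveats a practitioner should keep in mind. An uncaught-exception handler only runs for crashes inside the app; a force-stop, low-memory kill or battery pull runs no app code at all, so apps that must satisfy the "unexpected termination" clause typically also call the same wipe routine on the next launch whenever no valid session exists. And encrypting the preference file protects data at rest against other apps and offline extraction, not against a rooted device or a debugger attached to the running process, which is why the guidelines treat anti-tampering and memory hygiene as separate requirements.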

