Mobile payment applications: SBP issues security guidelines – Business & Finance

KARACHI: The State Bank of Pakistan (SBP) has issued comprehensive security guidelines for mobile payment applications to ensure confidentiality and integrity of customer data and availability of app services in a secure manner.

According to the SBP, the objective of the “guidelines” is to provide baseline security requirements for app owners in order to ensure confidentiality and integrity of customer data and availability of developing services in a secure manner when payment applications.

App owners will use the guidelines for the architecture, design, development and deployment of mobile payment apps and their associated environment that the consumers use for payment transactions.

The requirements of the guidelines will be applicable to all Financial Institutions, authorized Payment Systems Operators/Payment Service Providers (PSOs/PSPs), Electronic Money Institutions (EMI) and any other SBP regulated/licensed/authorised institutions, which are developing, procuring, Operating, facilitating, or providing digital financial services through mobile apps to end users.

Mobile payment applications have become an alternative payment channel for a growing number of users and, accordingly, SBP-regulated entities have been offering innovative products and services through the applications. According, opportunities for fraudsters to exploit vulnerabilities in mobile apps and defraud the customers have also increased manifold.

In line with international standards and best practices, the SBP has developed Mobile App Security Guidelines, providing baseline security requirements for app owners in order to ensure confidentiality and integrity of customer data and availability of services in a secure manner, when developing payment applications for mobile or other smart devices.

The central bank has advised that app owners must ensure that their mobile apps and associated infrastructure become compliant with the requirements of these guidelines latest by December 31, 2022.

The convenience, availability and acceptance of mobile app-based payment services have phenomenally increased the adoption of these apps by customers. Data storage, inter-app communication, proper usage of cryptography, Application Programming Interfaces or APIs, and secure network communication are only some of the major areas to consider during mobile app development lifecycle.

The protection of sensitive data and payment transactional information is crucial to mobile app-based payment security.

The SBP aims to provide baseline security requirements for the mobile apps, broadly covering the areas of data storage, network communication with endpoints, authentication and authorisations, interaction with mobile platforms, code quality and exploit mitigation and anti-tampering, etc.

As per the guidelines, app owners will develop a governing policy mobile apps business objectives, standards, compliance, guidelines, controls, responsibilities, and liabilities. App owners may formulate this policy separately or include the same as part of their overall digital channels development policy.

As a principle, the policy shall achieve a balance among security of apps, convenience and performance. The policy shall at least be revised annually and/or when a significant change is made in the environment.

App owners will be required to ensure that sensitive information is not stored in a shared store segment with other apps on mobile devices. It is recommended that only the device internal storage is utilised, which is virtually sandboxed per app or preferably in a container app without meddling with other applications or security settings of the mobile devices.

App owners will also ensure that confidential data is deleted from caches and memory after it is used and/or uninstalled. Further, app owners shall ensure that mobile apps erase/expire all application-specific sensitive data stored in all temporary and permanent memories of the device during logoff or on unexpected termination of app instance.

Copyright Business Recorder, 2022


Leave a Comment