Towards Secure IoT-Based Payments by Extension of Payment Card Industry Data Security Standard (PCI DSS)
Table 2
Control objectives of PCI DSS and recommendations for IoT-based payment security.
| Control objectives (COs) of PCI DSS | Recommendations to make security compatible with IoT-based payments |
|---|---|
| CO1: build and maintain a secure network | Firewalls must be modified to account for the resource-constrained nature of IoT devices. |
| CO2: protect cardholder data | (i) Cardholder data must be stored and processed in the cloud to save the computation and communication power of IoT devices. (ii) PCI DSS must consider the diversity of authentication mechanisms, which depend on the payment model used in IoT-based payment systems. |
| CO3: maintain a vulnerability management program | (i) Security patches must be lightweight in terms of storage and computation, and must be released in a way that optimizes memory usage for older releases. (ii) Antivirus and anti-malware software must be designed for the resource-constrained nature of IoT devices used for payments. |
| CO4: implement strong access control measures | Special attention is also needed to secure physical access to individual IoT devices that already hold installed cardholder credentials (e.g., physically accessing a refrigerator with installed security credentials). |
| CO5: regularly monitor and test networks | The manufacturing and distribution models, and day-to-day usage according to the diverse capabilities of IoT devices, must be considered for access control and logging activities. |
| CO6: maintain an information security policy | Over-the-air updates are considered a viable solution for updating the large number of devices in IoT networks in a manageable way. |