A Secure BYOD Policy at MasterCard? Priceless.

More than a year into its bring-your-own-device program, MasterCard Worldwide continuously assesses the security technology and policies that allow 30 percent of its employees worldwide to use their personal iPhones, iPads and Android devices at work.

“Security is a high priority for us,” says Edgar Aguilar, group executive of infrastructure and operation services at the $6.7 billion credit card company.

Employees can get work email on their devices and merge their personal and business contacts and calendars. “We are giving them access to their own information in a form factor they feel familiar with,” Aguilar says. (The company issues BlackBerrys, which aren’t part of the BYOD program.)

For participants in the BYOD program, MasterCard sets strict conditions of use.

Data stored on or transmitted to or from the device is encrypted. MasterCard also requires passwords to lock the smartphone or tablet or to get on the corporate network. “It’s essentially a secure container,” Aguilar says.

If the device is lost or stolen, MasterCard can wipe just the corporate information. “It’s up to the users to make sure they protect their personal information.”

Best Practices

Janco Associates, an IT management consulting firm, says CIOs should consider reaching further into the home life of employees. A BYOD policy template it recently published stipulates that any personal device that synchronizes with a sanctioned BYOD machine must use antivirus software “deemed necessary” by the IT group. Also important: IT must install mobile virtual private network software on the device, or at least approve of the package the employee uses.

About 2,000 of MasterCard’s 6,700 employees worldwide have signed up for BYOD so far, and that number is growing, Aguilar says. “We keep hiring new employees around the world and we see more requests for BYOD.”

Aguilar’s next step was allowing access to the corporate intranet on personal devices, a feature he enabled early last year. Whatever new applications it deploys, MasterCard, which does business nearly every country, wants to do it globally, not favoring any one country over another, he says. That means knowing how wildly different data privacy rules affect the use of personal smartphones and tablets.

MasterCard can simply tweak its policies for laptops, for example. But the difficulty with personal devices is being able to prove that the company complies with privacy regulations in the event of audits or lawsuits. MasterCard wants to have archiving and usage logs in place and tested before opening other applications to the BYOD program, Aguilar says.

Janco advises IT departments to store records of mobile device activity in a number of ways: based on files, individual users and groups of users, IP address, and material downloaded, uploaded and previewed. At MasterCard, an in-house attorney has been involved in the BYOD rollout from the planning stages. “They provide advice throughout the process, not at the tail end.”

Follow Senior Editor Kim S. Nash on Twitter: @knash99. Or read her blog, Strategic CIO.