PCI Memo To Mobile Payment App Developers: It’s Up To You

Written by Walter Conway
September 19th, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

One of the highlights of last week’s PCI Community Meeting was the long-awaited release of the PCI Security Standards Council’s guidance on mobile-payment application developers. The document lays out a set of requirements that together form a roadmap for mobile-payment application developers and would-be developers.

Currently, retailers have a choice. They can use their smartphones and tablets, sticking on a dongle that reads a payment card’s magnetic stripe, and be cruising down the mobile commerce highway. Or they can be PCI DSS compliant. Unfortunately, the PCI Council has stated that smartphones and tablets are not secure, pointing to recent guidance from the National Institute of Standards and Technology (NIST) to support that position. The question, therefore, is: When will retailers have secure applications that enable them to use a wide range of smartphones and tablets for mobile commerce while still being PCI DSS compliant? I don’t think we have an easy answer to that question yet.

Is having both mobile commerce and PCI DSS compliance too much to ask? I don’t think so. But we all will find out soon.

The future of mobile commerce is in the smartphones, tablets and assorted iDevices that merchants and consumers love. These devices are behind the surge of new merchants that have never before taken payment cards. The devices have also attracted a new set of application developers, who may not know secure coding techniques or understand the risks inherent in a payment transaction. I suspect many of these developers think OWASP is a cry for insect repellent.

This future—or is it the present?—poses risks. The mobile devices often exist outside of any enterprise security management. A device’s location changes as regularly as the merchant moves to different locations (that is what mobile commerce is all about) and it links to different networks. And if that is not enough, it is hard to detect tampering or malware on the device.

As a result, it is not possible for a retailer to be PCI DSS compliant when using a personal smart device.

That fact, however, has not stopped many merchants from using these devices, and therein lays our PCI DSS compliance challenge.

MasterCard was the first to recognize that PCI DSS compliance is not possible—downgrading it to a “unique challenge”—when it released its merchant guidance in May. The card brand’s position was that because mobile commerce using a smart device equipped with a card-reading dongle is inevitable and because PCI DSS compliance is not realistic, retailers should do their best to be safe.

Visa followed shortly thereafter with similar guidance.


3 Comments | Read PCI Memo To Mobile Payment App Developers: It’s Up To You

  1. Preston Says:

    As you say, it’s either use m-commerce or be PCI compliant. The lack of PA-DSS validation puts merchants in a real bind, and it can’t last much longer. I think the council risks making itself irrelevant if merchants realize that they’re “damned if you do, damned if you don’t.” The number of merchants taking the risk and using m-commerce platforms speaks either to ignorance, risk blindness, or a calculated decision that the benefits of m-commerce outweigh the risk.

  2. Walt Conway Says:

    Thanks for your comment, Preston. I agree that the lack of PCI DSS compliant options and the lack of PA-DSS validated payment apps is difficult. The merchant community has already made its decision, and Square (and similar devices) has won. The two major card brands have effectively validated the merchant community’s decision to proceed with mobile commerce.

    The good part, though, is that at least the PCI Council has articulated the requirements that developers need to follow to build secure payment apps. I hope these requirements will be built into the next generation of apps. It would have helped if the Council had gone further and told developers that if they followed the guidelines, they could get PA-DSS validated.

    As you point out, one has to wonder whether it is too late: the mobile commerce genie sure seems to be out of the bottle. I wish developers and merchants (and their acquirers) would have had these guidelines two years ago, but wishes are not terribly useful. Taking action like the Council did — however late — is what will improve security.

  3. David King Says:

    I am glad that the Council has finally released guidelines. The challenge with m-commerce is it is a bit of the wild wild west right now. Today, just about any kid can whip up a payment app. The Council has to find a way to reach all of these people. They are not necessarily medium to large businesses that they are used to working with. Many of them are one or two guys slinging code in their basement.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 17,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.