Evan Schuman's StorefrontBacktalk

The PCI Security Standards Council’s much-anticipated rules on mobile-payment issues won’t happen before April of next year and will probably happen much later, according to a key member of the Council’s board of advisors. Given the pace of mobile-payment deployments and trials, this timetable forces retailers to move into this crucial area without standardized guidance—and virtually guarantees a lot of expensive changes in a year, when the rules finally materialize.

As of Friday (June 10), the Council had not even created the mobile-payment special interest group, which will push back the release of a mobile-payment specification at least 10 months, said Christian Janoff, a retail enterprise architect with Cisco who sits on the Council’s board of advisors. “It takes awhile for these standards bodies” to make these types of recommendations, Janoff said.

Even if the 10 months estimate is correct—and it certainly sounds reasonable—that’s the earliest point for the guidelines to be released. It will still be many months after that before it would be the law of payment and potentially more months after that before compliant applications are available, not to mention compliance with carriers, handsets, chips, readers and all the other elements of the just-barely-already-defined mobile-payment infrastructure.

Janoff’s Cisco colleague, Lindsay Parker (the vendor’s global retail industry director), agreed and termed the effort to create these guidelines “Herculean.” Asked what retailers should do while waiting for the guidance, she said there’s little choice. Retailers always have to look at PCI rules and data-protection processes as accomplishing two parallel objectives: Being secure and being standards compliant.

For compliance, merchants will simply have “to be compliant with what we know” and focus all efforts on simply being secure, Parker said.

This information is actually good news for retail IT for two reasons. By eliminating the possibility that mobile payment is imminent and by offering a “no sooner than” timetable, retailers are freed up to pursue various mobile-payment schemes without worrying about immediate change demands.

The second reason this is good news is pragmatic. Although knowing what the industry standards are is helpful at any point, it’s essential to know before undertaking a full-scale deployment. For small trials, it’s much less critical. As a practical matter, the next year will overwhelmingly be focused on exactly those types of small focused trials. The absence of standards will actually give IT chiefs free reign to pursue any efforts for evaluation.

That said, there are also some serious drawbacks with this type of a delay. In any young market, such industry standards can often help retailers choose which vendors to work with on trials, confident that the final result will be within industry expectations.

Second, if a trial (or, worse, a limited deployment) goes well and a chain starts to make development, programming and training investments and then the word comes down that a very contradictory technology approach gets the endorsement, that could hurt in two ways. First, the expensive pain of breaking things down and starting all over again.

The other problem, though, is more insidious. If enough retailers have progressed far enough by the time the guidance is released, it could create anger, resistance and resentment, which might undermine compliance. That’s especially bad, because if any IT area truly needed strong security rules, it’s mobile payment.

Come to think of it, there’s yet one more good thing about this timetable. It will provide more time for real-world feedback from those initial trials before the guidelines are released. If there’s anything certain in mobile payment, it’s that these systems will never work as predicted and consumers will never interact with them as predicted. It would certainly be nicer if the specs were available now. But if they have to be delayed, it’s good that there will at least be a few silver magstripe linings.