Visa Joins MasterCard In Relegating PCI To An Afterthought

Written by Walter Conway
June 27th, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Visa recently updated its Security Best Practices for Mobile Payments, and it is interesting to observe how it mirrors key elements of the guidance issued earlier by MasterCard. The good news is that it sends smaller retailers a consistent message on how best to take cards using their smartphones, tablets or personal digital assistants (PDAs). The less good news—at least from a QSA’s perspective—is that Visa seems to have joined MasterCard in relegating PCI compliance to an afterthought.

Actually, come to think of it, the card brands are recognizing the reality that the retail industry is moving forward with mobile payments whether the chosen solution is PCI compliant or not.

Visa neatly divides its best practices into separate sections for application vendors, merchants and what it calls Payment Solution Providers (PSPs). A PSP is the same as MasterCard’s Payment Facilitator: an entity that has a merchant agreement of its own and, essentially, resells card processing to small merchants. These small merchants then do not need their own acquiring relationship.

The three-part model for mobile payments is also the same. There is a smartphone or tablet, presumably already owned by the merchant. The merchant installs a payment application and attaches a hardware device for reading the card’s magnetic stripe (or EMV chip, when that becomes available) to complete the setup.

Visa’s best practice recommendations for merchants are neatly summarized in just over one page. Specifically, merchants should use the payment application only as intended, limit device access to employees who need to use it, tell their acquirer if the device is lost or stolen and avoid installing any games or malware on the device.

As a QSA, what I find interesting, and maybe a little disappointing, is the lack of clear support for PCI compliance. About the only mention of PCI in the entire document is the recommendation that the payment solution “should also adhere to the principles set out” in both PCI DSS and PA-DSS. Somehow, the recommendation to “adhere to the principles” of PCI doesn’t sound like a ringing endorsement of the standard.

It is that use of “should,” when referring to security and PCI, and “must”—sometimes in bold and underlined—when referring to Visa’s own Operating Regulations, that disappoints me a little.

The PCI standard and the PCI Council are creations of the card brands, and now we see the two largest brands each appearing to soft-pedal PCI compliance. I do not know if that is the message the brands intended, but it is a message that comes through.

I believe the PCI Council is on the right track with its point-to-point encryption (P2PE) approach. Its recommendation is straightforward, and the merchant’s smartphone or tablet never sees or stores clear-text cardholder data. Furthermore, the Council’s approach reflects the reality that the local barista, handyman, food truck vendor or taxi driver has no interest in or ability to assess the security of the mobile payment application. They just want to take plastic and get paid.
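The property described above, that the merchant’s phone or tablet only ever handles ciphertext while the decryption happens at the processor or PSP, is easy to sketch in code. The following is an added illustration written for this column, not code from Visa, MasterCard or the PCI Council, and it does not reproduce the Council’s P2PE standard: it shows the architectural idea with a simulated reader, merchant app and decryption environment. The key name `p2peKey`, the `P2PE-BLOB:` framing and the track data (built around the well-known Visa test number 4111111111111111) are all constructed for the example; a real reader would have its key injected at manufacture rather than hard-coded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// Constructed P2PE key shared only by the card reader and the decryption
// environment at the processor/PSP. The merchant device never holds it.
var p2peKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// Constructed framing the merchant app puts around the opaque blob.
var blobPrefix = []byte("P2PE-BLOB:")

// newGCM builds an AES-GCM AEAD for the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// readerEncrypt simulates the card reader: track data is encrypted before
// the bytes ever reach the merchant device. The nonce is prepended so the
// decryption environment can recover it.
func readerEncrypt(key, trackData []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, trackData, nil), nil
}

// merchantAppForward simulates the payment application on the phone or
// tablet: it has no key, so all it can do is add framing and relay the blob.
func merchantAppForward(blob []byte) []byte {
	return append(append([]byte{}, blobPrefix...), blob...)
}

// processorDecrypt simulates the decryption environment at the processor/PSP,
// the only party besides the reader that holds the key.
func processorDecrypt(key, msg []byte) ([]byte, error) {
	if len(msg) < len(blobPrefix) || string(msg[:len(blobPrefix)]) != string(blobPrefix) {
		return nil, fmt.Errorf("unexpected framing")
	}
	blob := msg[len(blobPrefix):]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// luhnValid reports whether a digit string passes the Luhn check.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// containsPAN reports whether a buffer holds a Luhn-valid 13-19 digit run,
// i.e. something that looks like a clear-text card number. This is the sort
// of check an assessor might run over what the merchant device actually stores.
func containsPAN(buf []byte) bool {
	for _, m := range digitRun.FindAll(buf, -1) {
		if luhnValid(string(m)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed track-1-style data using the Visa test PAN.
	track := []byte("%B4111111111111111^CARDHOLDER/TEST^2512101?")
	blob, err := readerEncrypt(p2peKey, track)
	if err != nil {
		panic(err)
	}
	onPhone := merchantAppForward(blob)
	fmt.Println("merchant device holds clear-text PAN:", containsPAN(onPhone))
	plain, err := processorDecrypt(p2peKey, onPhone)
	if err != nil {
		panic(err)
	}
	fmt.Println("processor recovered clear-text PAN:", containsPAN(plain))
}
```

The point of the `containsPAN` check is that it is run against the bytes the merchant app actually handled: with the key held only at the reader and the processor, nothing that passes through the phone carries a recognisable card number, which is what takes the device out of the merchant’s cardholder data environment.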

All of which leaves me with most of the questions I asked in the previous column unanswered. I am sure this situation will come up during the PCI Council’s annual Community Meeting. The apparent conflict between the card brands’ and the PCI Council’s advice should stimulate some interesting discussion.

Meanwhile, I’d like to hear some stimulating discussion from you. What do you think? Does it look to you like PCI is being pushed to the backseat, or am I too close to the situation? Do larger retailers feel that smaller competitors are being given a free pass on PCI compliance? I’d like to hear your thoughts. Either leave a comment or E-mail me.

