Acquirers Rush In Where PCI Fears To Tread: Mobile
Written by Walter Conway. A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
As retailers implement plans for mobile commerce, they are running into a frustrating situation: the PCI Council is not validating any mobile apps. Interestingly, it’s the same roadblock that stymies the developers of those same retailers’ mobile payment applications and their PA-QSAs. The problem is that a vacuum has formed between Visa’s Payment Application Security Mandates and the PCI Security Standards Council’s hold on validating new mobile payment applications.
More than two years ago, Visa mandated—effective July 1, 2010—that “Acquirers must ensure their merchants, (VisaNet Processors) and agents use only PA-DSS compliant applications.” With nearly 800 PA-DSS validated applications listed on the PCI Council’s Web site, retailers have a wide choice. Unless, that is, they are looking for a mobile commerce application.
The problem with mobile payment applications is that there are some valid security concerns, mostly dealing with the mobile devices themselves. Until these concerns are resolved, we cannot expect any new mobile payment software applications to be added to the validated list.
We, therefore, have a vacuum forming: Visa mandates that retailers use only PA-DSS validated payment applications, but there aren’t any new mobile applications being officially validated—at least for now. What is a retailer intent on conducting secure mobile commerce to do?
As I recall from my physics courses, nature abhors a vacuum. Based on what I see happening in the marketplace, this law also applies to the world of PA-DSS and mobile commerce. In this case, we see some leading acquirers stepping into the void and approving payment applications on their own and then offering them to their merchants.
Visa’s mandate allows acquirers this freedom of action. In clarifying the mandate, Visa noted that although using PA-DSS validated payment applications “is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications.”
To those not familiar with the inner workings of the PCI world, it may seem inconsistent to mandate PA-DSS compliance for an application and yet not require that application to be on the approved list. But this is the case.
Anyone with an online newsreader has seen announcements of new mobile payment applications—in at least one case, offered by a leading acquirer. One thing you might notice is that none of those statements has mentioned anything about PA-DSS validation. Why? My take is because the acquirer is taking advantage of the provision in Visa’s mandate that gives it the authority to approve payment applications directly.
That provision states: “Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.” But there’s more to it than that.
December 1st, 2010 at 3:11 pm
Given the ridiculous situation that the PCI SSC finds itself in with a backlog of over 8 months for PA-DSS ROV reviews, the last thing they need is more workload! So good on the acquirers, they accept the risk and technology advances!
December 2nd, 2010 at 10:38 am
Mobile payment applications are here and more are coming. Innovative devices like the iPad and Android tablets are going to change the way small merchants do business. We are moving away from the PC being the traditional POS device to an iPad/Android centric model. They are cost effective, easy to use, and highly mobile. The Standards Council must address this issue. They have to keep pace with the advancements in payment technology or get left behind and become obsolete.
December 2nd, 2010 at 12:30 pm
I think many retailers are looking at Apple Retail and thinking, “why can’t I use an iPod touch with scanner attachment for MPOS?” So the next question would be, “Is that PCI compliant?” If Apple is PCI compliant, does that pave the way for shoppers with iPhones? Will there be an m-commerce area on the app store, where ‘approved’ payment apps could be downloaded for consumers?
December 2nd, 2010 at 6:07 pm
The question, “but there aren’t any new mobile applications being officially validated—at least for now. What is a retailer intent on conducting secure mobile commerce to do?” has one more answer. Outsource. Just like websites do, retailers can outsource payment acceptance on the mobile device to a Level 1 PCI provider and eliminate the need to PA DSS the software, at all. Whether it’s a mobile browser re-directing to a hosted payment page or a downloaded app programmed to call a secure hosted payment page or payment form, it should reduce the merchants’ scope of PCI. We launched this exact service to online merchants for paying over iPhones and Androids last week. I’d welcome your comments, Walt, on this approach.
December 2nd, 2010 at 6:40 pm
I was a little confused at first. It sounds like what you’re referring to is mobile terminals used by merchants for card acceptance. mCommerce on the other hand is when consumers make a purchase using their own mobile device. With mCommerce, PA-DSS is incredibly irrelevant since it’s intended for systems distributed to merchants for use in their card data environment. There’s nothing I’m aware of in PCI standards that addresses consumer applications.
December 2nd, 2010 at 10:07 pm
First of all, thanks to all for the excellent comments (and those of you who emailed me).
@Chalky and David, you both hit it on the head, but I’d like to add one thing. The point of the column was that it is not about the PCI Council or even Visa and the mandates. I was highlighting (as you both pointed out) that the news is about retailers and particularly their acquirers. I think there are risks to both, but those risks are manageable as evidenced by the recent announcements. A lively market benefits everybody, consumers and retailers (and certainly acquirers) alike.
@Richard, I think what scares me is there already are payment apps out there. They are not PA-DSS validated (as far as I can tell), and it’s unclear whether Apple cares or wants to be responsible.
@Greg, I am also a fan of outsourcing as I’ve written several times. But in many cases the merchant may want to control their environment, have a particular application: what works for a store may not work for a coffee shop or a fitness center or a parking lot. Nevertheless, I agree hosting will have a role to play in this area. It will be interesting to see whether outsource vendors will address 12.8.2.
@Lucas, you raise a great point, and we may need to define our terms better. To me, mobile commerce can include a merchant using an enabled mobile device, whether it is an iPad, iPhone, Android, or whatever. I’m even including a cube to read the mag stripe and the sleds to transform a smart phone into a payment terminal. It’s a broad topic.
A great discussion. I hope it continues here and at NRF (be sure to catch StorefrontBacktalk (and me) there: http://www.storefrontbacktalk.com/securityfraud/at-nrf-storefrontbacktalk-panels-to-include-top-cios-on-mobile-security/ ).
December 11th, 2010 at 4:18 pm
At first blush, I thought this was ridiculous. But now I’m just surprised that Visa has a loophole like this in their program. I imagine it was meant for acquirers to use rarely.
First, this is only Visa’s position. So how this may apply to any other card brand is uncertain.
For another thing, it is okay for an acquirer to take on risk this way. But if there is a compromise, what happens to the merchant? Do they still get safe harbor when not using a listed application? ‘Probably’ isn’t a great answer.
December 20th, 2010 at 5:04 pm
What about the existing Mobile applications already certified and the ones already with completed ROVs submitted for Listing? Will the SSC delist these applications and if so, on what grounds?
The SSC is getting itself in dangerous waters by selectively approving applications after it issued a standard and approval process.
Businesses on both sides of this issue are making important decisions based on what this organization has done to establish itself as a market controlling entity.
I would suspect lawsuits will follow if this ban on mobile applications that have been validated isn’t lifted soon.