Acquirers Rush In Where PCI Fears To Tread: Mobile

Written by Walter Conway
November 29th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

As retailers implement plans for mobile commerce, they are running into a frustrating situation: the PCI Council is not validating any mobile apps. Interestingly, it’s the same roadblock that stymies the developers of those same retailers’ mobile payment applications and their PA-QSAs. The problem is that a vacuum has formed between Visa’s Payment Application Security Mandates and the PCI Security Standards Council’s hold on validating new mobile payment applications.

More than two years ago, Visa mandated—effective July 1, 2010—that “Acquirers must ensure their merchants, (VisaNet Processors) and agents use only PA-DSS compliant applications.” With nearly 800 PA-DSS validated applications listed on the PCI Council’s Web site, retailers have a wide choice. Unless, that is, they are looking for a mobile commerce application.

The problem with mobile payment applications is that there are some valid security concerns, mostly dealing with the mobile devices themselves. Until these concerns are resolved, we cannot expect any new mobile payment software applications to be added to the validated list.

We, therefore, have a vacuum forming: Visa mandates that retailers use only PA-DSS validated payment applications, but there aren’t any new mobile applications being officially validated—at least for now. What is a retailer intent on conducting secure mobile commerce to do?

As I recall from my physics courses, nature abhors a vacuum. Based on what I see happening in the marketplace, this law also applies to the world of PA-DSS and mobile commerce. In this case, we see some leading acquirers stepping into the void and approving payment applications on their own and then offering them to their merchants.

Visa’s mandate allows acquirers this freedom of action. In clarifying the mandate, Visa noted that although using PA-DSS validated payment applications “is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications.”

To those not familiar with the inner workings of the PCI world, it may seem inconsistent to mandate PA-DSS compliance for an application and yet not require that application to be on the approved list. But this is the case.

Anyone with an online newsreader has seen announcements of new mobile payment applications—in at least one case, offered by a leading acquirer. One thing you might notice is that none of those statements has mentioned anything about PA-DSS validation. Why? My take is because the acquirer is taking advantage of the provision in Visa’s mandate that gives it the authority to approve payment applications directly.

That provision states: “Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.” But there’s more to it than that.


8 Comments

  1. Chalky Says:

    Given the ridiculous situation that the PCI SSC finds itself in with a backlog of over 8 months for PA-DSS ROV reviews, the last thing they need is more workload! So good on the acquirers, they accept the risk and technology advances!

  2. David King Says:

    Mobile payment applications are here and more are coming. Innovative devices like the iPad and Android tablets are going to change the way small merchants do business. We are moving away from the PC being the traditional POS device to an iPad/Android centric model. They are cost effective, easy to use, and highly mobile. The Standards Council must address this issue. They have to keep pace with the advancements in payment technology or get left behind and become obsolete.

  3. Richard Nedwich Says:

    I think many retailers are looking at Apple Retail and thinking, “why can’t I use an iPod touch with scanner attachment for MPOS?” So the next question would be, “Is that PCI compliant?” If Apple is PCI compliant, does that pave the way for shoppers with iPhones? Will there be an m-commerce area on the app store, where ‘approved’ payment apps could be downloaded for consumers?

  4. Greg McGraw Says:

    The question, “but there aren’t any new mobile applications being officially validated—at least for now. What is a retailer intent on conducting secure mobile commerce to do?” has one more answer. Outsource. Just like websites do, retailers can outsource payment acceptance on the mobile device to a Level 1 PCI provider and eliminate the need to PA DSS the software, at all. Whether it’s a mobile browser re-directing to a hosted payment page or a downloaded app programmed to call a secure hosted payment page or payment form, it should reduce the merchants’ scope of PCI. We launched this exact service to online merchants for paying over iPhones and Androids last week. I’d welcome your comments, Walt, on this approach.

  5. Lucas Says:

    I was a little confused at first. It sounds like what you’re referring to is mobile terminals used by merchants for card acceptance. mCommerce on the other hand is when consumers make a purchase using their own mobile device. With mCommerce, PA-DSS is incredibly irrelevant since it’s intended for systems distributed to merchants for use in their card data environment. There’s nothing I’m aware of in PCI standards that addresses consumer applications.

  6. Walt Conway Says:

    First of all, thanks to all for the excellent comments (and those of you who emailed me).

    @Chalky and David, you both hit it on the head, but I’d like to add one thing. The point of the column was that it is not about the PCI Council or even Visa and the mandates. I was highlighting (as you both pointed out) that the news is about retailers and particularly their acquirers. I think there are risks to both, but those risks are manageable as evidenced by the recent announcements. A lively market benefits everybody, consumers and retailers (and certainly acquirers) alike.

    @ Richard, I think what scares me is there already are payment apps out there. They are not PA-DSS validated (as far as I can tell), and it’s unclear whether Apple cares or wants to be responsible.

    @Greg, I am also a fan of outsourcing as I’ve written several times. But in many cases the merchant may want to control their environment, have a particular application: what works for a store may not work for a coffee shop or a fitness center or a parking lot. Nevertheless, I agree hosting will have a role to play in this area. It will be interesting to see whether outsource vendors will address 12.8.2.

    @Lucas, you raise a great point, and we may need to define our terms better. To me, mobile commerce can include a merchant using an enabled mobile device, whether it is an iPad, iPhone, Android, or whatever. I’m even including a cube to read the mag stripe and the sleds to transform a smart phone into a payment terminal. It’s a broad topic.

    A great discussion. I hope it continues here and at NRF (be sure to catch StorefrontBacktalk (and me) there:

  7. Marc Bayerkohler Says:

    At first blush, I thought this was ridiculous. But now I’m just surprised that Visa has a loophole like this in their program. I imagine it was meant for acquirers to use rarely.

    First, this is only Visa’s position. So how this may apply to any other card brand is uncertain.

    For another thing, it is okay for an acquirer to take on risk this way. But if there is a compromise, what happens to the merchant? Do they still get safe harbor when not using a listed application? ‘Probably’ isn’t a great answer.

  8. Dan Jenkins Says:

    What about the existing Mobile applications already certified and the ones already with completed ROVs submitted for Listing? Will the SSC delist these applications and if so, on what grounds?

    The SSC is getting itself in dangerous waters by selectively approving applications after it issued a standard and approval process.

    Businesses on both sides of this issue are making important decisions based on what this organization has done to establish itself as a market controlling entity.

    I would suspect lawsuits will follow if this ban on mobile applications that have been validated isn’t lifted soon.

