This is page 2 of:
Mobile POS Moves Forward, With MasterCard’s Blessing
The most relevant parts of the document for retailers are on pages five and six. Here MasterCard makes it clear it is talking specifically about mobile devices with a card reader (or dongle) “attached to the audio port, USB port or proprietary connector,” and the merchant uses a payment application installed on its smartphone or tablet to process the transaction. The card brand excludes contactless solutions where customers use their own device as a replacement for the physical payment card.
Things start to get interesting because, as MasterCard puts it, merchants face a “unique challenge.” Specifically, MasterCard mandates that merchants use only PA-DSS validated payment applications listed by the PCI Council. But, as the document notes, “the PCI SSC is not certifying MPOS payment applications that reside on multi-purpose consumer mobile devices until further guidance is developed to ensure the security of cardholder data within the mobile device.” Get it? Retailers must use PA-DSS validated applications, but there are no PA-DSS validated mobile payment applications.
To me, this definitely qualifies as a unique challenge—or maybe even an insurmountable opportunity. What’s the answer? MasterCard appears to be saying that merchants should follow its own (that is, MasterCard’s) prescribed best practices. But as a QSA I recommend full PCI compliance at all times.
MasterCard tells MPOS solution providers that they “should” (note: not “must”) develop their code securely, update the application and have policies in place when their sub-merchants lose their MPOS device. The card brand tells merchants that they “should” (again, note: not “must”) talk to the solution providers about security.
That is about all solution providers need to do, and the “unique challenge” posed by the lack of PA-DSS validated mobile payment applications goes away. Again, as a QSA I have to reinforce the importance of using only PA-DSS validated applications installed and maintained according to the vendor’s PA-DSS Implementation Guide.
MasterCard recognizes another “unique challenge” a bit further on in the document. It notes that the open architecture of mobile devices and their susceptibility to malware can lead to the loss of unencrypted cardholder data. Because of these “limitations with the security features of mobile devices, merchants who use MPOS solutions will find it challenging to comply with the requirements of the PCI DSS.”
Did I just miss something, or did a major card brand just give MPOS merchants and sub-merchants a pass on PCI compliance? Or, is MasterCard taking a risk-adjusted approach to compliance? I do not think the card brand is doing either, but it could be confusing. MasterCard notes at the very beginning of the document that none of the best practices supersedes any of its rules. Still, the recommendations offered do not seem to include an easy path to PCI compliance.