Evan Schuman's StorefrontBacktalk

VeriFone is one of the mobile payment vendors that was delisted on January 31, according to Paul Rasori, VeriFone’s Senior VP for Global Marketing. His letter said, simply enough, that “until this examination is complete,” the PCI Council “will not approve or continue to list” any impacted mobile applications.

Which applications are—or will be—considered impacted? Without a full list of the delisted applications, that’s difficult to say. One person with knowledge of the council’s startegy said there are various factors, and many involve the hardware. Applications designed to run on consumer-controlled devices—such as iPhones, Androids and Blackberries—will likely get the most resistance, while some mobile applications designed for retailer-controlled devices—such as IBM’s Shopping Buddy—may be able to stay listed during the examination period.

This PCI source said that “the council notified specific vendors and gave them a period to address the concerns, as well.” Asked how a vendor could appeal when the council has yet to issue mobile guidelines (in other words, how can vendors argue that they really are compliant with non-existent rules?), he said much might involve the hardware. The big challenge is making sure all of the mobile capabilities are compliant with all three relevant standards: PCI-DSS, PA-DSS and PTS.

Asked about a rough target of when mobile guidelines will materialize, Council General Manager Bob Russo had a statement E-mailed that didn’t directly answer the question. He even questioned whether new guidelines would ever be issued, saying that “new standards or guidance around mobile payment applications and their associated mobile communications device are possible outcomes of this process.” That said, it seems extremely unlikely the council would go to all of this effort—including the delisting—and then not issue anything.

Beyond that, Russo’s answer to the timeframe question was a lengthy list of things that need to happen between now and the examination’s conclusion, suggesting that the process won’t wrap anytime soon.

“The council is in the beginning stages of a comprehensive examination to determine: applicable security requirements for mobile payment applications, the security capabilities and features of the mobile communications devices on which these applications reside, and the necessary interaction between such devices and payment applications to effectively secure cardholder data,” the Russo statement said. “As part of this examination, if security guidance is defined, each application will need to be reassessed by vendors for possible updates, put forward for review by a PA-QSA to ensure that any new guidance was appropriately incorporated into the application, then submitted to the council for approval.”

There have always been two ways that technology standards—and, for that matter, any standards—can come about: de jure and de facto.

De facto is the majority rules approach, where overwhelming marketshare, for example, can make one approach the standard—think Microsoft Word in word processing or Google for search engines. De jure is where a committee dictates the standard to the population—when the PCI Council, IEEE or W3C, for example, issues guidance on an approach.

If the PCI Council (the de jure option here) moves too slowly, will retailers proceed on their own? And will the council then have to tailor its guidelines to accommodate what the merchant community has already done, assuming one approach becomes far more popular than another?

Maybe this is terminology confusion. Note to the mobile powers-that-be: When people speak of a mobile standard, they mean a standard governing mobile devices. They do not mean that the standard itself is mobile, flitting here and there and never actually landing. Just wanted to clarify that.