This is page 2 of:
PCI Council: Mobile Payment Interim Fix By August
Council officials also promised “some updated language this summer” about peripheral devices—such as Square—that would interact with mobile units. “This is totally focused on point of sale: Mobile applications that are accepting payments and not initiating payments,” said Bob Russo, the council’s general manager. “This is really a first step.”
What the council will specifically announce is that it is splitting all mobile-payment applications into three categories. The first is apps that operate solely on a PCI PIN Transaction Security (PCI PTS) approved mobile device. (Aside: PCI PTS is a deliciously acronym-intensive phrase, which fully stands for Payment Card Industry Personal Identification Number Transaction Security. Yeah, let’s go with PCI PTS.) The second category is for devices that have as their single—and only—function to accept payments. Category three speaks to apps where payments are handled by a multipurpose consumer-controlled device, such as a smartphone or a tablet. The council is now willing to consider applications for categories one and two.
Category two speaks to “an environment that was dedicated and developed with payment applications in mind. It would be hardened and dedicated to just the purpose of Point of Sale,” Leach said. “It would not be allowed to have the user functionality to download [the game] Angry Birds.”
Leach said the new categories are an attempt to better mesh the council’s goals with today’s retail realities. “The challenge is sometimes assessors have been trying to put a square peg into a [round] hole when trying to meet our PCI-DSS requirements, which are traditionally for Point Of Sale type of applications,” Leach said.
Some creative approaches—such as Home Depot’s customized mobile units that can handle payments along with checking inventory and other functions—don’t fit neatly into these categories. But that’s OK. “If it’s one merchant’s product, I would question why in the world it would go through PA-DSS to begin with. If I’m Home Depot or Lowe’s or any merchant, and I’m using this technology and it’s custom-built for me, why am I going through PA-DSS?”
Conway applauded the new categories, but added that the lack of official action on category 3—true mobile payment, as it has come to be understood—limits the value. “Realistically, the greatest interest is and will be in category 3. That’s where all the action is. Unfortunately, merchants are on their own until sometime in 2012,” he said.
Richard Mader, executive director of the Association For Retail Technology Standards (ARTS), said he wants to know why the PCI Council hasn’t been working with retail groups. “Why is the council not working with the leaders in the industry who are trying to develop secure payments? To my knowledge, they are not engaged with Smartcard Alliance, NFC Forum, GSMA PayBuy Mobile project, ARTS or others that work in this area. Again, this is possibly a delay tactic until Visa and MasterCard have cemented their hold on mobile payment.”
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
