PCI Memo To Mobile Payment App Developers: It’s Up To You

Written by Walter Conway
September 19th, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

One of the highlights of last week’s PCI Community Meeting was the long-awaited release of the PCI Security Standards Council’s guidance on mobile-payment application developers. The document lays out a set of requirements that together form a roadmap for mobile-payment application developers and would-be developers.

Currently, retailers have a choice. They can use their smartphones and tablets, sticking on a dongle that reads a payment card’s magnetic stripe, and be cruising down the mobile commerce highway. Or they can be PCI DSS compliant. Unfortunately, the PCI Council has stated that smartphones and tablets are not secure, pointing to recent guidance from the National Institute of Standards and Technology (NIST) to support that position. The question, therefore, is: When will retailers have secure applications that enable them to use a wide range of smartphones and tablets for mobile commerce while still being PCI DSS compliant? I don’t think we have an easy answer to that question yet.

Is having both mobile commerce and PCI DSS compliance too much to ask? I don’t think so. But we all will find out soon.

The future of mobile commerce is in the smartphones, tablets and assorted iDevices that merchants and consumers love. These devices are behind the surge of new merchants that have never before taken payment cards. The devices have also attracted a new set of application developers, who may not know secure coding techniques or understand the risks inherent in a payment transaction. I suspect many of these developers think OWASP is a cry for insect repellent.

This future—or is it the present?—poses risks. The mobile devices often exist outside of any enterprise security management. A device’s location changes as regularly as the merchant moves to different locations (that is what mobile commerce is all about) and it links to different networks. And if that is not enough, it is hard to detect tampering or malware on the device.

As a result, it is not possible for a retailer to be PCI DSS compliant when using a personal smart device.

That fact, however, has not stopped many merchants from using these devices, and therein lays our PCI DSS compliance challenge.

MasterCard was the first to recognize that PCI DSS compliance is not possible—downgrading it to a “unique challenge”—when it released its merchant guidance in May. The card brand’s position was that because mobile commerce using a smart device equipped with a card-reading dongle is inevitable and because PCI DSS compliance is not realistic, retailers should do their best to be safe.

Visa followed shortly thereafter with similar guidance.


3 Comments | Read PCI Memo To Mobile Payment App Developers: It’s Up To You

  1. Preston Says:

    As you say, it’s either use m-commerce or be PCI compliant. The lack of PA-DSS validation puts merchants in a real bind, and it can’t last much longer. I think the council risks making itself irrelevant if merchants realize that they’re “damned if you do, damned if you don’t.” The number of merchants taking the risk and using m-commerce platforms speaks either to ignorance, risk blindness, or a calculated decision that the benefits of m-commerce outweigh the risk.

  2. Walt Conway Says:

    Thanks for your comment, Preston. I agree that the lack of PCI DSS compliant options and the lack of PA-DSS validated payment apps is difficult. The merchant community has already made its decision, and Square (and similar devices) has won. The two major card brands have effectively validated the merchant community’s decision to proceed with mobile commerce.

    The good part, though, is that at least the PCI Council has articulated the requirements that developers need to follow to build secure payment apps. I hope these requirements will be built into the next generation of apps. It would have helped if the Council had gone further and told developers that if they followed the guidelines, they could get PA-DSS validated.

    As you point out, one has to wonder whether it is too late: the mobile commerce genie sure seems to be out of the bottle. I wish developers and merchants (and their acquirers) would have had these guidelines two years ago, but wishes are not terribly useful. Taking action like the Council did — however late — is what will improve security.

  3. David King Says:

    I am glad that the Council has finally released guidelines. The challenge with m-commerce is it is a bit of the wild wild west right now. Today, just about any kid can whip up a payment app. The Council has to find a way to reach all of these people. They are not necessarily medium to large businesses that they are used to working with. Many of them are one or two guys slinging code in their basement.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.