This is page 2 of:
PCI Memo To Mobile Payment App Developers: It’s Up To You
Although the card brands’ guidance focused on retailers, neither focused on telling developers all the things they need to do to develop secure applications. The PCI Council has stepped into that void by providing some guidelines for developers. The hope is that secure payment applications will be able to compensate for the inherent insecurity of the mobile devices themselves.
The Council’s guidance is aimed straight at solution developers. Its stated purpose is to “educate stakeholders responsible for the architecture, design and development of mobile apps and their associated environment within a mobile device that merchants might use for payment acceptance.” To its credit, the Council does not overpromise, either: “No assumption should be made that meeting the guidelines and recommendations expressed in this document would cause a solution to be compliant with PA-DSS.”
The PCI Council offers guidance for transaction controls to prevent the three main risks associated with mobile payments: intercepting the card data when it is entered into the mobile device; compromising the account data while it is being processed or stored; and intercepting the data when it is transmitted. The guidance then proceeds to offer 15 security requirements that address environment controls for the mobile device and the payment application. These requirements include preventing unauthorized access (you need more than a just a “slide” to access the device), disabling the device remotely if it is lost or stolen, supporting only online transactions (no offline mode of operation), and authenticating attachments and applications (bye-bye Angry Birds, but will inventory checking be allowed?).
The next step is up to the mobile-application developers. One difficulty will be getting the word out to these developers. For example, does the PCI Council know how to reach them? I heard one story of a merchant meeting with his payment-application developers in a Chinese restaurant. That restaurant was their “office.” Getting the word out to this developer community will involve more than posting a document on the Council’s Web site.
Assuming the Council gets the word out successfully and the developers actually read the PCI Mobile Payment Acceptance Security Guidelines document, will those developers actually build secure mobile-payment applications? Without a guarantee of PA-DSS validation, will developers change their habits? If they do, will retailers be willing to pay for the secure applications? With the major card brands appearing to give retailers a pass on PCI DSS compliance, where is the incentive for a retailer to pay more for a secure payment application?
You have heard some of my questions, but I would like to hear what your questions are. Either leave a comment or E-mail me.
-Marc
September 20th, 2012 at 8:01 am
As you say, it’s either use m-commerce or be PCI compliant. The lack of PA-DSS validation puts merchants in a real bind, and it can’t last much longer. I think the council risks making itself irrelevant if merchants realize that they’re “damned if you do, damned if you don’t.” The number of merchants taking the risk and using m-commerce platforms speaks either to ignorance, risk blindness, or a calculated decision that the benefits of m-commerce outweigh the risk.
September 20th, 2012 at 1:29 pm
Thanks for your comment, Preston. I agree that the lack of PCI DSS compliant options and the lack of PA-DSS validated payment apps is difficult. The merchant community has already made its decision, and Square (and similar devices) has won. The two major card brands have effectively validated the merchant community’s decision to proceed with mobile commerce.
The good part, though, is that at least the PCI Council has articulated the requirements that developers need to follow to build secure payment apps. I hope these requirements will be built into the next generation of apps. It would have helped if the Council had gone further and told developers that if they followed the guidelines, they could get PA-DSS validated.
As you point out, one has to wonder whether it is too late: the mobile commerce genie sure seems to be out of the bottle. I wish developers and merchants (and their acquirers) would have had these guidelines two years ago, but wishes are not terribly useful. Taking action like the Council did — however late — is what will improve security.
September 22nd, 2012 at 10:37 am
I am glad that the Council has finally released guidelines. The challenge with m-commerce is it is a bit of the wild wild west right now. Today, just about any kid can whip up a payment app. The Council has to find a way to reach all of these people. They are not necessarily medium to large businesses that they are used to working with. Many of them are one or two guys slinging code in their basement.