Visa Joins MasterCard In Relegating PCI To An Afterthought

Written by Walter Conway
June 27th, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Visa recently updated its Security Best Practices for Mobile Payments, and it is interesting to observe how it mirrors key elements of the guidance issued earlier by MasterCard. The good news is that it sends smaller retailers a consistent message on how best to take cards using their smartphones, tablets or personal digital assistants (PDAs). The less good news—at least from a QSA’s perspective—is that Visa seems to have joined MasterCard in relegating PCI compliance to an afterthought.

Actually, come to think of it, the card brands are recognizing the reality that the retail industry is moving forward with mobile payments whether the chosen solution is PCI compliant or not.

Visa neatly divides its best practices into separate sections for application vendors, merchants and what it calls Payment Solution Providers (PSPs). A PSP is the same as MasterCard’s Payment Facilitator: an entity that has a merchant agreement of its own and, essentially, resells card processing to small merchants. These small merchants then do not need their own acquiring relationship.

The three-part model for mobile payments is also the same. There is a smartphone or tablet presumably already owned by the merchant. The merchant installs a payment application and attaches a hardware device for reading the card’s magnetic stripe (or EMV chip when that becomes available) to complete the setup.

Visa’s best practice recommendations for merchants are neatly summarized in just over one page. Specifically, merchants should use the payment application only as intended, limit device access to employees who need to use it, tell their acquirer if the device is lost or stolen and avoid installing any games or malware on the device.

As a QSA, what I find interesting, and maybe a little disappointing, is the lack of clear support for PCI compliance. About the only mention of PCI in the entire document is the recommendation that the payment solution “should also adhere to the principles set out” in both PCI DSS and PA-DSS. Somehow, the recommendation to “adhere to the principles” of PCI doesn’t sound like a ringing endorsement of the standard.

It is that use of “should,” when referring to security and PCI, and “must”—sometimes in bold and underlined—when referring to Visa’s own Operating Regulations, that disappoints me a little.

The PCI standard and the PCI Council are creations of the card brands, and now we see the two largest brands each appearing to soft-pedal PCI compliance. I do not know if that is the message the brands intended, but it is a message that comes through.

I believe the PCI Council is on the right track with its point-to-point encryption (P2PE) approach. Its recommendation is straightforward, and the merchant’s smartphone or tablet never sees or stores clear-text cardholder data. Furthermore, the Council’s approach reflects the reality that the local barista, handyman, food truck vendor or taxi driver has no interest in or ability to assess the security of the mobile payment application. They just want to take plastic and get paid.

All of which leaves me with most of the questions I asked in the previous column unanswered. I am sure this situation will come up during the PCI Council’s annual Community Meeting. The apparent conflict between the card brands’ and the PCI Council’s advice should stimulate some interesting discussion.

Meanwhile, I’d like to hear some stimulating discussion from you. What do you think? Does it look to you like PCI is being pushed to the backseat, or am I too close to the situation? Do larger retailers feel that smaller competitors are being given a free pass on PCI compliance? I’d like to hear your thoughts. Either leave a comment or E-mail me.


5 Comments

  1. Steve Says:

    Like fire codes in your community, the rules come after walking through a couple of deadly fires and seeing reasons to have rules. After the first major breach that is unique to a mobile payment scheme – we will see attention from the brands.

  2. Cory Says:

    Agreed with the other poster. Very much a reactive system. Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way. Heck, even the DNC is out there in force using these devices to get contributions for the presidential campaign. How many billions… yes as in “B” are being run through that type of setup with complete disregard to compliance? It’s like tax cheats… when you see all your neighbors doing it, you start to wonder why you are following the rules.

    If the council comes out with redefining scope the way our auditor is telling us is likely to happen… get ready for a closed-loop system unless of course you implement P2PE, which, I might add, a major EFT device vendor (cough cough Verifone) has told us is a complete mess. Nobody can access the device outside of the managed vendor… say goodbye to loyalty card swipe, advertising and other things on that device unless you want to push all those solutions to a single vendor, which I might add is not in the business of doing those functions.

    Overall the council needs to get its act together. Major QA firms having completely different standards for anything or nothing being out of scope… lots of issues in this space.

  3. Walt Conway Says:

    Steve, Cory,

    Thanks for the comments (and thanks, too, to those of you who emailed me). You point out the apparent inconsistency with which the brands view mobile for mid-size and large retailers, versus what they allow smaller merchants to get away with (in a PCI and risk sense, anyway).

    Will it take a major breach to apply the standards uniformly? I really hope not. But how else can one reconcile the evidence of increased card fraud at small businesses (Verizon Data Breach Report) with easing PCI compliance requirements for some of these same merchants? Or, to put it on a more personal level (as one client of mine did), the brands have thrown her/him into the “no” business. They need to be PCI compliant, so the Security team has to say “no” when their business divisions want to use these devices. Not a lot of fun for them (or their QSA).

    I repeat my forecast for an exciting PCI Community Meeting in a couple of months.

  4. Gavin P Says:

    “Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way.”

    Most of those ‘dang devices’ do utilise P2PE in-hardware which still remains absent from the bulk of traditional POS terminals around the world.

    I’d actually be happier swiping my card through one of those, given they’ve been designed ground-up with the view that the smartphone it’s being used on is an insecure environment, than in a traditional POS or integrated environment which is anyone’s guess.

  5. Walt Conway Says:
    Thanks for your comment, but I’m not so sure I share your sentiment.

    For example, I disagree as to whether *any* of the devices uses “P2PE in-hardware.” P2PE is just rolling out, and there are precisely zero approved devices. What’s more, some of the dongles in their original version did not even encrypt the mag stripe data.

    We have similar issues with the payment apps themselves (none of which is PA-DSS validated). As for the underlying operating systems, I don’t think anyone knows what they do with the data passing through them. Do they retain the data? Are the data cached somewhere?

    The only reason I might agree with your sentiment about being “happier swiping my card through one of those” devices is the fact that as a cardholder (in the US, anyway), I am protected against fraud losses so long as I use a credit card. I may be inconvenienced if it is compromised, but the risk (thank you, Reg W) is all on the issuing financial institution.

    Following that thought: if the risk is on the issuing financial institution, and these same issuers are what make up Visa and MasterCard, can someone explain to me why the brands are cutting so much PCI slack on these mobile devices? It seems to be transferring risk back to the issuers from small merchants.

    Great discussion, readers! Thanks, and keep the comments coming.

