Visa Joins MasterCard In Relegating PCI To An Afterthought
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Visa recently updated its Security Best Practices for Mobile Payments, and it is interesting to observe how it mirrors key elements of the guidance issued earlier by MasterCard. The good news is that it sends smaller retailers a consistent message on how best to take cards using their smartphones, tablets or personal digital assistants (PDAs). The less good news—at least from a QSA’s perspective—is that Visa seems to have joined MasterCard in relegating PCI compliance to an afterthought.
Actually, come to think of it, the card brands are recognizing the reality that the retail industry is moving forward with mobile payments whether the chosen solution is PCI compliant or not.
Visa neatly divides its best practices into separate sections for application vendors, merchants and what it calls Payment Solution Providers (PSPs). A PSP is the same as MasterCard’s Payment Facilitator: an entity that has a merchant agreement of its own and, essentially, resells card processing to small merchants. These small merchants then do not need their own acquiring relationship.
The three-part model for mobile payments is also the same. There is a smartphone or tablet presumably already owned by merchant. The merchant installs a payment application and attaches a hardware device for reading the card’s magnetic stripe (or EMV chip when that becomes available) to complete the setup.
Visa’s best practice recommendations for merchants are neatly summarized in just over one page. Specifically, merchants should use the payment application only as intended, limit device access to employees who need to use it, tell their acquirer if the device is lost or stolen and avoid installing any games or malware on the device.
As a QSA, what I find interesting, and maybe a little disappointing, is the lack of clear support for PCI compliance. About the only mention of PCI in the entire document is the recommendation that the payment solution “should also adhere to the principles set out” in both PCI DSS and PA-DSS. Somehow, the recommendation to “adhere to the principles” of PCI doesn’t sound like a ringing endorsement of the standard.
It is that use of “should,” when referring to security and PCI, and “must”—sometimes in bold and underlined—when referring to Visa’s own Operating Regulations, that disappoints me a little.
The PCI standard and the PCI Council are creations of the card brands, and now we see the two largest brands each appearing to soft-pedal PCI compliance. I do not know if that is the message the brands intended, but it is a message that comes through.
I believe the PCI Council is on the right track with its point-to-point encryption (P2PE) approach. Its recommendation is straightforward, and the merchant’s smartphone or tablet never sees or stores clear-text cardholder data. Furthermore, the Council’s approach reflects the reality that the local barista, handyman, food truck vendor or taxi driver has no interest in or ability to assess the security of the mobile payment application. They just want to take plastic and get paid.
All of which leaves me with most of the questions I asked in the previous column unanswered. I am sure this situation will come up during the PCI Council’s annual Community Meeting. The apparent conflict between the card brands’ and the PCI Council’s advice should stimulate some interesting discussion.
Meanwhile, I’d like to hear some stimulating discussion from you. What do you think? Does it look to you like PCI is being pushed to the backseat, or am I too close to the situation? Do larger retailers feel that smaller competitors are being given a free pass on PCI compliance? I’d like to hear your thoughts. Either leave a comment or E-mail me.
-Marc
June 28th, 2012 at 6:33 am
like fire codes in your community, the rules come after walking through a couple of deadly fires and seeing reasons to have rules. After the first major breach that is unique to a mobile payment scheme – we will see attention from the brands.
June 28th, 2012 at 2:19 pm
Agreed with the other poster. Very much a reactive system. Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way. Heck, even the DNC is out there in force using these device to get contributions for the presidential campaign. How many billions… yes as in “B” are being run through that type of setup with complete disregard to compliance? It’s like tax cheats… when u see all your neighbors doing it, you start to wonder why you are following the rules.
If the council comes out with redefining scope the way our auditor is telling us is likely to happen… get ready for a closed-loop system unless of course you implement P2PE, which I might add a major EFT device vendor (cough cough Verifone) has told us that it is a complete mess. Nobody can access the device outside of the managed vendor… say goodbye to loyalty card swipe, advertising and other things on that device unless you want to push all those solutions to a single vendor, which I might add is not in the business of doing those functions.
Overall the council needs to get it’s act together. Major QA firms having completely different standards for anything or nothing being out of scope… lots of issues in this space.
June 28th, 2012 at 8:09 pm
Steve, Cory,
Thanks for the comments (and thanks, too, to those of you who emailed me). You point out the apparent inconsistency with which the brands view mobile for mid-size and large retailers, versus what they allow smaller merchants to get away with (in a PCI and risk sense, anyway).
Will it take a major breach to apply the standards uniformly? I really hope not. But how else can one reconcile the evidence of increased card fraud at small businesses (Verizon Data Breach Report) with easing PCI compliance requirements for some of these same merchants. Or, to put it on a more personal level (as one client of mine did), the brands have thrown her/him into the “no” business. They need to be PCI compliant, so the Security team has to say “no” when their business divisions want to use these devices. Not a lot of fun for them (or their QSA).
I repeat my forecast for an exciting PCI Community Meeting in a couple of months.
June 28th, 2012 at 9:03 pm
“Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way.”
Most of those ‘dang devices’ do utilise P2PE in-hardware which still remains absent from the bulk of traditional POS terminals around the world.
I’d actually be happier swiping my card through one of those, given they’ve been designed ground-up with the view that the smartphone it’s being used on is an insecure environment, than in a traditional POS or integrated environment which is anyone’s guess.
June 29th, 2012 at 7:16 pm
Gavin,
Thanks for your comment, but I’m not so sure I share your sentiment.
For example, I disagree as to whether *any* of the devices uses “P2PE in-hardware.” P2PE is just rolling out, and there are precisely zero approved devices. What’s more, some of the dongles in their original version did not even encrypt the mag stripe data.
We have similar issues with the payment apps themselves (none of which is PA-DSS validated). As for the underlying operating systems, I don’t think anyone knows what they do with the data passing through them. Do they retain the data? Are the data cached somewhere?
The only reason I might agree with your sentiment about being “happier swiping my card through one of those” devices is the fact that as a cardholder (in the US, anyway), I am protected against fraud losses so long as I use a credit card. I may be inconvenienced if it is compromised, but the risk (thank you, Reg W) is all on the issuing financial institution.
Following that thought: if the risk is on the issuing financial institution, and these same issuers are what make up Visa and MasterCard, can someone explain to me why the brands are cutting so much PCI slack on these mobile devices? It seems to be transferring risk back to the issuers from small merchants.
Great discussion, readers! Thanks, and keep the comments coming.