PCI Mobile Payment Guidelines To Not Appear Before April, And Probably Much Later

Written by Evan Schuman
June 14th, 2011

The PCI Security Standards Council’s much-anticipated rules on mobile-payment issues won’t happen before April of next year and will probably happen much later, according to a key member of the Council’s board of advisors. Given the pace of mobile-payment deployments and trials, this timetable forces retailers to move into this crucial area without standardized guidance—and virtually guarantees a lot of expensive changes in a year, when the rules finally materialize.

As of Friday (June 10), the Council had not even created the mobile-payment special interest group, which will push back the release of a mobile-payment specification by at least 10 months, said Christian Janoff, a retail enterprise architect with Cisco who sits on the Council’s board of advisors. “It takes a while for these standards bodies” to make these types of recommendations, Janoff said.

Even if the 10-month estimate is correct—and it certainly sounds reasonable—that’s the earliest point at which the guidelines could be released. It will still be many months after that before they become the law of payment, and potentially more months after that before compliant applications are available, not to mention compliance for carriers, handsets, chips, readers and all the other elements of the still-barely-defined mobile-payment infrastructure.

Janoff’s Cisco colleague, Lindsay Parker (the vendor’s global retail industry director), agreed and termed the effort to create these guidelines “Herculean.” Asked what retailers should do while waiting for the guidance, she said there’s little choice. Retailers always have to look at PCI rules and data-protection processes as accomplishing two parallel objectives: being secure and being standards-compliant.

For compliance, merchants will simply have “to be compliant with what we know” and focus all efforts on simply being secure, Parker said.

This information is actually good news for retail IT for two reasons. By ruling out the possibility that mobile-payment rules are imminent and by offering a “no sooner than” timetable, it frees retailers to pursue various mobile-payment schemes without worrying about immediate change demands.

The second reason this is good news is pragmatic. Although knowing what the industry standards are is helpful at any point, it’s essential to know before undertaking a full-scale deployment. For small trials, it’s much less critical. As a practical matter, the next year will overwhelmingly be focused on exactly those types of small, focused trials. The absence of standards will actually give IT chiefs free rein to pursue any efforts for evaluation.

That said, there are also some serious drawbacks to this type of delay. In any young market, industry standards can help retailers choose which vendors to work with on trials, confident that the final result will be within industry expectations.

Second, if a trial (or, worse, a limited deployment) goes well and a chain starts to make development, programming and training investments, and then the word comes down that a very different technology approach gets the endorsement, that could hurt in two ways. First, there is the expensive pain of tearing things down and starting all over again.

The other problem, though, is more insidious. If enough retailers have progressed far enough by the time the guidance is released, it could create anger, resistance and resentment, which might undermine compliance. That’s especially bad, because if any IT area truly needed strong security rules, it’s mobile payment.

Come to think of it, there’s yet one more good thing about this timetable. It will provide more time for real-world feedback from those initial trials before the guidelines are released. If there’s anything certain in mobile payment, it’s that these systems will never work as predicted and consumers will never interact with them as predicted. It would certainly be nicer if the specs were available now. But if they have to be delayed, it’s good that there will at least be a few silver magstripe linings.
