Those hoping for mobile payments PCI compliance answers will have to wait a bit longer, the security council says.

Mobile payments technology is a loud sonic boom thundering through the payments industry. But are all — or any — of these payment schemes compliant with the Payment Card Industry Data Security Standard (PCI DSS)? For many mobile options, the PCI Security Standards Council says the industry is going to have to wait longer — a whole lot longer — to find out.

“We understand there is a growing demand in the marketplace for guidance on how to safely and securely implement mobile payments according to the requirements of the DSS and PA-DSS, and we are committed to providing this guidance,” said Bob Russo, general manager of the PCI Security Standards Council, in a statement. “Today’s update helps clarify how we will be evaluating all payment applications in the future.”

The future, according to the council, will arrive by the end of this year at the soonest. What the council did recently provide is a document that sorts mobile payment acceptance applications into three categories, separating those that are straightforward to validate from those that are not:

Mobile Payment Acceptance Application Category 1 — Payment application operates only on a PTS-approved mobile device.

Mobile Payment Acceptance Application Category 2 — Payment application meets all of the following criteria:
1. Payment application is only provided as a complete solution, bundled with a specific mobile device by the vendor;
2. Underlying mobile device is purpose built (by design or by constraint) with a single function of performing payment acceptance; and
3. Payment application, when installed on the bundled mobile device [as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application’s Report on Validation (ROV)], provides an environment which allows the merchant to meet and maintain PCI DSS compliance.

Mobile Payment Acceptance Application Category 3 — Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing.

The first two categories cover applications that run on PTS-approved devices and those that run on purpose-built, single-function payment devices; both can be assessed against the current standards. The problem is the third category: payment applications that run on general-purpose consumer devices (smart phones, tablets, and who-knows-what-else) that are not dedicated to payment acceptance. These applications will need further review before the council can say how, or whether, they can be validated for PCI DSS compliance.

Industry analyst reaction to the announcement is mixed.

“The dedicated devices are easy to certify,” says Avivah Litan, an analyst who covers financial fraud, authentication, and fraud detection. “There’s a lot you can argue is wrong with PCI, but I give them credit for not rushing this. There are a lot of different mobile devices, and each is very different, and they need to look carefully at each platform.”

“The council dug themselves into a hole with the level of detail and security prescriptiveness that they provide,” says Pete Lindstrom, research director at Spire Security. “This means instead of the industry making risk-based judgments about a payment platform, we have to wait for very detailed examination. It’s time consuming and lagging.”

George V. Hulme writes about security and technology from his home in Minneapolis. He never buys anything, so he’s not very concerned about mobile payment technology himself.
He can, however, be found on Twitter as @georgevhulme.