PCI issues new guidance for mobile payment apps

The PCI Security Standards Council (PCI SSC), the industry body that develops and administers the payment industry's data security standard (PCI DSS), released its much-anticipated clarification to rules concerning mobile payment acceptance applications. The announcement was intended to give direction to developers and merchants on how the Council will evaluate mobile payment apps in the future under its Payment Applications Data Security Standard (PA DSS).

"We understand there is a growing demand in the marketplace for guidance on how to safely and securely implement mobile payments according to the [PCI] DSS and PA DSS, and we are committed to providing this guidance," said the PCI Council's GM Bob Russo.

Last November the Council issued a statement saying it needed more time to study mobile payment applications before determining if, and how, it would validate those applications under the PA DSS. In February the Council even "delisted" mobile payment apps it had already included on its list of validated applications. Being on the Council's list of validated applications effectively deems an app "secure."

Calling today's statement the end of the "first phase" of the Council's evaluation of mobile payment applications, the Council said it "focused on identifying and clarifying the risks associated with validating mobile payment acceptance applications." The result of this review was the creation of three categories for mobile payment applications. Category 1 covers applications on PIN mobile devices that have already been approved. Category 2 covers applications on devices dedicated to making payment transactions. Applications in these two categories will now be eligible for validation under the PA DSS.

The third category applies to mobile payment acceptance apps for smartphones and other mobile devices used for multiple tasks. Unfortunately for developers of these applications, the Council said that category requires additional review. The results of that review are scheduled for the end of the year.

The issue for some is what effect, if any, the Council's announcement will have on mobile payment applications.

"All they've done is restate their previous position using a lot more words," said Wayne Varga, senior vice president of electronic payment security firm K3DES LLC.

Varga said the announcement at least indicated the PCI Council will consider validating some mobile payment applications in the future, which he said is an improvement from the Council's previous position. However, Varga said he wasn't sure offhand how useful that change would be since few companies use dedicated mobile payment devices.

"Basically what they've done is make it so only those merchants that can afford to create their own (mobile payment) applications will have them," Varga explained.

Varga also warned that the direction the Council seems to be heading may render it irrelevant to the mobile payment application market. He explained the PCI Council only sets standards and has no power to enforce them. Merchants that choose to use mobile payment applications could simply ignore PCI validation. He said if enough merchants choose that path, the PCI Council would have little say in the matter.

As a part of today's announcement, the PCI Council noted that consumer payment methods downloaded to mobile devices, like mobile wallets, are considered the same as a consumer's credit card or physical wallet and are not within the Council's purview.

User Comments – Give us your opinion!
  • Nick Reuter
    It's seriously about time. Glad to see they are finally releasing these standards and look forward to getting through this compliance so there are no concerns. Hopefully this also helps alleviate some public concern on the security of mopay apps.