The PCI Security Standards Council (PCI SSC), the industry body that develops and administers the payment industry's data security standard (PCI DSS), released its much-anticipated clarification to rules concerning mobile payment acceptance applications. The announcement was intended to give direction to developers and merchants on how the Council will evaluate mobile payment apps in the future under its Payment Applications Data Security Standard (PA DSS).
"We understand there is a growing demand in the marketplace for guidance on how to safely and securely implement mobile payments according to the [PCI] DSS and PA DSS, and we are committed to providing this guidance," said the PCI Council's GM Bob Russo.
Last November the Council issued a statement saying it needed more time to study mobile payment applications before determining if, and how, it would validate those applications under the PA DSS. In February the Council even "delisted" mobile payment apps it had already included on its list of validated applications. Being on the Council's list of validated applications effectively deems an app "secure."
Calling today's statement the end of the "first phase" of the Council's evaluation of mobile payment applications, the Council said it "focused on identifying and clarifying the risks associated with validating mobile payment acceptance applications." The result of this review was the creation of three categories for mobile payments applications. Category 1 covers applications on PIN mobile devices that have already been approved. Category 2 covers applications on devices dedicated to making payment transactions. Applications in these two categories will now be eligible for validation under the PA DSS.
The third category applies to mobile payment acceptance apps for smartphones and other mobile devices used for multiple tasks. Unfortunately for developers of these applications, the Council said that category requires additional review. The results of that review are scheduled for the end of the year.
The issue for some is what effect, if any, the Council's announcement will have on mobile payment applications.
"All they've done is restate their previous position using a lot more words," said Wayne Varga, senior vice president of electronic payment security firm K3DES LLC.
Varga said the announcement at least indicated the PCI Council will consider validating some mobile payment applications in the future, which he said is an improvement from the Council's previous position. However, Varga said he wasn't sure offhand how useful that change would be since few companies use dedicated mobile payment devices.
"Basically what they've done is make it so only those merchants that can afford to create their own (mobile payment) applications will have them," Varga explained.
Varga also warned that the direction the Council seems to be heading may render it irrelevant to the mobile payment application market. He explained the PCI Council only sets standards and has no power to enforce them. Merchants that choose to use mobile payment applications could simply ignore PCI validation. He said if enough merchants choose that path, the PCI Council would have little say in the matter.
As a part of today's announcement, the PCI Council noted that consumer payment methods downloaded to mobile devices, like mobile wallets, are considered the same as a consumer's credit card or physical wallet and are not within the Council's purview.