PCI Council says mobile payment apps can meet security standard

Guidance can help merchants, tool vendors move on; no ruling yet on apps that run on popular consumer devices

The PCI Security Standards Council has released its long-awaited guidance on how mobile payment acceptance applications can meet PCI standards .

The council today listed the types of mobile applications now measured by the security standards, and which types require further review.

The new document, dubbed Which Applications Are Eligible for PA-DSS Validation? A Guiding Checklist ( Download PDF ), is designed to let merchants know whether the mobile payment applications they are using could meet today's PCI specifications.

The document separates mobile payment applications into three separate categories.

The first two categories -- applications that operate on mobile devices already approved for use by the council and apps designed to run on purpose-built, dedicated mobile payment devices -- can meet current PCI security standards, the council said.

The third category, payment applications running on popular consumer mobile devices such as smartphones, tablets and PDAs, face further review to determine whether they can be eligible for PCI status, said Bob Russo, general manager of the PCI Security Standards Council.

"Mobile is coming out at Mach 5 with its hair on fire," Russo reasoned. "Unfortunately there are no standards around any of this stuff."

While many merchants are anxious to use mobile payment applications, the speed at which the technology is evolving makes it difficult to establish standards, he said. He compared the situation to the release of drugs that "the FDA has not had a chance to test and approve. You got to be very careful," Russo said.

The Payment Card Industry rules require that all hardware and software technologies used to accept, process, and transmit debit and credit card transactions meet a set of prescribed security controls.

Merchants that use payment applications that have not been formally certified as meeting Payment Applications Data Security Standards (PA-DSS) standards are deemed to be non-compliant.

Today's announcement marks the first time the PCI council has said that mobile payment applications can be eligible to meet its standards requirements.

The council had previously maintained that it had to conduct a lengthy review of mobile communications devices and payment applications before making a decision on whether the emerging technologies could meet its standards.

Jim Huguelet, an independent PCI analyst based in Bolingbrook, Ill., noted that because the PCI decision is incomplete, developers of mobile payment applications for consumer devices and the merchants who use them have been left in a "very tenuous position."

Today's update from the PCI council "will indeed help some vendors and merchants now - as opposed to waiting until later this year when comprehensive guidance on mobile becomes available," he added.

He did note that the council's continued silence on whether payment applications can safely be used on consumer devices is disappointing, he said. "For all intents and purposes, the area where the vast majority of interest lies must wait until later this year for guidance," he said.

The incomplete announcement, he noted, raises interesting questions, such as: "Are they trying to say that applications like Google Wallet are not within the scope of PCI?," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags telecommunicationconsumer electronicsMobile and WirelesssecuritysmartphonesPhonesmobilePCI Security Standards Council

More about GoogleTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts