Mobile payments, PCI DSS compliance: Some clarity

Mobile payments technology is a loud sonic boom thundering through the payments industry. But are all -- or any -- of these payment schemes compliant with the Payment Card Industry Data Security Standard (PCI DSS)?

For many mobile options, the PCI Security Standards Council says the industry is going to have to wait longer -- a whole lot longer -- to find out.

"We understand there is a growing demand in the marketplace for guidance on how to safely and securely implement mobile payments according to the requirements of the DSS and PA-DSS, and we are committed to providing this guidance," said Bob Russo, general manager, PCI Security Standards, in a statement. "Today's update helps clarify how we will be evaluating all payment applications in the future."


The future, according to the council, will arrive by the end of this year -- at the soonest. What the council did recently provide is a document that separates the payment applications that are easier to validate against PCI DSS from those that are harder, in several categories:

  • Mobile Payment Acceptance Application Category 1 -- Payment application operates only on a PTS-approved mobile device
  • Mobile Payment Acceptance Application Category 2 -- Payment application meets all of the following criteria:
    1. Payment application is only provided as a complete solution -- bundled with a specific mobile device by the vendor;
    2. Underlying mobile device is purpose built (by design or by constraint) with a single function of performing payment acceptance; and
    3. Payment application, when installed on the bundled mobile device [as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application's Report on Validation (ROV)], provides an environment which allows the merchant to meet and maintain PCI DSS compliance
  • Mobile Payment Acceptance Application Category 3 -- Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing

The first two categories are for applications that run on devices already approved for PCI DSS as well as those that run on point-solution payment devices. These categories can be evaluated against current standards. The problem now is in the payment systems that run on standard mobile devices -- smart phones, tablets, and who-knows-what-else. These programs will need to be reviewed further for potential PCI DSS compliance.


Industry analyst reaction to the announcement is mixed.

"The dedicated devices are easy to certify," says Avivah Litan, an analyst who covers financial fraud, authentication, and fraud detection. "There's a lot you can argue is wrong with PCI, but I give them credit for not rushing this. There are a lot of different mobile devices, and each is very different, and they need to look carefully at each platform."

"The council dug themselves into a hole with the level of detail and security prescriptiveness that they provide," says Pete Lindstrom, research director at Spire Security. "This means instead of the industry making risk-based judgments about a payment platform, we have to wait for very detailed examination. It's time consuming and lagging."

George V. Hulme writes about security and technology from his home in Minneapolis. He never buys anything, so he's not very concerned about mobile payment technology himself. He can, however, be found on Twitter as @georgevhulme.
