Thursday, April 18, 2024

PA-DSS ‘Guidance’ for Mobile Apps Likely to Come This Year, PCI Council Says

A freeze on approvals of mobile applications for card acceptance by merchants, announced in November by the PCI Security Standards Council (PCI SSC), will likely be lifted some time before the end of the year. Top officials with the Wakefield, Mass.-based organization tell Digital Transactions News the Council is working on what it calls a “technology evaluation” to craft new validation procedures that more clearly suit the software used by mobile merchants. “There will certainly be guidance you can bank on in 2011,” says Bob Russo, the Council’s general manager. “We’re still in the early stages of one of the more comprehensive evaluations of technology that we’ve had in our five-year history.”

The Council’s freeze comes as the nascent market for mobile payments is developing rapidly and developers are rushing to meet demand from businesses that want to process card transactions on smart phones. Vendors like Intuit Inc., VeriFone Systems Inc., and startup Square Inc., along with a slew of others, have launched applications and hardware to let on-the-go merchants use their handsets to accept card payments from customers. “We understand the appetite in the market,” says Russo. “[Merchants] want to be using these things.”

Troy Leach, chief standards architect for the Council, says the organization will have a better idea of progress on the new procedures by the end of March. “At the end of the first quarter we’ll evaluate progress so far,” he says. At the same time, he cautions, there’s a risk in rushing the process, since the Council is looking at testing criteria and other fundamental controls. “We recognize there’s a market demand, but [we’re asking], What is the diligent way to evaluate [these products] in a smart and efficient way so we’re not creating security requirements that are valid today and obsolete tomorrow?” he says.

Currently, card-acceptance software is evaluated for information security under a set of PCI-related rules known as the Payment Application data-security standard (PA-DSS). Security assessors, which evaluate software on behalf of developers, have been submitting an increasing number of mobile-merchant applications to the Council for its imprimatur. But these submissions often can’t meet PA-DSS requirements because the rules were written for software that runs on fixed, wired point-of-sale terminals at in-store locations, say Russo and Leach. That leaves some requirements as “not applicable,” they say. “That became one of the red flags for us,” says Leach, regarding the applicability of the PA-DSS to mobile applications. “We’re trying to put a square peg in a round hole.”

Among the Council’s concerns are issues surrounding keylogging by mobile devices, protection of data in the device and between the device and connected card-swipe hardware, and transaction authentication, says Leach.

The Council, which manages the Payment Card Industry data-security standard (PCI) and related data-security rules, announced in a statement dated Nov. 29 it would not approve mobile-merchant applications submitted by security assessors on behalf of clients. But Leach and Russo say the statement simply made official a policy the Council had been following anyway. “We were constantly rejecting applications [for approval] long before this,” says Leach.

A survey of software applications approved by the Council, listed on the Council’s Web site, shows a number of mobile-payment applications that had been approved under a set of guidelines called the Payment Application Best Practices (PABP), a predecessor to the PA-DSS. There are also some applications, including one from VeriFone, that have been approved under PA-DSS. “There were mobile-payments applications approved under PA-DSS before the growth of this new mobile-payments market necessitated a review of PCI SSC criteria and processes for examining the security of these applications,” says a spokesperson for the Council.

While the Council’s freeze has been a topic of discussion among payment-software vendors and gateways, it is less well-known in the merchant community, says Robert Vamosi, an analyst at Pleasanton, Calif.-based Javelin Strategy & Research who follows payment-data security topics.

And even among security experts, opinion on the Council’s decision to stop approving mobile-merchant apps is not uniformly favorable. Unless there have been unreported breaches, “it’s a knee-jerk reaction,” says Branden R. Williams, director of security consulting for the security practice of RSA, a unit of EMC Corp. If the Council takes all or most of the year to work out its new PA-DSS procedures for mobile apps, it runs the risk of being disregarded by some developers eager to serve market demand, says Williams. “If it’s all year and they haven’t figured this out, that reduces their relevance,” he says.
