May. 16, 2011
Long-awaited guidelines from the PCI Security Standards Council about just what constitutes secure mobile-payments software are coming soon, promises Council general manager Robert Russo. “Look for guidance in the next couple of weeks,” Russo said in a session at last week’s Electronic Transactions Association’s annual meeting in San Diego.
Boosted by mobile-payment applications, the number of software programs up for Council review is sprouting almost as fast as 13-year cicadas in Missouri. “Now that mobile is out there, we’re getting hundreds every month,” Russo said.
The Wakefield, Mass.-based Council administers the Payment Card Industry data-security standard (PCI) and several related standards, including the Payment Application data-security standard (PA-DSS). The Council approves applications as meeting PA-DSS requirements, but has come under criticism for freezing approvals on applications specifically for mobile payments. The Council’s position has been that the mobile niche and its apps are too new for it to pass judgment before taking a thorough look at the security issues. In freezing approvals last November, the Council said approvals would start some time in 2011, but didn’t say when.
The payments industry is rapidly changing not only because mobile devices are beginning to stand in for cards and even checks, but also because of new security technologies. Accordingly, the Council is working on guidelines not only for mobile, but also for several other areas. They include encryption, tokenization, wireless security, and virtualization. The Council recently released security guidelines for Europay-MasterCard-Visa (EMV) chip cards, guidelines it developed with EMVCo, an organization that oversees the chip card’s technology.
Also under development is a simpler way for merchants to determine just what path to PCI compliance they should follow as they seek validation from so-called Qualified Security Assessors (QSAs) that their payment-processing systems are secure. Merchants start the process by filling out one of five so-called Self-Assessment Questionnaires (SAQs). Which one they use depends on their business and the payment-processing and data-transmission systems they employ.
Merchants, especially small ones, have long complained that the SAQs are confusing. Some QSA firms offer simpler ways for starting the process, but the Council itself hasn’t offered one. The details have yet to be worked out, but the Council is considering some type of common, online form that would route merchants to the correct form depending on the information they input, according to Russo. “We understand the need here,” he said. The Council’s programmers are working on the online form, and Russo said it hasn’t come out earlier because “it’s a resource issue.”
Meanwhile, the Council is planning to publish on the Web the feedback it receives in the run-up to the next revision of PCI. The Council released version 2.0 of the standard last October and will update it on a three-year cycle instead of the former two-year cycle. In contrast to previous revisions, the Council plans to publish online the comments it receives from PCI stakeholders--card issuers, merchant acquirers, merchants, vendors and others. The feedback period about how version 2.0 is working starts in November. Russo expects the number of comments to run into the “thousands of pages.”