M-Commerce
Todd Ablowitz
Yes, the PCI Security Council’s timeout on standards for mobile payments has sown confusion and uncertainty. But that doesn’t mean the industry has to stand still.
The buzz surrounding mobile payments is gaining momentum. The influx of payments software from traditional payments providers and hardware manufacturers, as well as new industry entrants and developers, is spurring a new wave of innovation for the payments industry.
On one hand, this is good news for the industry as acquirers, merchants, and providers can expect to benefit from exciting new technologies that will enter the market. On the other hand, the industry is dealing with an entirely new payment method, and it is blindingly clear that the old rules for ensuring cardholder security and privacy don’t apply to mobile-payments applications and smart phones.
Since the PCI Security Standards Council called a timeout to evaluate the mobile-payments landscape earlier this year, a lack of any compliance mandates regarding security and privacy leaves the industry in a proverbial no man’s land. Unfortunately, that decision is generating confusion at best and potential chaos at worst.
This creates interesting challenges for acquirers, merchants, and providers because a lack of standards isn’t likely to deter mobile-payments applications from flowing into the marketplace. In fact, we will continue to see a wide array of new options. Many will offer methods for addressing security, and some will not.
It’s clear that someone, most likely the PCI Council, needs to take charge. But until that happens, payments-industry players need to take a very close look at the data-protection and security processes they are employing.
Changing Landscape
Recently, there have been highly publicized battles between vendors on issues relating to securing mobile payments. The legacy vendors, those that have been operating within PCI guidelines for years, have seen their share of changes in both policy and enforcement, going back to PCI’s initial Payment Application Data Security Standard (PA-DSS), which governs payment-software security. As technology and mobility evolved, the PCI Council tried to keep up.
However, in 2010, the PCI Council suddenly went dark on the status of smart-phone-based payment applications. The Council eventually acknowledged that it had stopped adding new smart-phone point-of-sale applications to its validated list—regarded by the entire merchant-services sector as the ultimate, authoritative database of PCI-certified products.
Next, the Council acknowledged its own lack of clarity about how smart-phone POS applications should be regarded and said it would re-assess the suitability of PA-DSS to address smart-phone implementations in 2011.
To obscure things even more, the Council has retracted its previous acknowledgement of validated PA-DSS compliant applications by removing smart-phone applications from its validated list. The confusion brought on by these and other actions has done nothing to help merchants and service providers make prudent decisions.
Indeed, it has created an uneven playing field between traditional payment-processing providers and the emerging application developers who are looking to stake out a claim in the promising new land of mobile payments.
It is easy to understand how critical secure payment systems are for consumer confidence and for the security of the U.S. and global payment infrastructure. That awareness is evident among all of the long-established players.
For example, providers like Apriva, VeriFone Systems Inc., and others stand out as leaders when it comes to security and PCI compliance. Imagine the intense security required for each and every transaction, performed billions of times daily, in millions of places around the globe.
The smart-phone POS providers certainly deserve their say, too. The opportunity associated with smart-phone POS solutions has brought a deluge of entrants. While some players are taking the issue of security seriously, others are more likely focused on generating revenue, and may not have the experience or knowledge to provide the security equivalent of the legacy players.
Instead, they talk about how the simplicity of a card swipe is really all there is to mobile payments. Since the PCI Council is not ready to state or enforce mobile-payments security standards, some new players may be operating in the dark with regard to developing a workable and robust security process.
Without an authority to mandate what is secure and what isn’t, these new firms can focus on grabbing market share, while giving short shrift to security.
Enter PCI?
Still, the smart-phone market marches on, and the application market marches even faster, and neither market is going to wait for a security promised land. Merchants, especially younger, tech-savvy types, are adopting smart phones and mobile-payment apps by the hundreds of thousands each month.
With smart phones forecast to outpace feature phones later this year, merchant smart phones will reach a critical mass. This growth means market opportunity, and acquirers can only be expected to respond. And what does PCI have to regulate this boom? For better or worse, the only accepted standard for payments currently available is the legacy PA-DSS.
It is understandable that the PCI Council is concerned about new vulnerabilities that may be endemic in smart phones. But in the end, a smart phone is really a computer, and if the PCI Council can evaluate payment software on PCs, it can certainly evaluate it on a smart phone.
The PCI Council has to act, and do so thoroughly and quickly. Those terms are not at odds with each other. With the mobile-payments market growing and moving forward, the Council has no choice but to get its arms around the security aspects of it and guide future development. These are not unrealistic expectations of the Council.
With the market moving fast and the Council still in evaluation mode, how should responsible parties move forward? There are two strategic paths to take: make an informed decision, and make a secure decision.
Making an informed decision. This means providers, acquirers, and merchants have to take the necessary steps to become educated. First, don’t be a pushover for the marketing. Don’t make decisions based on trade-publication articles, or advertising that promotes particular products or emphasizes an innovative payment application.
Instead, do the homework. Understand the issues regarding the security of the smart phone and the payment apps. Use the Internet to search “payment apps security problems” both on the Web and in the news. There are millions of hits.
Merchants, service providers, and independent sales organizations should contact their merchant acquirer of record and obtain clear instruction regarding card-network requirements, guidelines, and best practices.
Ask about protecting a card and cardholder data, receipts, debit card PIN, and signatures. What about defending against chargebacks? Hard questions to be sure, but they should have clear, concise answers for the wide variety of products offered. Remember, acquirers are responsible for all transactions they sponsor, so they have skin in the game and should help.
Making a secure decision. This means asking the tough questions and demanding the answers that are required. Most merchants and acquirers are not positioned to perform individual technical evaluations on the vast array of smart-phone POS products.
Select products by asking: How has the provider established its credentials in the payments arena? Has the provider consistently demonstrated its technical competence over time? Does the provider have a proven history of secure products and services? What testing has the provider done? Who did the testing? Was it with a known, reputable Qualified Security Assessor?
Did it have white-hat hackers try to crack its application/service? It is important to ask “why?” as a follow-up question. Asking hard questions is not about being ignorant or difficult. It is about looking for weaknesses before someone less reputable does. Is it worth the risk if you don’t?
It’s About Trust
Undoubtedly, it would greatly benefit the industry if the PCI Council would act sooner rather than later. But until that time, every merchant, provider, or acquirer should take things into its own hands and do the homework by properly researching the developer or service provider and its products and services.
If you are an acquirer, making an informed decision is mission-critical. If you are a merchant, your acquirer’s recommendation is paramount.
There is a long-standing culture of security among mobile-payment veterans. When a solution is selected, try to understand everything about it from end to end, and then evaluate it to see whether it meets the highest security standards that mobile-payment veterans live by.
Only with this approach can merchants, acquirers, and providers truly protect their businesses and the trust of their customers.
Todd Ablowitz is president of Double Diamond Group LLC, a payments industry consultancy based in Centennial, Colo. Reach him at todd@doublediamondgroup.com.