The PCI Security Standards Council on Friday released its first guidelines on mobile-acceptance applications since announcing in November that it had stopped reviewing such products. The Wakefield, Mass.-based Council, which manages the Payment Card Industry data-security standard (PCI), also said it hopes to start forming a broad group of mobile-payments experts next month to help formulate further rules for acceptance apps.
The new policy touches on which mobile-acceptance apps can be evaluated under the Payment Application data-security standard (PA-DSS), a set of PCI-related security rules that apply to payment software. Software certified under PA-DSS is considered helpful to merchants in achieving compliance with PCI.
While the Council said certain apps can now be considered for validation under PA-DSS, it continued to bar programs written for consumer handsets, such as smart phones. It said it will not review such apps until it has developed further guidance, which it said will be done by the end of the year. “The Council’s guidance should be an indication that there is some uneasiness” about these products, says Branden R. Williams, director of security consulting for the security practice of RSA, a unit of EMC Corp.
Products that can now be considered include: those that work only on mobile devices that are approved under the Council’s PIN Transaction Security requirements, which govern devices with PIN-entry capability; and those included as part of a dedicated system that can be used only for payments. An example of the latter is a tablet computer a sales associate might use to check out customers. The device, says Bob Russo, the Council’s general manager, must be “totally locked down,” and thus incapable of running other applications. “You can’t add ‘Angry Birds’ to the cash register, so to speak,” adds Troy Leach, the Council’s chief standards architect.
The new guidelines come as mobile apps to allow merchants and even individuals to accept card transactions continue to flourish, a marketplace reality Council officials say they’re fully aware of. “We recognize this is a big, big area,” says Russo. “People are rushing headlong to get into it.” Entrants in this market range from startups like Square Inc. and Inner Fence LLC to established players such as VeriFone Systems Inc. and Intuit Inc.
But security concerns led the Council to suspend PA-DSS reviews of such products last fall. The organization, which was set up five years ago by the card networks to administer PCI, concluded then that acceptance apps could not be fully evaluated under PA-DSS, which was written for software that works on fixed terminals in a traditional point-of-sale environment. The new guidelines appear to be meant at least in part to satisfy demand from developers left up in the air in November. “People are clamoring for information,” Russo says.
Russo lauds the work of a Council working group formed earlier this year in coming up with this first set of guidelines. “This is really a solid first step,” he tells Digital Transactions News. “It’s taken a lot of hard legwork to get to this point.”
But some mobile experts say the move, in leaving out, for now, the broader marketplace of non-dedicated consumer handsets, is too tentative. Apps running on PTS-certified devices and those that work on dedicated systems constitute “an extremely narrow band,” says Todd Ablowitz, president of Double Diamond Group, a Centennial, Colo.-based consultancy. He also professes disappointment with the Council’s end-of-the-year estimate for further policy on smart phones and other consumer handsets. “They need to go faster,” he says, pointing to the rapidly mounting popularity of acceptance apps for such devices.
The Council, meanwhile, is seeking broader advice in formulating mobile policy. While the working group that came up with the guidelines announced Friday was made up of members of Leach’s staff and card-network representatives, Leach says the Council plans to form in July a new group of what he calls “subject-matter experts,” including representatives of platform and application developers.