Sunday, October 27, 2024

PCI Council’s Latest Mobile Guidance Doesn’t End Freeze on App Approvals

The PCI Security Standards Council on Wednesday published guidance on how merchants can accept card payments through smartphones and tablet computers while protecting sensitive cardholder data. The guidelines, however, do not bring to an end an 18-month-old freeze the council has imposed on approvals of software applications for mobile payments. That could happen later this year, though such an outcome isn’t guaranteed.

The Wakefield, Mass.-based PCI Council’s new document, called “At a Glance: Mobile Payments Acceptance Security,” is the result of work by its staff and its approximately 50-member Mobile Working Group, composed of vendors, processors, and others. “This is geared more toward a smaller merchant [and] letting them know how they can accept mobile payments,” PCI Council general manager Robert Russo tells Digital Transactions News.

The council oversees the main Payment Card Industry Data Security Standard (PCI DSS) and the related Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) requirements. The new guidance comes at a time when merchant acquirers and independent sales organizations are signing up hordes of small businesses for mobile acceptance, many of them part-time or even occasional sellers who want to accept cards through mobile devices. The hot startup Square Inc., a specialist in the category, in December claimed it had hit the 1-million-merchant mark.

“We’re going to have a huge number of merchants coming into the system,” says Russo. “This is the first time that we’re actually mentioning the word ‘mobile’ and getting people into the fray.”

The guidance explains some of the council’s other initiatives that affect mobile payments. They include its recently updated requirements for hardware systems from point-to-point encryption providers, and updates to the PTS requirements made in October 2011. Those latter requirements addressed how encrypting card-swipe readers for mobile devices could meet PCI requirements.

“Both those standards, they’re very technical, are for vendors,” says Troy Leach, PCI Council chief technology officer. “This paper we’re releasing this week is our first communication to merchants.”

The document emphasizes that merchants should use only processors with PCI-validated point-to-point encryption products and PTS devices that meet council-delineated criteria. It also notes that mobile merchants using approved systems still have basic responsibilities under the PCI rules to protect cardholder data.

The council, however, sees the guidance as just one step on a long road to fully secure mobile payments. The council froze PA-DSS approvals for mobile-payment software in November 2010 to get a handle on the myriad security issues raised as the mobile channel began to boom. Last June, it issued a “roadmap” that enabled software for purpose-built mobile-payments hardware, products used mainly by full-time businesses, to attain PA-DSS validation. But applications for iPhones, Android phones, and other devices that do double duty as personal tools and mobile card-acceptance terminals have yet to be approved.

In addition to today’s guidance, the path to such approvals will first include a set of mobile best practices that the council plans to release this summer, one for vendors and another for merchants, followed by more guidance at about the time of the council’s so-called community meetings. The North American meeting is set for Sept. 12-14 in Orlando, Fla.

Leach envisions three potential outcomes of the multistep process. “A roadmap [for] whether payment applications can use existing standards, whether new ones need to be created, or whether there needs to be additional security evolutioned to that particular environment.”

Russo says the council is taking a cautious approach to mobile security because of the “complex environment.” “It’s a lot of moving parts out there,” he says. “We want to make sure we get it right.”

Mobile-payments consultant Todd Ablowitz, president of Centennial, Colo.-based Double Diamond Group, says he’s “pleased that there’s continued progress to give guidance to the community on how to secure mobile transactions.” Regarding the deliberate pace at which the council is moving, he says, “I think they’ve set a pace for the last couple years. This continues that pace. Are they making progress? Yes. Are they all the way there? Not yet.”


Digital Transactions