PCI SSC announced it would not approve or list any mobile-payment applications as compliant for the time being.
December 27, 2010
By James Wester
The Payment Card Industry Security Standards Council (PCI SSC) recently announced it would not approve or list any mobile payment applications as compliant with its Payment Application Data Security Standard (PA DSS) for the time being. The council cited the quickly evolving mobile payment market as one reason for its decision.
The council also mentioned several areas it is evaluating to determine the best way to proceed in certifying mobile payment applications to protect cardholder data during mobile transactions. The organization also noted that mobile payments will be a “key focus” for the council in 2011.
The council's cautious approach is not surprising in light of the relative immaturity of the mobile payment market.
There are very real concerns mobile payments pose to cardholder data security. The organization's announcement, however, is in sharp contrast to the flurry of activity that is already occurring in the mobile payments space.
Several mobile payment vendors, wireless providers, banks and card networks, including members of the PCI Council, have recently announced they are moving forward with mobile payment pilot programs and partnerships. T-Mobile, AT&T and Verizon announced in November they are teaming up to create Isis, a mobile payment network that allows consumers to use their mobile phones to purchase products at the point of sale. This joint effort by the wireless competitors is an attempt to standardize mobile payments at the point of sale using near-field communications (NFC).
Google and Apple also have announced that NFC support will be incorporated in the next releases of their mobile phone operating systems.
New mobile payment applications are also being launched and tested. One notable entry is Square, an application backed by Twitter co-founder Jack Dorsey.
Square's goal is to turn every smartphone into a potential credit card terminal. Square will allow anyone with an enabled smartphone to swipe and accept credit cards for a small fee. Wells Fargo & Company has also announced it will be teaming with Visa in the San Francisco area to test In2Pay, an application using MicroSD cards to compete with NFC.
Analysts, who have been reluctant in the past to jump on the mobile payments bandwagon, are even sounding fairly bullish on mobile payments. In recent reports about the future of mobile payments, Gwen Bezard, research director of Aite Group LLC, a Boston-based research firm, announced that in 2011 mobile payments will begin to take off. It is possible that this activity is the reason the PCI Council is just now releasing this statement on the future of certifications for mobile payment applications.
The cautious approach may simply be a tacit admission that no method or standard has emerged as a strong enough leader in the field to merit deeper consideration. There may also be some concern by the PCI Council that approving or listing solutions at this stage may unduly influence the direction of the market as vendors attempt to attract merchants and gain consumer support for competing standards.
By waiting to certify applications, the PCI Council can effectively let the market sort through which standards and solutions will succeed. Unfortunately for merchants, mobile payment vendors and acquirers (the companies that connect merchants to the payment networks), the statement means there may be very little guidance from the PCI Council in the short term.
According to agreements with acquirers, PA DSS certification and approval are mandated for all applications offered to, and used by, their merchants.
That would seem to indicate that as far as the PCI Council is concerned, mobile payment applications are forbidden for now.
However, the fact that the PCI Council will not be listing or validating any mobile payment applications does not mean that acquirers cannot offer mobile applications to their merchants. It may seem to violate the spirit of acquirer agreements to offer non-listed applications, but one of the loopholes of the PCI standard is that acquirers have the ability to provide non-listed solutions to merchants so long as they have been validated in some other way, usually through a PCI Qualified Security Assessor (QSA).
The real issue then becomes who is willing to hire and pay a QSA to certify that a particular solution is compliant with the PA DSS.
One of the criticisms of the PCI Council in the past has been the complexity of the security standard. In the case of mobile payments, the complexity may be how the PCI Council avoids squashing mobile payments while also avoiding taking a hard stand on potential security vulnerabilities.
Because of the apparent inconsistency in PCI agreements, it is likely that acquirers will continue to offer mobile applications to their merchants. Given the intense interest in mobile payments by merchants, acquirers will be more than willing to work with mobile application vendors. Offering alternative payment methods is one of the ways acquirers provide additional value to their merchant clients in the very competitive acquirer market.
For mobile payment vendors, the announcement can be construed as limited good news as well. Where the PCI Council could have taken a harder line towards potential security issues inherent in any mobile payment application, it instead chose to take a more measured approach. Additionally, there is a cost to be listed as a PCI-compliant application. While application vendors will still likely bear the cost of certifying solutions, or pass that cost along to acquirers looking to offer the solutions to their merchants, the cost to be listed will not be required.
In the end, the burden for security will be borne by merchants. In the case of a data breach due to an insecure mobile payment application, it is the merchant that will ultimately be responsible for any fines, lawsuits and public relations fallout. Therefore, it is always incumbent upon the merchants to work with acquirers and partners to ensure that any mobile payment application is fully audited and secure. Until the dust settles in the mobile payment space, data security will continue to be an issue.
And whether or not the PCI Council addresses the issue, it will be security that determines which mobile payment applications are supported by payment brands, implemented by acquirers, installed by merchants and adopted by consumers.
Wester is a mobile-payments expert. (Photo by Marco Arment.)