PCI Delists Mobile Payments Apps Just As They Take Off
By Lisa Terry
That thunder you hear is the clashing of two unrelenting forces: the burgeoning use of mobile payment and the decision by the PCI Security Standards Council to delist mobile payment applications until further notice.
On November 29, 2010, the Council released a brief statement saying that until it completed a comprehensive examination of the mobile device and payment landscape, “the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated PA-DSS applications unless all requirements can be satisfied as stated.” In a January 25, 2011 addendum, it added to that last sentence, “…and the underlying mobile communications device supports the merchant’s PCI-DSS compliance.” The Council then delisted mobile payment solutions it had previously validated.
Plunged into Limbo
Unfortunately, the announcements opened more questions than they answered.
“It’s giving everybody heartburn,” says Henry Helgeson, co-CEO of processor Merchant Warehouse (www.merchantwarehouse.com). That’s because it throws applications into a compliance grey area; a mobile payment application may have been fully vetted and validated by a QSA (Qualified Security Assessor), as Merchant Warehouse’s had been, yet its PCI status is now quite unclear and its marketability is thrown into question. “We’ve pulled back on our marketing to some degree for these applications,” Helgeson says.
Hypercom reacted similarly. “We launched a project to put together our own device to insert into a phone to make a payment, but the project is on hold until we understand the direction of the industry and PCI,” says William Rossiter, VP of global marketing for Hypercom (www.hypercom.com).
For others, such as VeriFone (www.verifone.com), “until a card association says we cannot issue or distribute it, it is business as usual,” according to Scott Henry, VeriFone’s director of North American product marketing. New West Technologies (www.newestech.com), which like others has spent years and millions of dollars developing and securing its mobile payment app, is also forging ahead, hoping to find a way to take the application out of scope entirely through technologies such as tokenization. “Our application’s been certified, we met the regulations, we went through the QSR, and then the Council rejected everything,” says Dan King, president. New West’s QSA “can’t tell us anything.”
These vendors and Payment Processing Inc. (www.paypros.com) are confident in the security of their mobile application. “With our security and compliance expertise, we are able to ensure that all transactions are safe and secure, regardless [of whether] they are processed through a mobile device or an integrated POS,” says Rick Allen, PCI compliance director for PPI.
The announcement also lumps all mobile payment apps into the same category, from encrypted payment-only apps on locked-down mobile devices running in a controlled environment, to an App Store download on an iPhone. But it’s not a maturity issue, asserts PPI’s Allen. “Extending a mobile feature set to mature POS technologies is not more or less secure than the same features deployed on open platform devices such as Android or iOS applications. I’d be more concerned if my mobile application developer followed security standards like OWASP Mobile Security Project than what platform the software was deployed on.”
But the reality remains that even for those following the strictest standards, they’ve lost the PCI validation listing. For some, that automatically deems them insecure. “There will always be providers that say yes” to the security of a mobile payment app, says Leslie Norris, EVP for Panoptic Security (www.panopticsecurity.com). “Panoptic is not one of those,” and will flag any merchant’s mobile payment app as non-compliant until the Council says otherwise.
Liability or Politics?
Most agree that PCI’s caution in navigating the wild west world of mobile payments is understandable–or at least self-protective. “They’re rightly concerned about the implications that this could expose credit or debit card data, on the network [or] in storage,” says Mohammad Khan, president and founder of ViVOtech (www.vivotech.com). “They must make sure people continue to trust the payment industry and keep it stable.”
What mobile payment application vendors want is some interim PCI guidelines to follow until a final decision, but that’s not likely anytime soon (see sidebar).
It’s the absence of the Council’s transparency and a lack of invitation for input that’s causing consternation.
Panoptic’s Norris says the payment industry shouldn’t just sit around waiting for PCI to act. She’s reached out to customers and competitors seeking to form an industry consortium across all facets of the industry to work alongside PCI, recommending best practices. “The cooperative element within groups that’s needed to make PCI compliance work has been missing from PCI compliance,” says Norris.
But the Retail Solution Provider’s Association (www.gorspa.org) has tried working with the Council as part of The Coalition of Associations for Data Security to find secure solutions, and has thrown up its hands. “The PCI Security Standards Council is not looking for a new technology solution or even developing a technology road map,” says Joe Finizio, president and CEO of RSPA. “The PCI SSC’s role is to create and manage standards to keep our current broken payment processing infrastructure running and the liability misplaced with merchants and technology providers.” The National Retail Federation is also working on mobile payment guidelines through its Mobile Retail Initiative, and the Federal government is also looking at standards for mobile electronic benefits. “We will see a national level conversation on how to get cell phones protected,” predicts Taylor Gray, executive director of the Petroleum Convenience Alliance for Technology Standards (www.pcats.org) and a consultant to the National Association of Convenience Stores (www.nacsonline.com).
Some observers assign dark motives to the card companies, asserting that the pullback on mobile apps is a futile attempt to stop alternative mobile payments from coming. “I don’t expect MasterCard and Visa to get real clear through PCI on what the standards are for mobile,” says PCATS’ Gray. “Mobile is the most disruptive technology to credit cards.”
One Door Closes, Another Opens
Yet casting doubt on the safe mobile use of credit processing further opens the door for a spate of emerging payment models, such as PayPal’s, that skirt in-transaction use of credit cards—and PCI rules—entirely. In addition, “I do fear that devices that are not secure will get out into the market,” says VeriFone’s Henry. “It leaves the door open for anyone to issue their own apps in a time of no directives.”
Many are bullish on near-field communications (NFC) for payment. “I think mobile payments can be the most secure payment platform we have, because it’s your device, your authentication,” says Gray. “It allows retailers to get out of the payment space, because the customer pushes the payment.”
In the meantime, the demand for mobile payment is exploding, and many merchants, particularly SMBs, are unaware of the change in mobile payments’ PCI status. Some larger chains are sitting on the sidelines, waiting for security to be defined before taking the plunge, while others, such as Apple, Home Depot, and Old Navy, are taking the calculated risk to accept mobile payments. “I think a lot of folks will be much more hesitant,” says New West’s King.
For merchants who have passed the scrutiny of a PCI QSA in the past, one wonders if their entire environment will be thrown into question next time because it includes a mobile payment component. Or, could a QSA still judge them compliant, even the mobile component?
What Now for Solution Providers?
For solution providers, the decision about selling mobile payment apps comes down to risk assessment: the potential business you’ll gain versus the potential for a breach or lawsuit. Consider this:
• Nothing has changed about the security of previously validated mobile payment applications, other than their compliance status. Make sure you understand your mobile payment application provider’s approach to security, advises Mandeep Khera, CMO for Cenzic (www.cenzic.com). “Ask for references of customers who have passed PCI Security Scans from an ASV using the mobile application infrastructure,” adds PPI’s Allen.
• Solution providers are already being dragged into PCI breach cases; installing a non-validated app increases liability. Obtaining an indemnity letter from the payment app developers may help mitigate this—as well as following the developer’s installation instructions and PCI guidelines precisely.
• Tread carefully in aligning with alternate payment providers; just because it avoids use of cardholder data, that doesn’t make it automatically secure.
The simple truth about PCI is that it’s far from simple. Solution providers need to treat mobile payment as carefully as they do any other product, understanding what they’re selling and making their own decisions.