Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

By Sue Zloth

When Google made the announcement that it was launching a new mobile wallet backed by MasterCard and Visa, we knew that the industry needed to get a better hold on mobile payment security standards.

So what has the PCI Council thought about all of this?

The Council has been evaluating mobile communication devices and the payment application landscape. The current focus is on determining the need for advice, guidance or re-evaluation of existing PCI requirements for mobile payment transactions.

Recently, the Council issued a statement on PA-DSS and mobile payment acceptance applications that provides specific detail on the types of mobile payment acceptance applications that can meet PA-DSS requirements, and those that require additional examination from the Council.

The Council’s Mobile Working Group, which includes representatives of each payment brand, put mobile payment acceptance applications into three categories based on the type of underlying platform [according to the guidance document]:

  • Mobile Payment Acceptance Application Category 1 – This category includes payment applications that operate only on a PTS-approved mobile device.
  • Mobile Payment Acceptance Application Category 2 – Payment applications that meet all of the following criteria:
    • the payment application is only provided as a complete solution bundled with a specific mobile device by the vendor;
    • the underlying mobile device is purpose built (by design or by constraint) with a single function of performing payment acceptance; and
    • the payment application, when installed on the “bundled” mobile device (as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application’s Report on Validation), provides an environment which allows the merchant to meet and maintain PCI DSS compliance.
  • Mobile Payment Acceptance Application Category 3 – Payment applications that operate on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing.

Guidance for the third category is not being addressed by the Council at this time. It is a very important category given the growing trend of mobile payments, and it needs to be addressed. In the meantime, the Council plans to release additional guidance on the other two categories by the end of 2011.


Written by Merchant Link Staff
