Visa Joins MasterCard In Relegating PCI To An Afterthought
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Visa recently updated its Security Best Practices for Mobile Payments, and it is interesting to observe how it mirrors key elements of the guidance issued earlier by MasterCard. The good news is that it sends smaller retailers a consistent message on how best to take cards using their smartphones, tablets or personal digital assistants (PDAs). The less good news—at least from a QSA's perspective—is that Visa seems to have joined MasterCard in relegating PCI compliance to an afterthought.
Actually, come to think of it, the card brands are recognizing the reality that the retail industry is moving forward with mobile payments whether the chosen solution is PCI compliant or not.
Visa neatly divides its best practices into separate sections for application vendors, merchants and what it calls Payment Solution Providers (PSPs). A PSP is the same as MasterCard's Payment Facilitator: an entity that has a merchant agreement of its own and, essentially, resells card processing to small merchants. These small merchants then do not need their own acquiring relationship.
The three-part model for mobile payments is also the same. There is a smartphone or tablet presumably already owned by the merchant. The merchant installs a payment application and attaches a hardware device for reading the card's magnetic stripe (or EMV chip when that becomes available) to complete the setup.
Visa's best practice recommendations for merchants are neatly summarized in just over one page. Specifically, merchants should use the payment application only as intended, limit device access to employees who need to use it, tell their acquirer if the device is lost or stolen and avoid installing any games or malware on the device.
As a QSA, what I find interesting, and maybe a little disappointing, is the lack of clear support for PCI compliance. About the only mention of PCI in the entire document is the recommendation that the payment solution "should also adhere to the principles set out" in both PCI DSS and PA-DSS. Somehow, the recommendation to "adhere to the principles" of PCI doesn't sound like a ringing endorsement of the standard.
It is that use of "should," when referring to security and PCI, and "must"—sometimes in bold and underlined—when referring to Visa's own Operating Regulations, that disappoints me a little.
The PCI standard and the PCI Council are creations of the card brands, and now we see the two largest brands each appearing to soft-pedal PCI compliance. I do not know if that is the message the brands intended, but it is a message that comes through.
I believe the PCI Council is on the right track with its point-to-point encryption (P2PE) approach. Its recommendation is straightforward, and the merchant's smartphone or tablet never sees or stores clear-text cardholder data. Furthermore, the Council's approach reflects the reality that the local barista, handyman, food truck vendor or taxi driver has no interest in or ability to assess the security of the mobile payment application. They just want to take plastic and get paid.
All of which leaves me with most of the questions I asked in the previous column unanswered. I am sure this situation will come up during the PCI Council's annual Community Meeting. The apparent conflict between the card brands' and the PCI Council's advice should stimulate some interesting discussion.
Meanwhile, I'd like to hear some stimulating discussion from you. What do you think? Does it look to you like PCI is being pushed to the backseat, or am I too close to the situation? Do larger retailers feel that smaller competitors are being given a free pass on PCI compliance? I'd like to hear your thoughts. Either leave a comment or E-mail me.