The point-to-point advice "will talk about the ability to encrypt at one point and decrypt at another point and the transmission between those two points being completely out of compliance scope," Leach said. That is the first time the council has been that publicly explicit about point-to-point applications being out-of-scope.
Even more intriguing was when Leach tied it back to mobile devices: If a retailer associate "is swiping the card or dipping the card into a peripheral device that plugs into a mobile phone, now we're talking about devices and not applications. If they can do that and the mobile phone is simply a conduit for transmitting cardholder data that is encrypted," then PCI compliance could be had through standard means without waiting for the council's formal mobile guidance next year, Leach said.
Ultimately, of course, retailers will want to go the full application route—to take advantage of CRM, inventory, preferred pricing, coupons, etc.—but this is a nice interim step to get mobile payment live and compliant much more quickly. "Instead of getting a Hypercom terminal, you can in essence turn your phone into an NFC terminal," said PCI Columnist—and QSA—Walt Conway.
"This is good news. Troy's comments are very encouraging for retailers that want to implement a secure mobile POS capability. (Related story: Mobile Payment Vendor Claims PCI Compliance, Then Admits That It Was Fiction.) He points out that by this summer when point-to-point encryption guidelines are released, retailers should be able to implement a secure hardware card-swipe peripheral device," Conway said. "Because it encrypts the data at the swipe, the device effectively removes the phone from the retailer's PCI scope. With such a secure peripheral device coupled with point-to-point encryption, it appears retailers do not have to wait for the council to develop guidelines for smartphone payment applications or for software vendors to write them. Because retailers in this scenario rely on the hardware, they don't need a payment application. Retailers will be able to use their current smartphone coupled with a PTS-listed card-swipe and approved encryption for Mobile Commerce."
Leach's comments came in the middle of a briefing on a mobile payment update that the council will make Friday (June 24). That update will reflect an initial step for mobile-payment guidance. But it will only impact mobile devices that are solely used for—and solely capable of—accepting payments. The mobile-payment issue that the vast majority of retailers care about—where consumers can use their personal phones to make purchases—is still in limbo until next year, with some guidance promised by the end of 2011.
The change, incremental as it is, will be that such single-purpose dedicated devices "will now be considered for inclusion as PA-DSS validated payment applications," according to a draft statement from the PCI Council.Council officials also promised "some updated language this summer" about peripheral devices—such as Square—that would interact with mobile units. "This is totally focused on point of sale: Mobile applications that are accepting payments and not initiating payments," said Bob Russo, the council's general manager. "This is really a first step."
What the council will specifically announce is that it is splitting all mobile-payment applications into three categories. The first is apps that operate solely on a PCI PIN Transaction Security (PCI PTS) approved mobile device. (Aside: PCI PTS is a deliciously acronym-intensive phrase, which fully stands for Payment Card Industry Personal Identification Number Transaction Security. Yeah, let's go with PCI PTS.) The second category is for devices that have as their single—and only—function to accept payments. Category three speaks to apps where payments are handled by a multipurpose consumer-controlled device, such as a smartphone or a tablet. The council is now willing to consider applications for categories one and two.
Category two speaks to "an environment that was dedicated and developed with payment applications in mind. It would be hardened and dedicated to just the purpose of Point of Sale," Leach said. "It would not be allowed to have the user functionality to download [the game] Angry Birds."
Leach said the new categories are an attempt to better mesh the council's goals with today's retail realities. "The challenge is sometimes assessors have been trying to put a square peg into a [round] hole when trying to meet our PCI-DSS requirements, which are traditionally for Point Of Sale type of applications," Leach said.
Some creative approaches—such as Home Depot's customized mobile units that can handle payments along with checking inventory and other functions—don't fit neatly into these categories. But that's OK. "If it's one merchant's product, I would question why in the world it would go through PA-DSS to begin with. If I'm Home Depot or Lowe's or any merchant, and I'm using this technology and it's custom-built for me, why am I going through PA-DSS?"
Conway applauded the new categories, but added that the lack of official action on category 3—true mobile payment, as it has come to be understood—limits the value. "Realistically, the greatest interest is and will be in category 3. That's where all the action is. Unfortunately, merchants are on their own until sometime in 2012," he said.
Richard Mader, executive director of the Association For Retail Technology Standards (ARTS), said he wants to know why the PCI Council hasn't been working with retail groups. "Why is the council not working with the leaders in the industry who are trying to develop secure payments? To my knowledge, they are not engaged with Smartcard Alliance, NFC Forum, GSMA PayBuy Mobile project, ARTS or others that work in this area. Again, this is possibly a delay tactic until Visa and MasterCard have cemented their hold on mobile payment."