PCI Delist Move Threatens Mobile Payment Security

The PCI Council this week confirmed that it has quietly delisted "multiple" mobile payment applications, although the council didn't specify a number. This comes as the PCI folk are trying to formulate a mobile strategy, which is likely to take quite a few more months to resolve. Given that retailers can't put their mobile plans on hold, this puts merchants in a very awkward—and potentially very insecure—place.

The move, which hit at least one of the delisted vendors on January 31, is part of PCI's effort to create a proverbial level playing field. There are good and bad sides to this effort.

The good is that it's noble in intent. It acknowledges that mobile payments have so many crucial differences from earlier payment methods that merely tweaking today's guidelines won't work. And it also notes that it would be unfair to let vendors that happened to have already been approved be the only applications with the seal of approval, with the door slamming on everyone else.

The bad is that it's seeking the perfect at the expense of the good. The council hinted Tuesday (March 15) that it would be a very long time before it would come out with its mobile approach, although no timeframe was offered. But retailers can't wait on trialing and even deploying mobile initiatives. What are they supposed to do during this lawless Wild West mobile period, while Sheriff PCI locks himself in his office for months, contemplating the best long-term strategy while gunmen murder his neighbors?

Would not a piecemeal approach be a better tactic? There are some basics that almost all could quickly agree on—such as encryption rules—and getting some out quickly might help. To the council's credit, though, until it works out all the mobile payment issues, it's hard to know even how to tackle encryption. Then again, there's always the ability to amend and update rules later on. Ahhhh, 'tis a frustrating standards world out there in Mobile Land.

There is a longstanding PCI mechanism to deal with this vacuum, though. Acquirers have always been empowered to approve anything as PCI friendly, as long as they are willing to take the heat later if things go poorly. Thus far, we've been unable to confirm that any acquirers have yet to do this. And if they did, it would generate its own kind of Wild West, with retailers with different acquirers operating on different standards, which is exactly what PCI was created to avoid.VeriFone is one of the mobile payment vendors that was delisted on January 31, according to Paul Rasori, VeriFone's Senior VP for Global Marketing. His letter said, simply enough, that "until this examination is complete," the PCI Council "will not approve or continue to list" any impacted mobile applications.

Which applications are—or will be—considered impacted? Without a full list of the delisted applications, that's difficult to say. One person with knowledge of the council's startegy said there are various factors, and many involve the hardware. Applications designed to run on consumer-controlled devices—such as iPhones, Androids and Blackberries—will likely get the most resistance, while some mobile applications designed for retailer-controlled devices—such as IBM's Shopping Buddy—may be able to stay listed during the examination period.

This PCI source said that "the council notified specific vendors and gave them a period to address the concerns, as well." Asked how a vendor could appeal when the council has yet to issue mobile guidelines (in other words, how can vendors argue that they really are compliant with non-existent rules?), he said much might involve the hardware. The big challenge is making sure all of the mobile capabilities are compliant with all three relevant standards: PCI-DSS, PA-DSS and PTS.

Asked about a rough target of when mobile guidelines will materialize, Council General Manager Bob Russo had a statement E-mailed that didn't directly answer the question. He even questioned whether new guidelines would ever be issued, saying that "new standards or guidance around mobile payment applications and their associated mobile communications device are possible outcomes of this process." That said, it seems extremely unlikely the council would go to all of this effort—including the delisting—and then not issue anything.

Beyond that, Russo's answer to the timeframe question was a lengthy list of things that need to happen between now and the examination's conclusion, suggesting that the process won't wrap anytime soon.

"The council is in the beginning stages of a comprehensive examination to determine: applicable security requirements for mobile payment applications, the security capabilities and features of the mobile communications devices on which these applications reside, and the necessary interaction between such devices and payment applications to effectively secure cardholder data," the Russo statement said. "As part of this examination, if security guidance is defined, each application will need to be reassessed by vendors for possible updates, put forward for review by a PA-QSA to ensure that any new guidance was appropriately incorporated into the application, then submitted to the council for approval."

There have always been two ways that technology standards—and, for that matter, any standards—can come about: de jure and de facto.

De facto is the majority rules approach, where overwhelming marketshare, for example, can make one approach the standard—think Microsoft Word in word processing or Google for search engines. De jure is where a committee dictates the standard to the population—when the PCI Council, IEEE or W3C, for example, issues guidance on an approach.

If the PCI Council (the de jure option here) moves too slowly, will retailers proceed on their own? And will the council then have to tailor its guidelines to accommodate what the merchant community has already done, assuming one approach becomes far more popular than another?

Maybe this is terminology confusion. Note to the mobile powers-that-be: When people speak of a mobile standard, they mean a standard governing mobile devices. They do not mean that the standard itself is mobile, flitting here and there and never actually landing. Just wanted to clarify that.