PCI Mobile Madness: Council Clarifications Not Helping

The intersection of PCI and mobile—an admittedly murky place—is getting more complicated. The PCI Council has pledged that it won't validate any more mobile applications for quite some time, at least not until it can determine what the best criteria are. Questions have now cropped up about the handful of mobile applications that had already been PCI validated.

The Council is in a very difficult position (between a ROC and a hard token place?), especially because it must give as much attention to political issues as it does to technological ones. In this case, the politics are not of the Washington, D.C., sort, but of the industry.

Specifically, how to deal with the concerns of the many mobile application developers whose apps now cannot even be considered for PCI validation, especially when they complain of their rivals, who happened to have slipped in before PCI closed the evaluation door.

Should the few already approved applications be delisted, so that all mobile applications can be evaluated at the same time, using the exact same criteria? Is that the fair approach? And what about the applications that were on that approved list? What's the reason for delisting them, given that no specific security hole has been discovered?

It's hard to tell a vendor, "We need to take you off the approved list because we've decided that we didn't know what we were doing when we approved you." It's actually closer to "We thought we knew. But upon reflection and industry changes, we've concluded that we need to re-evaluate everything."

This situation gets worse. What's the impact on retailers? As for the delisting situation, what should a merchant who used one of those listed apps do?

If it's delisted for the reasons stated above (as opposed to the discovery of a critical security hole), would chains risk PCI compliance by not immediately removing an app?

And if those apps are not delisted, can retailers use them with confidence, knowing that PCI is going to completely rewrite its mobile rules? From a different perspective, in the months before PCI makes up its mobile mind, will retailers have to choose from the handful of already listed mobile apps (we counted three) because they are the only ones approved?

There's also the bigger issue that retailers are moving ahead with mobile functionality now, and many won't risk waiting much longer. Do they risk future PCI compliance by not stalling their mobile deployment efforts?

As we've noted, acquirers always have had the power to clean some of this up by moving in and approving mobile-payment applications directly. Then again, that invites the kind of confusion and industry-wide inconsistencies that PCI was created to eliminate.

PCI has said little to clarify many of these issues. On January 25, the Council offered an addendum. However, the only new data point it offered is that the Council is looking at not merely mobile apps but the hardware surrounding those apps. It seemed an odd clarification, as it's unlikely anyone in the retail or payment community thought otherwise.

When asked about whether existing mobile apps would likely be delisted, the Council merely restated long-standing policy that any apps could be delisted "should the Council determine they do not meet the intent of PA-DSS requirements." Taken literally, that would seem to suggest that no applications would be delisted until the mobile review process is complete, because the Council couldn't determine the intent of its requirements until it had created those mobile requirements. But the Council makes its rules, and it can change them.

The Council did say hardware is the key, and applications designed to run on hardware that seems to be compliant would have a much easier time. The only problem is that the Council's mobile teams are also evaluating hardware criteria, so it's impossible to know which devices will still be approved when its review is done.

"At this time, the Council can confidently sanction payment applications (assuming they meet all of the existing PA-DSS requirements) that are designed for use on PTS approved mobile devices as these platforms include third-party validated physical and logical security functions that are designed to protect cardholder data," said a PCI Council response to an E-mail question. "All other mobile communication devices need to be assessed to determine security risk they represent."

In short, the PCI mobile world is full of questions and risks, with almost no comforting assurances from anyone. The only calming thought: Your competitors are having the identical nightmares. In that sense, PCI has delivered some industry-wide mobile consistency.