March 31, 2011, 2:51 PM

Mobile payment applications need a second security check, PCI says

The PCI Council is re-evaluating mobile payment software.

Katie Evans

Managing Editor, International Research

Lead Photo

The PCI Council has taken several mobile payment software applications off its approved applications list, citing the need to re-evaluate mobile payment software to ensure that it adequately secures payment card data.

The PCI Council, which was founded by payment card companies Visa Inc. (Visa offers free tools for e-commerce payment app developers ), MasterCard Worldwide Inc., American Express Co., Discover Financial Services and JCB International, and manages the standards for protecting payment card account data in computer networks, has been working recently to figure out how it is going to deal with mobile commerce.

The council is in the beginning stages of determining security requirements for mobile payment software and mobile devices, and how payment software and devices should interact in order to secure cardholder data, Bob Russo, general manager of the PCI Security Standards Council, tells Internet Retailer. Russo wouldn’t say how many payment applications were delisted or release the names of vendors whose applications were removed from the approved list.

Vendors impacted received a letter in January explaining why their mobile payment software is no longer PA-DSS validated and the criteria used to make the decision, Russo says. The PA-DSS, which stands for Payment Application Data Security Standard, is the PCI council’s security standard for payment software.

Russo hinted that the council is struggling to figure out how to extend its security standards, which have traditionally covered payments made in merchants’ stores and on PCs, to the mobile realm. Mobile devices present a security risk to any payment application, even those that meet all of the council’s data security standard requirements, Russo says. In particular, he says the council is concerned about vulnerabilities in the design of mobile hardware and software and a lack of security functions in mobile payment software that would mitigate the vulnerabilities of mobile devices. He didn’t specify what security features are required to make mobile payment software safer.

“Mobile payments are an evolving ecosystem within the payments industry,” he says. “There has been a consistent drive toward flexibility for both consumers and merchants that use payment cards and payment devices. The rapid development and deployment of new and innovative mobile payment technologies has brought a level of complexity to the industry never seen before. This new complexity and the resulting influx of mobile payment applications introduce a new set of risks and threats that may affect the security of cardholder data.”

Comments

Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!

Advertisement

Advertisement

Advertisement

Relevant Commentary

FPO

Jason Squardo / Mobile Commerce

Five tips for achieving high mobile search rankings

Searches on mobile devices will soon exceed those on computers, Google says. Retailers that keep ...

FPO

Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of Quill.com that will let customers and Quill ...

Advertisement