The Top 500 retailer buys Campus Deals, which offers mobile coupons to college students.
Mobile payment applications need a second security check, PCI says
The PCI Council is re-evaluating mobile payment software.
Managing Editor, International Research
Topics: American Express Co., Discover Financial Services, JCB International, m-commerce, Mastercard Worldwide Inc., mobile commerce, mobile payment applications, PA-DSS, Payment Application Data Security Standard, PCI, PCI Security Standards Council, PCI-DSS, The PCI Council, Visa Inc.
The PCI Council has taken several mobile payment software applications off its approved applications list, citing the need to re-evaluate mobile payment software to ensure that it adequately secures payment card data.
The PCI Council, which was founded by payment card companies Visa Inc. (Visa offers free tools for e-commerce payment app developers ), MasterCard Worldwide Inc., American Express Co., Discover Financial Services and JCB International, and manages the standards for protecting payment card account data in computer networks, has been working recently to figure out how it is going to deal with mobile commerce.
The council is in the beginning stages of determining security requirements for mobile payment software and mobile devices, and how payment software and devices should interact in order to secure cardholder data, Bob Russo, general manager of the PCI Security Standards Council, tells Internet Retailer. Russo wouldn’t say how many payment applications were delisted or release the names of vendors whose applications were removed from the approved list.
Vendors impacted received a letter in January explaining why their mobile payment software is no longer PA-DSS validated and the criteria used to make the decision, Russo says. The PA-DSS, which stands for Payment Application Data Security Standard, is the PCI council’s security standard for payment software.
Russo hinted that the council is struggling to figure out how to extend its security standards, which have traditionally covered payments made in merchants’ stores and on PCs, to the mobile realm. Mobile devices present a security risk to any payment application, even those that meet all of the council’s data security standard requirements, Russo says. In particular, he says the council is concerned about vulnerabilities in the design of mobile hardware and software and a lack of security functions in mobile payment software that would mitigate the vulnerabilities of mobile devices. He didn’t specify what security features are required to make mobile payment software safer.
“Mobile payments are an evolving ecosystem within the payments industry,” he says. “There has been a consistent drive toward flexibility for both consumers and merchants that use payment cards and payment devices. The rapid development and deployment of new and innovative mobile payment technologies has brought a level of complexity to the industry never seen before. This new complexity and the resulting influx of mobile payment applications introduce a new set of risks and threats that may affect the security of cardholder data.”