When the PCI Security Council released its long-awaited update on mobile payment applications in June 2011, it split mobile payment acceptance applications into three categories according to the type of underlying platform and its ability to support PCI DSS certification. While applications that fell within Category 1 and 2 would be considered for inclusion as a PA-DSS validated application, those that fell under Category 3 (payment applications that operate on a consumer handheld device that are not dedicated solely to payment acceptance) were still in need of review. Bob Russo, general manager for the PCI Council, reveals what progress has been made regarding Category 3 applications, the major challenges concerned with their certification, and what operators can do in the meantime to secure their devices.
HT: When the PCI Council released its update on mobile payment security in June, Category 3 mobile payment applications were not being considered for certification. What progress has been made since then?
BR: There’s a task force that we started up internally and they are looking at these things. The biggest issue that we have is the fact that these are basically applications that can go on a platform, which for all intensive purposes is pretty insecure [i.e. iPhones and BlackBerries, etc]. That is still a big concern to us. We’ve taken a step back and we formed this mobile task force, consisting of a number of experts not only from the brands but from the industry, to help us get this right. We can’t afford to get it wrong. We know that there is a huge appetite in the industry for people to go in and do these things. If I am Bob’s Pizzeria the first thing I want to do it take my iPhone and stick a little plug on it to make it able to take a credit card without having to go through all of the issues associated with buying new equipment since I already have an iPhone. So it makes perfect sense and we know that people are running mock five with it with their hair on fire because it is convenient for them—and more importantly— convenient for the customers to be able to do this right at the table. We are taking this one step at a time because we have got to get it right.
HT: What are the major challenges surrounding their certification?
BR: Do we need to not only certify the application itself, but do we need to certify each and every device, because as you know there must be thousands of devices out there. Do we have to certify individually each one of these devices, do we have to certify it individually with each application, and do we have to certify the applications in conjunction with devices themselves? So if you are using application ‘A’ as an example, do we test out application ‘A’ not only on an iPhone, but on a BlackBerry, a Nokia and on a thousand different platforms? There are lots of questions that still need to be answered and we have gone and asked the industry to help us to formulate what the right questions are initially. Once we understand what the right questions are then we can make some informed decisions as to what we are going to do. But so far we are not there yet.
HT: Can you expand upon what some of those questions are?
BR: Can these things be platform agnostic. The guy that created the applications can say, ‘yeah this will work on everything.’ Wonderful. We understand that it will work on everything but is it secure on everything. Well maybe there is a way that we can certify the application, and again do we have to certify the application to work in conjunction with this device? And do we need to certify the application again to work in conjunction with another device, or do we just put out a guideline for the device so that you as a merchant can say, ‘well I am going to buy this application and the guidelines say that the device need to do x, y, and z. My device doesn’t do that, so I will just go out and buy another phone because it is cheaper or another device because it is cheaper.’ We have to make sure that these bundled solutions are properly defined before we go out and do anything. It’s overwhelming when you consider the amount of things that are out there on the marketplace at this point. They are all very convenient for everybody but the question is: are they secure. We cannot prevent someone from going out there and buying something, so we are looking at these things in light of our standards. How do they line up with our standards? You cannot lose sight of the fact that it will always come down to standards. The standards are always our focus. These things have to be in line with what the standards would do.
HT: How are those challenges different from those associated with Category 1 and 2 applications?
BR: Category 1 is something that operates specifically on a PTS-approved device so we can control what the device is. We understand the device; we know that there are not ways to break it. They have been tested in our labs. Category 2 meets all of the requirements of Category 1 as well, except that we are saying that some places are building purpose-built devices that only do one thing. Maybe it is an iPad and all it does is take a credit card number. So those are good as well, but then you get to the point where someone in a retail environment says, you know what, I want to have my people in the store walking around with an iPad so that they can help you and take your credit card immediately when you buy something so that you do not have to go searching for a cashier.’ It is really convenient for the consumers but the problem is that that same retailer also wants to be able to check the inventory on an item. Now it’s not purpose built anymore; you are doing another application on it. Who’s to say that you won’t be adding a different application to do something else, so there are lots of things that need to be considered. That’s why Category 1 and Category 2 are pretty straightforward. If you want something that is going to do different functions then that is something that we really have to look into. Before we make any kind of guidance on this we need to make sure that we looked under every rock so to speak and that’s a huge job.
HT: What advice can you offer end-users in the meantime to secure their mobile apps?
BR: Whether they understand it or not, they should be asking is it PCI compliant. You can bet that whoever the vendor is that is trying to sell you this will understand PCI. At least ask the question and if you are not up to date enough on the security issues don’t only ask the questions of the vendors, but go to your acquiring bank. You can ask them for a recommendation as well. Who’s taking your credit card now in the traditional way? Go to them and ask them what they would recommend in terms of a mobile solution. Don’t just say well I need to go mobile because it is the most convenient for my customers. That’s a given; we know that. Ask around. Ask the acquiring bank, pick up an article, and ask the brands. The brands can recommend stuff on their website. We have stuff on our website for small merchants. Do some research before you jump into something.