The PCI Security Standards Council Friday released its long-awaited guidance on how mobile payment acceptance applications can meet PCI standards .
It listed the types of mobile applications now measured by the security standards, and which types require further review. The move is a start but far from sufficient, say analysts.
The new document, dubbed Which Applications Are Eligible for PA-DSS Validation? A Guiding Checklist ( Download PDF ), is designed to let merchants know whether the mobile payment applications they are using could meet today's PCI specifications.
The document separates mobile payment applications into three separate categories.
The first two categories -- applications that operate on mobile devices already approved for use by the council and apps designed to run on purpose-built, dedicated mobile payment devices -- can meet current PCI security standards, the council said.
The third category, payment applications running on popular consumer mobile devices such as smartphones, tablets and PDAs, face further review to determine whether they can be eligible for PCI status, said Bob Russo, general manager of the PCI Security Standards Council.
"Mobile is coming out at Mach 5 with its hair on fire," Russo reasoned. "Unfortunately there are no standards around any of this stuff."
While many merchants are anxious to use mobile payment applications, the speed at which the technology is evolving makes it difficult to establish standards, he said. He compared the situation to the release of drugs that "the FDA has not had a chance to test and approve. You got to be very careful," Russo said.
The Payment Card Industry rules require that all hardware and software technologies used to accept, process, and transmit debit and credit card transactions meet a set of prescribed security controls.
Merchants that use payment applications that have not been formally certified as meeting Payment Applications Data Security Standards (PA-DSS) standards are deemed to be non-compliant.
The announcement marks the first time the PCI council has said that mobile payment applications can be eligible to meet its standards requirements.
The council had previously maintained that it had to conduct a lengthy review of mobile communications devices and payment applications before making a decision on whether the emerging technologies could meet its standards.
Jim Huguelet, an independent US-based PCI analyst, noted that because the PCI decision is incomplete, developers of mobile payment applications for consumer devices and the merchants who use them have been left in a "very tenuous position."
Today's update from the PCI council "will indeed help some vendors and merchants now - as opposed to waiting until later this year when comprehensive guidance on mobile becomes available," he added.
He did note that the council's continued silence on whether payment applications can safely be used on consumer devices is disappointing, he said. "For all intents and purposes, the area where the vast majority of interest lies must wait until later this year for guidance," he said.
The incomplete announcement, he noted, raises interesting questions, such as: "Are they trying to say that applications like Google Wallet are not within the scope of PCI?," he said.