Feb 23 2012

PCI DSS for Mobile Payments Remains an Open Question

The PCI Security Standards Council has yet to establish best practices and standards in the mobile-payment industry.

For retailers in the business of charging and receiving payments electronically, the Payment Card Industry Data Security Standard is the law of the land. Established in 2004, the PCI DSS guides retailers on securing any electronic payment transactions so that customer information stays out of the wrong hands.

But with the rise of Google Wallet and other mobile payments, how will PCI DSS be applied?

Avivah Litan, a Gartner vice president and distinguished analyst, raises the unresolved question in a post on the Gartner blog.

So where is the PCI Security Council? And why aren’t they getting ahead of the rush to mobile payments and mobile payment acceptance?

I know where at least one of their founders, Visa, is. Investing and backing Square, one of the more innovative payment card acceptor applications out there that is allegedly growing by leaps and bounds, even in the absence of a PCI standard for mobile payment acceptance.

Walk into any Apple store around the world and you will see the sales people there also ‘ignoring’ PCI standards by accepting payments on non-PCI certified mobile payment devices.

I realize it’s tough to develop standards for the non-standard mobile environment, but no one said the PCI Council should have it all easy.

In an interview with Bank Info Security, Bob Russo, general manager of the Payment Card Industry Security Standards Council, said that mobile was a top priority for the organization in 2012.

"The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security," Russo said. "We have a task force looking at this, and in 2011 we issued some guidance. This year we will be issuing some best practices."

For more on mobile-payment security, read Litan’s post on the Gartner blog.