Loads of Recent Press, But Not That Helpful
Mobile payment applications have been getting a lot of attention lately, with articles being published that label them as the best thing since sliced bread. However, all the information a merchant should take into account before moving forward with the implementation of a mobile payment application is not being provided in the press. On December 5, 2011 a huge article was published in USA Today about Square.
For anyone who doesn’t know, Square provides a reader and an app for Apple iOS and Android mobile devices to process credit card payments. Payment information is transmitted directly to Square for processing. I know this isn’t new news, and there have been numerous articles and blogs over the past 6 months talking about the benefits and compliance risks of using these technologies. However, it’s killing me that there is such a deep divide between the information given to potential merchants and the information given to the compliance community.
What I’ve noticed is that the articles that tout the technology are typically in publications that target consumers and small merchants, such as the New York Times and USA Today. These articles provide great advertising for these companies and give examples of real-world scenarios in which small businesses are growing because they can easily accept credit cards as payment. As you read these articles, it’s easy to see why so many companies and investors are interested in the technology. Ease of use? Check. Cheap to acquire? Check. Little overhead and low startup costs? Check. PCI and PA-DSS compliant? Check... Wait, no, yes... I don’t know!
What Do the Card Brands and the PCI SSC Say?
The blog postings and tech articles that a QSA or security guy would read talk more about how Visa requires the use of only PA-DSS validated payment applications and how MasterCard’s mandate for using validated payment applications becomes effective July 1, 2012. So, what does all of this mean? Can a merchant use something like Square and still be PCI DSS compliant? Let’s dive in!
According to the FAQ on mobile apps released by the PCI SSC in June 2011, applications running on consumer electronics handheld devices are not eligible for PA-DSS validation. This means that payment software designed to run on something like an iPhone or Droid will not be considered for review at this time. These apps are sort of in validation limbo. However, this does not necessarily mean that they are not allowed to be used. It means that the implementation of these solutions would have to be evaluated during an organization’s annual PCI DSS Assessment, and the risk of using such applications should be discussed with a merchant’s bank and the card brands before they are implemented. Additionally, the PCI DSS itself does not have a requirement to use only PA-DSS validated applications. Those requirements are set by each individual card brand.
What to Consider
One of the key flaws with this guidance is that the majority of merchants using these types of mobile applications are going to be Level 3 and Level 4 merchants, which are not required to undergo a PCI On-site Assessment. Many Level 4 merchants don’t even validate compliance. What we at SecureState have noticed during numerous PCI Gap and On-site Assessments is that if the vendor says the solution is secure, the client will take them at their word and use it without thinking about any other compliance considerations.
For higher-level merchant assessments, it may be hard to find an assessor who can really dig into the mobile OS to determine whether the application is implemented properly. And what about the fact that this application is running on a mobile phone that is always connected to the Internet, alongside potentially hundreds of other games, messaging programs, and social media applications? Is it only a matter of time before someone creates another app that acts as a Trojan, sniffing for traffic from these mobile payment applications?
Be Aware and Mind Your Risk
The point is that small merchants (e.g., your local pizza shop and the self-employed plumber) won’t have the knowledge or background to determine whether these applications are secure, and won’t understand the risks involved. While the PCI SSC has taken a stand on what it will (or won’t) validate, it’s still up to the banks and card brands to determine whether they are willing to accept the risk of allowing merchants to use these apps, and to ensure that merchants, not to mention assessors, know what is permitted. I’m all for encouraging the success of small businesses, but I believe that the acquirers and brands need to create better awareness in the merchant community about the risks that these apps pose.