The Green Sheet Online Edition

July 14, 2014  •  Issue 14:07:01


Stop looking for a PCI mobile standard

By Gary Glover

Blaming the PCI Security Standards Council (PCI SSC) for the industry's confusion over mobile security has been the craze since the Payment Card Industry Data Security Standard (PCI DSS) 3.0 was released in 2014. "They forgot to include mobile in 3.0!" people rage. The truth is the council left it out on purpose.

We can't let mobile lower the bar

Merchants want cheap and secure in the same bite. They want to turn a $300 tablet device into a highly secure POS terminal – and use that same cheap piece of equipment as a multipurpose asset in their personal lives.

Most current mobile devices are mini computers that were never designed for secure processing. No matter how many mobile requirements the PCI SSC could add to the standard, the platform itself may never be secure enough to process customer payments.

The council can't provide guidance on something that is inherently vulnerable, especially if the argument is, "But everyone is doing it!" By constantly asking for mobile PCI DSS requirements, acquirers, ISOs and merchants are asking the PCI SSC to accept an insecure processing practice. Why would the council lower the bar for mobile to squeak under? The PCI SSC won't add mobile PCI requirements until mobile devices are a worthy platform.

Mobile device manufacturers: 'Why should we care?'

The problem is that phone manufacturers have no real motivation to make mobile devices a worthy platform. Even if the payment card industry's voice were heard among the noise, merchants aren't the main consumers of mobile devices. The general public is.

One piece of technology could be added to a personal smartphone to entice the PCI SSC to create a mobile requirement. A mobile device would need to incorporate secure element technology – for example, two chips in a single phone: one chip would run only payment processing, and the other chip would run everything else (apps, text messages, Internet browsing, etc.).

If phone manufacturers were somehow persuaded to add secure element technologies into a smartphone, the PCI SSC could then address mobile payments through regulating the technology's attributes, communication and version.

Now, tell me the motivation for phone manufacturers to add new hardware to an already successful product. How much profit could they generate by adding a secure chip to new phones? Out of the 1.5 billion smartphones in the world, how many people actually use theirs for mobile processing? Securing hardware just isn't financially rewarding for phone manufacturers.

What to do with current mobile devices

It looks like we're on our own to secure mobile transactions, at least for the foreseeable future. Luckily, the council hasn't left us in the dark. The PCI Mobile Payment Acceptance Security Guidelines, which the PCI SSC wrote for merchants in 2013, outline best practices for bringing some semblance of security to current mobile devices.

The following are two models the PCI SSC suggested to adequately secure a mobile device.

The conversation you must have with merchants

Mobile processing is much too convenient to slow down anytime soon. If acquirers and ISOs are determined to provide mobile solutions, it is their responsibility to educate merchants, ensure the security of the solutions and ensure that merchants know the risk they're taking upon themselves.

When speaking at a Treasury Institute for Higher Education conference, Bob Russo, General Manager of the PCI SSC, explained that if acquirers want to say it's OK for a merchant to use mobile, the acquirer and merchant should assume the risk. It's completely up to the merchant and the acquirer, not the council.

At this point, allowing a merchant to mark a business as PCI compliant becomes a business decision between the merchant and Qualified Security Assessor, or the merchant and the acquiring bank. Is there a standard for mobile? No. Should that stop you from allowing your merchants to process via mobile devices? Well, that's entirely up to you.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over nine years. For more information about SecurityMetrics, visit
