PCI Chief On Mobile Payment Strategies: I Wouldn't If I Were You

Written by Evan Schuman
September 13th, 2013
With so many companies—especially in retail—experimenting with using mobile in every possible way, it's always nice to hear some encouraging words from a key security standards body chief.

But recent mobile remarks from the general manager of the PCI Security Standards Council—the group that controls how any merchant is allowed to use any kind of payment card—are enough to make a CIO long for the return of rotary dial. In effect, Bob Russo told a private conference call of QSAs (the people who assess whether someone is managing payment security properly) that when it comes to mobile security, it's your neck if you want to proceed.

"The fact is that many consumer mobile devices simply can't provide the level of security needed to adequately protect payment card data," Russo said. "In other words, they cannot create a trusted environment equivalent to the PCI DSS compliant cardholder data environment.

"So what do you do in the meantime? We encourage merchants and others to understand the risk of using mobile. Work with their acquirer and make their own decisions about whether they want to accept that risk," Russo said, according to an audio recording of the late August call. "We are unwilling to lower the bar for security by writing a standard that current consumer mobile devices could meet. If we wrote a standard for mobile now, no consumer devices would be able to meet it."

That warning is bad enough, but what's truly reckless is how vendors are encouraging retailers to go ahead and connect foreign devices to their POS systems, assuring them that everything will be fine and dandy. PayPal this week is pushing a small device—under the codename "We're blatantly ripping off Square but given that Visa is a Square owner, it's probably not a good idea to say that out loud"—that asks merchants to indeed connect a small PayPal unit to their payment terminals, which will then look for nearby phones with PayPal apps on them and launch those apps. FierceMobileRetail points out that this method leaves a lot of control in the hands of store associates and that this could lead to double charges, as well as rampant PCI violations. The double charges? Quite possible. The PCI headaches? Given Russo's comments, you can count on it.

What do you think? Are retailers trapped into a mobile no-win scenario?