Smart phone payment systems have exploded over the last few months offering the specter of turning every street vendor into a walking, talking, credit-card accepting, free-spirited merchant. In some cases smart phone payment vendors are giving away free card readers just by signing up. Some people saw this as the welcome exuberance of democratic capitalism with innovation driving new opportunities. Others saw this as the apocalypse for credit card security. Is there some middle ground here?
Last November the PCI Security Council took the unprecedented step of suspending all Payment Application Data Security Standard (PA-DSS) certifications of smart phone payment applications, and refused to accept new applications based on that platform. That sent a signal to all established merchants that the council had serious concerns and would be issuing new guidance. Established vendors of payment solutions were left in limbo, and new startups who wanted into this field found themselves stalled. Nerve wracking to say the least.
Today the PCI Security Council removed some of the uncertainty about smart phone payment systems by issuing some preliminary guidance. You can read the press release here.
In the press release you can find initial guidance on what smart phone applications might qualify for PA-DSS certification, and which applications will likely be excluded from the process. You can find that guidance here.
This guidance is bleak for almost all of the smart phone applications currently in the market. In regards to applications that will NOT be considered for certification, this item stands out:
13. Does the application operate on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing?
Does this mean that a merchant can’t use a smart phone application for payment processing? Nope, the council addresses that, too. If you want to accept payments using smart phone technology, you must include the smart phone application as a part of your normal PCI DSS review process. So, as a merchant, that is your path to PCI compliance. But I don’t think it is time to pop the cork quite yet.
A normal PCI DSS review looks at all of the systems that process credit card information, and the systems they connect to. A payment application that has connectivity to another system generally puts that system into scope for PCI compliance. Your average smart phone connects to hundreds of millions (billions?) of servers on the Internet. That’s a scope of compliance from your worst nightmare. So I don’t think we will see a rush by merchants to include smart phones in their PCI DSS plans.
Where is all of this going?
I think some smart phone vendors will move towards dedicated devices for payments. Some vendors of WiFi payment systems may incorporation solutions based on the less expensive smart phone platform. We might also see the emergence of alternative payment technologies that don’t directly involve credit card swipes (think something like PayPal?). Things look bad for those smart phone payment applications that got into the market early. If you are the Balloon Man working the local flea markets, don’t throw away that donation hat just yet.