Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst, 12 years at Gartner, 30 years in the IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, and fraud detection and prevention applications.

PCI standards for Mobile?

by Avivah Litan  |  March 10, 2011  |  4 Comments

The most interesting thing I learned today relative to the VeriFone/Square security squabble is that the PCI Security Standards Council stopped issuing PA-DSS certification for mobile payment applications and removed previously certified PA-DSS mobile applications from its ‘approved payment applications’ list. I’m still not 100% sure this is true, but I was informed that they simply threw up their hands for the time being and said they needed to study the issues surrounding secure mobile payments further.

Indeed, this is a challenging assignment and I don’t envy their task. But what does this mean for all the merchants that are accepting card payments now generated through mobile payment applications? That they are not PCI compliant? Are these merchants going to get fined by Visa and MasterCard?

This is certainly worth a closer look.

I just finished a few days in London at Gartner’s Identity and Access Management conference and had a lot of lively discussions with Gartner clients around fraud detection and authentication. The conversation always gets even livelier when we start discussing our mobile future. So it was ironic that this was also the week of two mobile security flaps – one with Google/Android and one with VeriFone/Square. There definitely is a lot to think about when it comes to securing mobile commerce.

And now we get to add mobile PCI compliance to the mix. It is probably the last thing anyone thinks about when designing mobile e-commerce applications, but it would be a very good idea to have a guiding security standard for mobile (even a PCI one) now, rather than two years from now. That would help everyone, including Square.



4 responses

  • 1 Sumit Kumar Soni   March 11, 2011 at 2:00 am

    It’s good that this issue came to the surface while the mobile e-commerce market is still in an emerging state, and industry experience with computer e-commerce applications can help build secure apps for mobile, irrespective of the platform and OS used.

    But one thing I am afraid of is the time lag in coming out with a PCI guideline (believe me, it is always a time-consuming process) and enforcement of the guideline.

    We need to act & act fast.

  • 2 Tom Mahoney   March 11, 2011 at 10:02 am

    I just saw some discussion about this at http://storefrontbacktalk.com/securityfraud/google-and-apple-can-reach-into-mobile-devices-even-if-youre-using-them-for-pos/ . That article didn’t say that compliance was pulled, but I think it made a couple of good arguments in that direction.

    Consider that Apple and Google are able to remotely access their devices to update the OS, remove malicious apps, or just about anything else they’d choose to do. In effect, they have access to the device without even hacking into it. Can a device with this type of access be PCI compliant? I don’t know but I tend to think not.

    Other articles don’t mention Square, but this device is a prime example. They claim compliance, and maybe they are compliant, but isn’t the device it’s attached to just as important, if not more so?

    There are obvious ‘political’ implications of pulling compliance certification from already listed devices, and we can be sure that if that happens, someone is going to cry foul. Device manufacturers and merchants alike will be scrambling.

    Still, I think pulling back may be the better path. Maybe compliance was certified without all the facts at hand.

  • 3 PCI standards for Mobile? | Mobile Metering   March 11, 2011 at 3:16 pm

    […] here: PCI standards for Mobile? Tags: dss, learned-today, mobile, most-interesting, payment-applications, pci, security, […]

  • 4 James Wester   March 14, 2011 at 9:29 am

    According to PCI, they have stopped approving and listing mobile point-of-sale terminals as of late last year, citing “the rapid growth” of the mobile payment environment. Here’s a link to the letter they published on the subject in November.

    Your description that PCI “threw up their hands” seems accurate. :)

    James Wester