The most interesting thing I learned today relative to the Verifone/Square security squabble is that the PCI Security Standard stopped issuing PA-DSS certification for mobile payment applications and removed previously-certified PA-DSS mobile applications from their ‘approved payments applications’ list. I’m still not 100% sure this is true, but I was informed that they simply threw up their hands for the time being and said they needed to study the issues surrounding secure mobile payments further.
Indeed, this is a challenging assignment and I don’t envy their task. But what does this mean for all the merchants that are accepting card payments now generated through mobile payment applications? That they are not PCI compliant? Are these merchants going to get fined by Visa and MasterCard?
This is certainly worth a closer look.
I just finished a few days in London at Gartner’s Identity and Access Management conference and had a lot of lively discussions with Gartner clients around fraud detection and authentication. The conversation always gets even livelier when we start discussing our mobile future. So it was ironic that this was also the week of two mobile security flaps – one with Google/Android and one with VeriFone/Square. There definitely is a lot to think about when it comes to securing mobile commerce.
And now we get to add mobile PCI compliance to the mix… Probably the last thing anyone thinks about when they are designing mobile e-commerce applications – but it would probably be a very good idea to have a guiding (PCI-even) security standard for mobile now – rather than two years from now… That would help everyone, including Square.