Gartner Blog Network

PCI standards for Mobile?

by Avivah Litan  |  March 10, 2011  |  4 Comments

The most interesting thing I learned today relative to the Verifone/Square security squabble is that the PCI Security Standards Council stopped issuing PA-DSS certification for mobile payment applications and removed previously-certified PA-DSS mobile applications from their ‘approved payment applications’ list. I’m still not 100% sure this is true, but I was informed that they simply threw up their hands for the time being and said they needed to study the issues surrounding secure mobile payments further.

Indeed, this is a challenging assignment and I don’t envy their task. But what does this mean for all the merchants that are accepting card payments now generated through mobile payment applications? That they are not PCI compliant? Are these merchants going to get fined by Visa and MasterCard?

This is certainly worth a closer look.

I just finished a few days in London at Gartner’s Identity and Access Management conference and had a lot of lively discussions with Gartner clients around fraud detection and authentication. The conversation always gets even livelier when we start discussing our mobile future. So it was ironic that this was also the week of two mobile security flaps – one with Google/Android and one with VeriFone/Square. There definitely is a lot to think about when it comes to securing mobile commerce.

And now we get to add mobile PCI compliance to the mix. It is probably the last thing anyone thinks about when designing mobile e-commerce applications, but it would be a very good idea to have a guiding security standard for mobile (even a PCI one) now rather than two years from now. That would help everyone, including Square.

Avivah Litan, VP Distinguished Analyst, 12 years at Gartner, 30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications.

Thoughts on PCI standards for Mobile?

  1. It’s good that this issue came to the surface while the mobile e-commerce market is still in an emerging state, and industry experience with computer e-commerce applications can help build secure apps for mobiles irrespective of the platform and OS used.

    But one thing I am afraid of is the time lag in coming out with a PCI guideline (believe me, it is always a time-consuming process) and enforcement of the guideline.

    We need to act, and act fast.

  2. Tom Mahoney says:

    I just saw some discussion about this at . That article didn’t say that compliance was pulled but I think it made a couple of good arguments in that direction.

    Consider that Apple and Google are able to remotely access their devices to update the OS, remove malicious apps, or just about anything else they’d choose to do. In effect, they have access to the device without even hacking into it. Can a device with this type of access be PCI compliant? I don’t know but I tend to think not.

    Other articles don’t mention Square but this device is a prime example. They claim compliance, and maybe they are, but isn’t the device it’s attached to just as important, if not more so?

    There are obvious ‘political’ implications of pulling compliance certification from already listed devices and we can be sure that if that happens, someone is going to cry foul. Device manufacturers and merchants alike will be scrambling.

    Still, I think pulling back may be the better path. Maybe compliance was certified without all the facts at hand.

  3. James Wester says:

    According to PCI, they have stopped approving and listing mobile point-of-sale terminals as of late last year citing “the rapid growth” of the mobile payment environment. Here’s a link to the letter they published on the subject in November.

    Your description that PCI “threw up their hands” seems accurate. :)

    James Wester
