The most interesting thing I learned today relative to the Verifone/Square security squabble is that the PCI Security Standard stopped issuing PA-DSS certification for mobile payment applications and removed previously certified PA-DSS mobile applications from their ‘approved payments applications’ list. I’m still not 100% sure this is true, but I was informed that they simply threw up their hands for the time being and said they needed to study the issues surrounding secure mobile payments further.
Indeed, this is a challenging assignment and I don’t envy their task. But what does this mean for all the merchants that are accepting card payments now generated through mobile payment applications? That they are not PCI compliant? Are these merchants going to get fined by Visa and MasterCard?
This is certainly worth a closer look.
I just finished a few days in London at Gartner’s Identity and Access Management conference and had a lot of lively discussions with Gartner clients around fraud detection and authentication. The conversation always gets even livelier when we start discussing our mobile future. So it was ironic that this was also the week of two mobile security flaps – one with Google/Android and one with VeriFone/Square. There definitely is a lot to think about when it comes to securing mobile commerce.
And now we get to add mobile PCI compliance to the mix. It is probably the last thing anyone thinks about when they are designing mobile e-commerce applications, but it would probably be a very good idea to have a guiding (PCI, even) security standard for mobile now, rather than two years from now. That would help everyone, including Square.