by Avivah Litan | April 27, 2011 | Comments Off on Mobile Payments innovation ‘Square’s off with PCI at Visa Security Summit
I attended part of the Visa Security Summit in Washington D.C. today and was especially interested in the session on mobile payments, where panelists representing major card issuers, Visa, security consultants, analyst firms and mobile payment innovators, i.e. Square, all discussed the future of ‘secure mobile payments.’ Much of the discussion focused on Square, the new kid on the block, which was ably represented by a 20-something (or maybe he was in his 30s) security officer who was completely passionate about mobile payments, and how they will revolutionize the economy and change the world. He also emphasized that we need to keep mobile payments very simple for the users in order to foster massive adoption.
Square is just recovering from a hullabaloo a couple of months ago, where one of the major payment terminal vendors accused the firm of enabling ‘insecure’ and easily-hackable mobile payments through mobile phones. Square announced today at the Summit, in response to an analyst question, that the firm is releasing and distributing to their merchant base a free encrypting card reader for mobile phones this Summer. Major news.
But what exactly does this mean in the realm of PCI and secure mobile payment processing? It probably means that Square payments will be more ‘secure’ — but the PCI Security council isn’t certifying the security for any mobile payment acceptance applications or hardware devices any time soon, at least not until the end of the year.
Meanwhile Square merchants are not the only retailers accepting phone-enabled payments through non-PCI or non-PA DSS certified applications. One senior official who is a major player in determining PCI standards told me he was recently shopping at the Apple store in Hong Kong, and the Apple sales person took his payment on an iPhone-enabled payment acceptance card reader. I asked him if he told her she was out of PCI compliance but I didn’t get a very clear response.
No one wants to stifle payment card innovation, at least I don’t think they do. But the innovators are moving much faster than the standards bodies and the deliberate card companies can, so let’s hope the new payment players and innovators take security seriously, from the beginning, and in the development stage.
If they do, and if we don’t have any notable mishaps due to lack of security – will that mean that the industry can self-regulate? If nothing else, it would indeed set a precedent arguing for that direction.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.