PCI and Mobile Payments

PCI is again making the news as the group that puts together the PCI requirements (PCI Security Standards Council – PCI SSC) has recently decided to delist all mobile payment solutions. This lumps all forms of mobile payment under one heading, including apps that are encrypted payment specific running on locked-down mobile devices and apps that are more open running on standard mobile phones that have been downloaded and installed without vendor supervision.

Right now since there is no standard, it is up to the individual QSA assessors to decide on what they deem as passing for PCI certification and a location that has been certified in the past may or may not pass now if they are using mobile applications.

Vendors of mobile applications mostly have now backed down with their development and sales program because of this change.

The PCI SSC Council is now evaluating mobile payment applications and their supporting environments with the goal to deliver guidance by the end of 2011.