PCI Delist Move Threatens Mobile Payment SecurityWritten by Evan Schuman
The PCI Council this week confirmed that it has quietly delisted “multiple” mobile payment applications, although the council didn’t specify a number. This comes as the PCI folk are trying to formulate a mobile strategy, which is likely to take quite a few more months to resolve. Given that retailers can’t put their mobile plans on hold, this puts merchants in a very awkward—and potentially very insecure—place.
The move, which hit at least one of the delisted vendors on January 31, is part of PCI’s effort to create a proverbial level playing field. There are good and bad sides to this effort.
The good is that it’s noble in intent. It acknowledges that mobile payments have so many crucial differences from earlier payment methods that merely tweaking today’s guidelines won’t work. And it also notes that it would be unfair to let vendors that happened to have already been approved be the only applications with the seal of approval, with the door slamming on everyone else.
The bad is that it’s seeking the perfect at the expense of the good. The council hinted Tuesday (March 15) that it would be a very long time before it would come out with its mobile approach, although no timeframe was offered. But retailers can’t wait on trialing and even deploying mobile initiatives. What are they supposed to do during this lawless Wild West mobile period, while Sheriff PCI locks himself in his office for months, contemplating the best long-term strategy while gunmen murder his neighbors?
Would not a piecemeal approach be a better tactic? There are some basics that almost all could quickly agree on—such as encryption rules—and getting some out quickly might help. To the council’s credit, though, until it works out all the mobile payment issues, it’s hard to know even how to tackle encryption. Then again, there’s always the ability to amend and update rules later on. Ahhhh, ’tis a frustrating standards world out there in Mobile Land.
There is a longstanding PCI mechanism to deal with this vacuum, though. Acquirers have always been empowered to approve anything as PCI friendly, as long as they are willing to take the heat later if things go poorly. Thus far, we’ve been unable to confirm that any acquirers have yet to do this. And if they did, it would generate its own kind of Wild West, with retailers with different acquirers operating on different standards, which is exactly what PCI was created to avoid.