Payment card industry (PCI) veteran Walter Conway has put out a great piece on the regulatory challenges faced by retailers and service providers who want to tap into the rapidly expanding world of mobile payments.
In essence, Conway tells us, all mobile apps run squarely against existing payment security standards, and the PCI Council – the industry security compliance enforcer – is not validating any of them.
Here is the situation, as Conway sees it:
More than two years ago, Visa mandated – effective July 1, 2010 – that “Acquirers must ensure their merchants, (VisaNet Processors) and agents use only PA-DSS [Visa’s Payment Application Data Security Standard] compliant applications.” With nearly 800 PA-DSS validated applications listed on the PCI Council’s Web site, retailers have a wide choice. Unless, that is, they are looking for a mobile commerce application.
The problem with mobile payment applications is that there are some valid security concerns, mostly dealing with the mobile devices themselves. Until these concerns are resolved, we cannot expect any new mobile payment software applications to be added to the validated list.
We, therefore, have a vacuum forming: Visa mandates that retailers use only PA-DSS validated payment applications, but there aren’t any new mobile applications being officially validated – at least for now.
Now, that is a problem. As has often been mentioned on this blog, mobile payments are forecast to explode in the coming years. Boston-based Aite Group LLC, a research and advisory firm focused on the financial services industry, for example, forecasts that the volume of mobile payments in the U.S. will grow at a compound annual growth rate of 68 percent between 2010 and 2015, reaching $214 billion, up from just $16 billion. But how will that happen if retailers and consumers are denied access to the tools they need to accept mobile payments?
Conway suggests one way around the issue, one that is already being exploited. It turns out that there is a loophole in the industry regulations, allowing processing banks to certify mobile apps on their own and assume all risks resulting from their decision.
That explains how all of the already existing mobile payment services have managed to find their way through the regulatory maze and onto the market. But what happens next? Well, processing banks are members of Visa and MasterCard, and there is little doubt that, once they approve an application, they will do everything they can to have it officially validated by the PCI Council.
With so much money at stake, it seems inevitable that security issues associated with mobile payments will soon be worked out and PCI compliance achieved. Until then, however, if you want your app to make it to the market, you will need to find a processor willing to take the chance.
Image credit: Visa.com.