In a not-so-widely disseminated and tough-to-find statement, the PCI SSC has basically put the kibosh on the certification of any mobile payment applications for the time being. The second paragraph of the statement says it all.
“Until such time that it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated PA-DSS applications unless all requirements can be satisfied as stated.”
The statement indicates that the Council will be taking up the topic of how to certify these applications and addressing any changes to the PA-DSS program that may be required.
As I stated in a previous post, mobile payment processing, no matter how you define it, is not the easiest environment to secure. It is interesting that the Council has seen the light and is also taking a careful approach to this environment.
Hopefully, we shall see next year whether the Council comes up with a workable solution.