Mobile Payment Application PA-DSS Certification Clarification Announcement

On Friday, June 24, 2011, the PCI SSC issued a press release and a number of supporting documents regarding PA-DSS certification.

In my opinion, the most important part of this announcement is in the FAQ and is the classification of mobile payment applications.  According to the PCI SSC, they have identified the following three categories of mobile payment applications.

  • Category 1 – any mobile payment application that operates on only a PCI PTS certified device.
  • Category 2 – any mobile payment application that meets all of the following criteria: the application that is “bundled” with a specific mobile device; the mobile device is purpose built and performs only the payment function; and when installed on the device per the vendor’s PA-DSS implementation guide, allows the merchant to meet and maintain PCI DSS compliance.
  • Category 3 – any mobile payment application that runs on a consumer electronic device such as a smartphone, tablet or PDA that is not dedicated to payment processing.

What the PCI SSC has stated in this latest clarification announcement is that Category 1 and 2 applications and devices can continue through the certification process.  For the first time, these mobile applications have been explicitly called out even though these sorts of applications have been part of the certification process in the past.

What is interesting is the definition for Category 3.  What the PCI SSC appears to be saying is that applications such as Google Wallet and the like may have to go through PA-DSS certification.  While this makes sense from a payment security perspective, it takes the PCI DSS into the realm of pre-authorization data.  While the PCI SSC will not officially certify mobile payment applications in Category 3 at this time, they are highly recommending that mobile payment applications in this category use the PA-DSS as a guide to ensure their security.  The PCI SSC also commits to releasing guidance on what PCI DSS requirements are relevant to Category 3 mobile payment applications while it continues to research how it should handle these mobile payment applications.

However this is not the first time the PCI SSC has delved into recommendations regarding securing pre-authorization data.  At the first PCI Community Meeting in September 2007, there was an infamous breakout session on the security of pre-authorization data.  And sometime later this year, the PCI SSC has said it will issue an informational supplement on securing pre-authorization data.

The other important piece of news from this announcement is that, in the interim, the PCI SSC is asking merchants to conduct their own risk assessment of Category 1 and 2 mobile payment applications to determine how well they comply with relevant PCI DSS requirements. These risk assessments should include consultation with an organization’s QSA as well as acquiring banks.


2 Responses to “Mobile Payment Application PA-DSS Certification Clarification Announcement”

  1. September 26, 2013 at 9:57 AM

    We are building a mobile app that allows the user to hand key credit card information (e.g. credit card #, expiration date, cvv2, etc.) to pay for their purchase. Will our mobile app need to be PA-DSS certified?

    • September 27, 2013 at 7:29 AM

      The PCI SSC just stated at the start of September on a Webinar and at the 2013 North American PCI Community Meeting that mobile payments using smartphones, tablets, etc. are not considered PCI compliant and will never be PCI compliant, so getting a PA-DSS certification will not be possible. One of the posts that I accidentally deleted had the quotes from the Webinar. The PCI SSC reiterated their position at the Community Meeting.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

June 2011

%d bloggers like this: