On Friday, June 24, 2011, the PCI SSC issued a press release and a number of supporting documents regarding PA-DSS certification.
In my opinion, the most important part of this announcement is in the FAQ and is the classification of mobile payment applications. According to the PCI SSC, they have identified the following three categories of mobile payment applications.
- Category 1 – any mobile payment application that operates on only a PCI PTS certified device.
- Category 2 – any mobile payment application that meets all of the following criteria: the application that is “bundled” with a specific mobile device; the mobile device is purpose built and performs only the payment function; and when installed on the device per the vendor’s PA-DSS implementation guide, allows the merchant to meet and maintain PCI DSS compliance.
- Category 3 – any mobile payment application that runs on a consumer electronic device such as a smartphone, tablet or PDA that is not dedicated to payment processing.
What the PCI SSC has stated in this latest clarification announcement is that Category 1 and 2 applications and devices can continue through the certification process. For the first time, these mobile applications have been explicitly called out even though these sorts of applications have been part of the certification process in the past.
What is interesting is the definition for Category 3. What the PCI SSC appears to be saying is that applications such as Google Wallet and the like may have to go through PA-DSS certification. While this makes sense from a payment security perspective, it takes the PCI DSS into the realm of pre-authorization data. While the PCI SSC will not officially certify mobile payment applications in Category 3 at this time, they are highly recommending that mobile payment applications in this category use the PA-DSS as a guide to ensure their security. The PCI SSC also commits to releasing guidance on what PCI DSS requirements are relevant to Category 3 mobile payment applications while it continues to research how it should handle these mobile payment applications.
However this is not the first time the PCI SSC has delved into recommendations regarding securing pre-authorization data. At the first PCI Community Meeting in September 2007, there was an infamous breakout session on the security of pre-authorization data. And sometime later this year, the PCI SSC has said it will issue an informational supplement on securing pre-authorization data.
The other important piece of news from this announcement is that, in the interim, the PCI SSC is asking merchants to conduct their own risk assessment of Category 1 and 2 mobile payment applications to determine how well they comply with relevant PCI DSS requirements. These risk assessments should include consultation with an organization’s QSA as well as acquiring banks.
PCI Guru 
We are building a mobile app that allows the user to hand key credit card information (e.g. credit card #, expiration date, cvv2, etc.) to pay for their purchase. Will our mobile app need to be PA-DSS certified?
The PCI SSC just stated at the start of September on a Webinar and at the 2013 North American PCI Community Meeting that mobile payments using smartphones, tablets, etc. are not considered PCI compliant and will never be PCI compliant, so getting a PA-DSS certification will not be possible. One of the posts that I accidentally deleted had the quotes from the Webinar. The PCI SSC reiterated their position at the Community Meeting.