Good news for anyone considering using Google Wallet. Google Wallet encrypts the PAN and only stores the last four digits of the PAN in clear text, according to a forensic assessment conducted by ViaForensics. The other piece of good news from ViaForensics' examination was that drive-by attacks against Wi-Fi or near field communication (NFC) to intercept Google Wallet communications appear to fail.
Based on ViaForensics' analysis, it appears that Google Wallet would likely comply with the PA-DSS. The full PAN is encrypted, and communication of the PAN via Wi-Fi or NFC is secured. Granted, there are a lot of other PA-DSS requirements that we do not have a window into that may or may not be PA-DSS compliant. But on the whole, I would have to believe that Google Wallet would be PA-DSS certified. So, why is Google Wallet not PA-DSS certified?
First and foremost, in the eyes of the PCI SSC and the card brands, Google Wallet and similar applications are storing pre-authorization data and are just an electronic representation of someone's traditional wallet. The PCI SSC does not certify traditional wallets, so why would they certify electronic wallets? As a result, the PA-DSS does not apply. Should Google and other vendors of electronic wallets ensure the security of cardholder data? No doubt about it.
But a more important reason that the PCI SSC is backing away from certification is related to the other findings in ViaForensics' report. Their analysis also uncovered some not-so-good news in that Google Wallet stores a lot of personally identifiable information (PII) unencrypted. This PII includes such information as cardholder name, expiration date, credit limit and account balance. I think most people would now start to understand why the PCI SSC backed away from certifying such applications.
The PCI SSC does not want to be on the hook for the unsecured PII. If the PCI SSC were to certify Google Wallet as PA-DSS compliant, I am sure their lawyers informed them that such a certification would drag them into lawsuits involving the exposure of the unsecured PII, even though the PA-DSS does not cover PII outside of the PAN. Their lawyers probably advised them that a PA-DSS certification would likely imply to users of these electronic wallet applications that their PII was included in the PA-DSS certification. As a result, the PCI SSC and card brands would likely have to launch a massive and costly educational campaign to explain to the public that the PA-DSS certification was only related to protection of a cardholder's PAN and nothing else. And even with such a campaign, the PCI SSC would likely still get dragged into lawsuits over people's PII being exposed.
And the likelihood of such lawsuits is very high. Smartphones are regularly lost and the security protecting them is almost non-existent, if security is even enabled. A hacker can easily take a lost smartphone and obtain enough information to perform identity theft. Hackers could even decrypt the PAN given the high likelihood that the PIN to decrypt the PAN could be derived from other information on the smartphone. The nightmare scenario would be development of malware delivered through the smartphone’s application store that harvests the PII.
At the end of the day, there is just too much risk involved in certifying such applications because there is just no way to manage the risk. So those of you thinking the PCI SSC should certify these applications need to rethink your position.
FYI, this is my 200th post. I never guessed that this blog would last this long, and I want to take this time to thank all of you for keeping this going.