mobileTech Tuesday, by Steve Guengerich
One of the things that they teach you in B-school strategy class is SWOT analysis. SWOT (pronounced “swat”) is an acronym standing for Strengths – Weaknesses – Opportunities – Threats.
One of the things you learn relatively early is that externalities like government regulations and industry certifications are often threats and occasionally opportunities that, in either case, are frequently neglected in the analysis.
Part of the reason is that companies tend to focus more on their competitors. Also, changes to such regulatory and certification bodies tend to be known in advance and, the logic goes, are more able to be anticipated. Yet, when they do occur – even with advance notice – they can still put a company, or an entire sector, in a “world of hurt.”
Now, most of us are used to handing off the payment process in a digital purchase transaction to an existing payment gateway, like Paypal. Thus, you may be asking yourself, “P C whaa?”
But, if you are a principal in an industry in which payment systems are essential, like the hospitality industry (e.g., hotels, resorts, restaurants), then PCI’s decision is a very big deal. I’m sitting in on some of the hospitality industry association’s major national conference in Austin this week, called HITEC, and PCI has been featured in at least three separate workshops and panels.
Further, if you are considering bypassing the third party gateways, like Paypal, that require a fee and that have infrastructure rules you must follow to the letter, then the PCI’s decision is fast becomes one of those very problematic “Threat” externalities.
This is because the PCI’s validation listing is considered the gold standard in credit card payment security. Thus any system banned from the list is automatically deemed insecure by hard-liners, with “any merchant’s mobile payment app being flagged as non-compliant until the Council says otherwise.”
In response, some app developers are in a quandary. Just read a couple of the comments from a recent article covering issue:
- “We’ve pulled back on our marketing to some degree for these applications”
- “We launched a project to put together our own device to insert into a phone to make a payment, but the project is on hold until we understand the direction of the industry and PC”
Closer to home in Austin, when we asked a couple of mobile app providers about the PCI’s decision, most said they planned to forge ahead, with this reply from one summing up the feeling:
We have taken a rather unique approach to PCI… and believe it to be the right way to handle mobile payments; however, 1960’s credit card and security rules can certainly be a challenge from time to time
The bottom line? Know your regulations (and regulators). A change like the PCI’s may or may not necessarily affect your business – but don’t wait until the worst case occurs to decide. For example, firms like VeriFone are plowing ahead because they are confident the demand for mobile payment will overcome any perceived security concerns that a subset of their customers might have from PCI’s certification limbo for apps.
And, if you want to go the extra mile by consulting an independent expert on IT and software security standards, there are a number of central Texas firms, like San Antonio’s Denim Group or Austin’s Bridgepoint Consulting, that you can consult.