The ABCs of Mobile PCI

mobileTech Tuesday, by Steve Guengerich

One of the things that they teach you in B-school strategy class is SWOT analysis. SWOT (pronounced “swat”) is an acronym standing for Strengths – Weaknesses – Opportunities – Threats.

One of the things you learn relatively early is that externalities like government regulations and industry certifications are often threats and occasionally opportunities that, in either case, are frequently neglected in the analysis.

Part of the reason is that companies tend to focus more on their competitors. Also, changes to such regulatory and certification bodies tend to be known in advance and, the logic goes, are easier to anticipate. Yet, when they do occur – even with advance notice – they can still put a company, or an entire sector, in a “world of hurt.”

Such was the case earlier this year when the Payment Card Industry (PCI) Security Standards Council decided to delist mobile payment applications until further notice.

Now, most of us are used to handing off the payment process in a digital purchase transaction to an existing payment gateway, like PayPal. Thus, you may be asking yourself, “P C whaa?”

But, if you are a principal in an industry in which payment systems are essential, like the hospitality industry (e.g., hotels, resorts, restaurants), then PCI’s decision is a very big deal. I’m sitting in on some of the hospitality industry association’s major national conference in Austin this week, called HITEC, and PCI has been featured in at least three separate workshops and panels.

Further, if you are considering bypassing the third-party gateways, like PayPal, that require a fee and that have infrastructure rules you must follow to the letter, then the PCI’s decision fast becomes one of those very problematic “Threat” externalities.

This is because the PCI’s validation listing is considered the gold standard in credit card payment security. Thus any system banned from the list is automatically deemed insecure by hard-liners, with “any merchant’s mobile payment app being flagged as non-compliant until the Council says otherwise.”

In response, some app developers are in a quandary. Just read a couple of the comments from a recent article covering the issue:

  • “We’ve pulled back on our marketing to some degree for these applications”
  • “We launched a project to put together our own device to insert into a phone to make a payment, but the project is on hold until we understand the direction of the industry and PC”

Closer to home in Austin, when we asked a couple of mobile app providers about the PCI’s decision, most said they planned to forge ahead, with this reply from one summing up the feeling:

We have taken a rather unique approach to PCI… and believe it to be the right way to handle mobile payments; however, 1960’s credit card and security rules can certainly be a challenge from time to time

The bottom line? Know your regulations (and regulators). A change like the PCI’s may or may not necessarily affect your business – but don’t wait until the worst case occurs to decide. For example, firms like VeriFone are plowing ahead because they are confident the demand for mobile payment will overcome any perceived security concerns that a subset of their customers might have from PCI’s certification limbo for apps.

And, if you want to go the extra mile by consulting an independent expert on IT and software security standards, there are a number of central Texas firms, like San Antonio’s Denim Group or Austin’s Bridgepoint Consulting, that you can consult.


  1. Great article Steve. PCI is definitely top of mind in the community and we’ve helped a handful of companies with compliance.

  2. I’m not sure I understand what it means to be delisted. For example, how does this affect “In-App Purchases” that are so common in iPhone apps?

  3. Ben, I’m something of a PCI layman, but here’s the gist of it: there are plenty of PCI-certified payment gateways available for you (as a mobile app maker) to call out to as a service for processing payment.

    And, thus, when you make an in-app purchase with XYZ crazy virtual goods app-o-the-day, your purchase is either (a) flowing through one of these payment gateways or (b) using one that isn’t certified and you just don’t know it (yet!).

    Examples of PCI certified payment gateways (as of earlier this month, June 2011) include these:

    The de-listing issue, as I understand it, has to do with the newer crop of integrated payment processing gateways that are being built ground-up, native to the mobile apps themselves.

    Keep in mind that the PCI isn’t a government thing: it was created by the big CC companies: Visa, Mastercard, Discover, AMEX. So, as I read it (and I could be wrong if someone else wants to weigh in), the PCI is in effect saying that they are uncomfortable with the new crop of native payment apps and that they want to go slow and let the already more trusted, certified gateways fill the need for now.

    Check out this handy little PCI FAQ which further explains the issue: (note, this isn’t from the PCI, but a 3rd party). Hope that helps!!