The following is the text of the PCI Security Standards Council addendum to its statement on PA-DSS and mobile payment applications:
January 25, 2011
The following is an addendum to the PCI Security Standards Council statement on PA-DSS and mobile payment applications released on November 29th 2010.
Due to the evolving nature of the payment application landscape, new categories of applications emerge that necessitate regular review of PCI SSC criteria and processes for examining the security of these applications. While the Council’s initial statement regarding mobile payment applications and the PA-DSS (November 29th 2010) noted that “no mobile payment applications used by merchants to accept or process payment for goods and services would be approved or listed as validated PA-DSS applications unless all requirements can be satisfied as stated,” this category of payment applications remains under review, and the Council is able to provide the following additional detail:
“Until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated PA-DSS applications unless all PA-DSS requirements can be satisfied as stated and the underlying mobile communications device supports the merchant's PCI DSS compliance.”
Again, the Council encourages merchants to refer to the PCI SSC website for a current list of PA-DSS validated applications and reminds organizations that the use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant. The application must also be configured in accordance with the vendor’s PA-DSS Implementation Guide and installed into a PCI DSS compliant environment.
The big news here is that the SSC is delisting those mobile apps that it had previously certified as compliant. This obviously upsets the PCI apple cart for any merchant who is using these apps for its mCommerce initiatives. For a good discussion of this, see PCI Mobile Madness: Council Clarifications Not Helping by Evan Schuman on the StoreFrontBackTalk site.