PCI Council: Validation of Some Mobile Payment Acceptance Apps Now Possible

We recognize that merchants have been eagerly awaiting an update from the PCI Security Standards Council on how they can be sure the mobile payment applications they're deploying can accept and process payment cards securely. A list of all PA-DSS validated payment acceptance applications is available on the Council's website.
In November 2010 the Council announced that it would no longer accept mobile payment acceptance applications for PA-DSS review or validation until a thorough review was completed. Understandably, this was met by mixed reactions in the industry. While some applauded the decision — recognizing the very real complexity and security concerns these applications present — many of you, eager to take advantage of the benefits of mobile payment processing, were frustrated as to why this step was taken.
This was the first and necessary step that has allowed us to confidently give you clear direction today as to what types of applications can allow you to accept and process payments securely and support PCI compliance.
Mobile computing is complex and introduces a number of risks to the payments environment, where in many cases a consumer device is now performing as a point-of-sale system. In evaluating these applications in light of our standards, we've determined that the major risk is the environment the application operates within, and whether or not it can support a merchant's PCI DSS security efforts.
Based on this evaluation, we've now identified the types of solutions that can meet PA-DSS requirements and support a PCI DSS compliant environment.
We've also determined the area where solutions can't currently meet PCI requirements — and now we are looking at this more closely to see if and how these can be secured, collaborating with industry subject matter experts to produce additional guidance by the end of the year.
So what do merchants need to know? There are now mobile payment acceptance applications that are PA-DSS validated — you can find a current list on our website. Remember that any mobile device and application used in the cardholder data environment must be reviewed as part of your annual PCI DSS assessment, so first make your own risk assessments around the use of mobile payment solutions, with the advice of your QSA. Mobile payment application vendors may also be able to help answer some key questions, such as whether the mobile payment application meets PCI DSS requirements (for example, protecting the primary account number [PAN] throughout the transaction, including encryption over public networks, logging, and preventing malware attacks) and, if controls are in place in the payment application to support PCI DSS compliance, how these have been tested to demonstrate consistent use of those controls.
For more information, go to the Council website and check out our statement on PA-DSS and mobile payment acceptance applications, FAQ and handy fact sheet for identifying which applications are validated for use.
Bob Russo is general manager of the PCI Security Standards Council.