Tuesday, August 9, 2011

Mobile Payment PCI Compliance Process Updated

In addition to commemorating America’s independence, you could also have celebrated the PCI Security Standards Council for updating its position on mobile payment applications and the Payment Card Industry Data Security Standard (PCI DSS) just before the holiday. The major points of the updated PCI compliance process are listed below.

What was updated?

The PCI Security Standards Council came to a consensus that the device itself and the software that runs on it present a large amount of risk. Together, these two factors are referred to as the “environment”. The Council sorted devices into three risk categories:

  1. Approved PIN Transaction Security (PTS) devices.
  2. Mobile devices built for payment acceptance. This includes the hardware, software and payment application that are used solely for accepting payments and can meet PCI DSS compliance requirements.
  3. Consumer devices, such as smartphones and tablets, that are not used solely for accepting payments.

What specific devices are in each category?

The Council’s description of each category is very technical, but here are some examples of how they relate to the Payment Card Industry Data Security Standard.

Category one includes wireless credit card terminals, such as the VeriFone Vx670, Nurit 8020 and Hypercom M4230.

Category two includes devices that are fairly rare, such as the mobile checkout devices used by clerks in Apple stores. These devices all meet the standards outlined in the PCI compliance program.

The third category is simple and includes iPhones, Android phones and BlackBerry phones, as well as iPads and other tablets.

How does the PCI compliance process differ between categories?

Any mobile payment application that falls into category one or two is expected to go through the current PA-DSS validation process for payment applications. This means that vendors with apps in these two categories need to meet PCI DSS compliance standards.

The PCI Security Standards Council does not yet require category three products to be compliant with PCI data security standards; however, it is expected to provide more guidance for this category by the end of the year.

What is the current PCI process for Category 3?

Category three devices do not have to be officially compliant with PCI DSS, but its principles should still be used as a guide. This will hold true until the Council provides further guidance.