Thursday, August 06, 2009

Mobile Payment and PCI

As mobile payment gains traction in Europe and Asia, and soon in the US, merchants have a responsibility to ensure that by implementing it they do not “poke a hole” in their otherwise PCI-compliant and/or secure infrastructure, warns columnist David Taylor in StorefrontBacktalk.

"Another issue is whether a phone that has a stored 16-digit card number, even if encrypted, is in PCI scope. I expect to see the credit card number tokenization made into a critical part of mobile payment, so that the only thing the NFC phones have stored is a token, with the card numbers centrally stored and mapped by the TSM (Trusted Service Manager). That would be a more secure implementation, IMHO."

Taylor also notes: "Another organization to watch when it comes to mobile payment security is the FSTC (Financial Services Technology Consortium), a group of financial institutions and technology providers, which recently announced that it has formed a working group to develop mobile payment security standards. Since the PCI SSC has committed to an “every other year” cycle of releasing standards, I’m expecting the FSTC to come out with a draft of their standards before the PCI SSC’s next release in the Fall of 2010. Whether (or when) the FSTC standards are reconciled with the work of the PCI SSC will likely be a gating factor to widespread mobile payment adoption by either Ecommerce or traditional retailers. Speaking of retailing and standards, I expect that the National Retail Federation’s ARTS (Association for Retail Technology Standards) group’s UnifiedPOS standard will also be impacted by the need to support mobile payment at the POS."
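The tokenization arrangement in the first quote, sketched as an added example (not code from Taylor, StorefrontBacktalk or any TSM): a central vault maps random tokens to card numbers, and a scan of handset data shows the difference between storing the card number and storing only the token. The names `TokenVault` and `find_pans`, the 16-letter token format and the handset strings are assumptions constructed for illustration.

```python
import re
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"          # letters only: a token can never parse as a card number
PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")    # a run of exactly 16 digits

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                         # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def new_token() -> str:
    """Random value with no mathematical relation to the card number."""
    return "".join(secrets.choice(ALPHABET) for _ in range(16))

class TokenVault:
    """Stand-in for the central (TSM-side) store that maps tokens to card numbers."""
    def __init__(self):
        self._by_token, self._by_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if not (len(pan) == 16 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid 16-digit card number")
        if pan in self._by_pan:                # same card always maps to the same token
            return self._by_pan[pan]
        token = new_token()
        while token in self._by_token:         # regenerate on the (unlikely) collision
            token = new_token()
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]           # KeyError for a token the vault never issued

def find_pans(blob: str) -> list:
    """Luhn-valid 16-digit numbers found in data held on the handset."""
    return [m for m in PAN_RE.findall(blob) if luhn_ok(m)]

TEST_PAN = "4111111111111111"                  # widely used test number, not a real card
vault = TokenVault()
phone_with_pan = f"wallet.card={TEST_PAN};wallet.label=demo"                   # constructed
phone_with_token = f"wallet.card={vault.tokenize(TEST_PAN)};wallet.label=demo"  # constructed
print(find_pans(phone_with_pan), find_pans(phone_with_token))
```

The scan finds the card number only in the first handset record; in the second, the number exists solely inside the vault, which is the component that has to be protected.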
