By Todd Ablowitz, President, Double Diamond Group

Although experts started predicting the rapid demise of the leather wallet more than 10 years ago, the adoption of mobile payments as a replacement has taken longer than expected.
Hampered by a competitive and complex U.S. market, technological challenges, and limited consumer and merchant acceptance, mobile payments have yet to break the barrier as a mainstream payment alternative—until now.
Several developing trends indicate 2010 may be the year for the mobile payments market to finally hit its stride. Bolstering this idea is the fact that analysts are raising their forecasts for revenue and growth, countering a five-year trend of periodically lowered growth predictions and extended estimates of when the mobile payments market would take off.
Question:
What are the PCI DSS Compliance implications, if any, for Mobile Carriers that support mobile payment applications under the three models outlined in your article?
Cherie Fuzzell, FirstView, LLC
Answer:
Hi Cherie,
That is an excellent question. Keep in mind, I’m not a PCI expert, but I’m happy to give you some thoughts on the subject.
Carrier billing models do not involve any card numbers, therefore I can’t see any application for PCI. Of course, carrier billing is far from fraud-proof, however there are no card numbers to be compromised.
Card-based billing involves the direct entry of card numbers into the phone. This model is definitely subject to PCI DSS. Think of this example just like an e-commerce payment gateway. Those gateways must be PCI DSS certified, but they are generally sold to merchants with PCI certification built into their service. To enable the “single click” experience referenced in the article, the provider must store card information, which has strict PCI requirements on the provider. Some providers improve data security even further with tokenization whereby the merchant cannot access the card numbers at any time, they just see a “token” that represents the card or transaction. To my knowledge, few providers actually store card data on the phone, but you can imagine the added data security challenges if they do!
The registration model is quite diverse. Some providers include card payments in a wallet, storing the card information on their server. In this case, much like card-based billing, the provider would be required to follow strict PCI DSS compliance parameters. For example, though, if the system is purely an ACH-based payment, the provider would be subject to standard NACHA rules, but not specifically PCI to my knowledge.
Overall, PCI DSS rules will apply to remote mobile payments in much the same way as they apply in other remote payments, specifically covering card data wherever it sits.
Thanks for your question, and please don’t hesitate to reach out to me directly if you would like to discuss it further.
Todd Ablowitz
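As an added illustration of the tokenization point made in the answer above (example code written for this page, not from the original post or any provider's product): a hypothetical provider-side token vault hands the merchant a random token plus a masked PAN for "single click" payments, while the full card number never leaves the vault. The vault, its class and function names, and the test card number are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: the basic sanity check before a card number is accepted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class TokenVault:
    """Provider-side vault (hypothetical). Only this object ever holds a full PAN."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _by_token: dict = field(default_factory=dict)        # token -> PAN (encrypt at rest in a real vault)
    _by_fingerprint: dict = field(default_factory=dict)  # HMAC(PAN) -> token, so the same card reuses its token

    def _fingerprint(self, pan: str) -> str:
        # keyed hash lets the vault recognise a card without using the PAN itself as a lookup key
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp not in self._by_fingerprint:
            token = "tok_" + secrets.token_hex(16)   # random: nothing about the PAN can be derived from it
            self._by_token[token] = pan
            self._by_fingerprint[fp] = token
        return self._by_fingerprint[fp]

    def detokenize(self, token: str) -> str:
        # called only on the provider's own authorisation path, never by the merchant
        return self._by_token[token]

def merchant_card_on_file(vault: TokenVault, pan: str) -> dict:
    """What the merchant retains for 'single click' payments: a token and a masked PAN, never the card number."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}
```

Because the token is random rather than derived from the PAN, a compromise of the merchant's stored records yields nothing that can be turned back into a card number without access to the vault itself.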