Tuesday, September 25, 2012

Mobile payment ecosystems: a challenge for compliance testing

If you have read my blog lately, you know I am very interested in compliance and software testing, especially for SaaS, NFC and mobile payments.

Since Google launched Google Wallet, I have kept a close eye on what the compliance institutions were planning to do to develop testing programs for the emerging mobile payment ecosystems.
Especially because this is a new payment ecosystem, still unfamiliar to the many merchants, acquirers and customers who will have to deal with it.
That payment ecosystems are susceptible to attack is illustrated by the point-of-sale (POS, checkout) breaches at merchant locations in the USA such as Subway and Penn Station.
As always, criminals find the weak spots of the payment ecosystem first; the compliance institutions lag behind, but they have to react.
The compliance body publicly expected to design countermeasures is the PCI Security Standards Council (PCI SSC), and recently it has, in a sense, done so.

The PCI SSC has provided clarifications on how every organisation that stores, processes or transmits credit or debit card data should comply with the existing PCI Data Security Standard (PCI DSS), a standard that should be familiar to you if you have read my earlier blog posts.

However, these are still only clarifications of PCI DSS; no new version of the standard is planned before 2013.
Why clarifications?
Well, who performs the compliance validation, which is required annually(!), depends on the transaction volume involved. For small volumes a Self-Assessment Questionnaire (SAQ) is used; for large volumes a Qualified Security Assessor (QSA) tests whether the stakeholder is PCI DSS compliant.

When you read PCI DSS you will encounter a lot of text, but no real detail on how to test mobile payment ecosystems effectively (by a QSA or through the SAQ), which results in inadequate coverage. In particular, which parts of the ecosystem are to be tested (the 'scope') was insufficiently explained.

These and other points of concern are now written down in the Summary of 2012 Feedback for the PCI DSS and Payment Application Data Security Standard (PA-DSS). This document describes the international(!) feedback given by the PCI SSC stakeholders (merchants, acquirers, QSAs and payment software vendors) to the PCI SSC regarding PCI DSS v2.0 and PA-DSS.
For PCI DSS, the feedback mainly concerned the need for scoping guidance already mentioned, more detailed descriptions of the requirements, a simpler SAQ and updated password requirements. Given the current changes in identity management, the last point is a sensible step in bringing PCI DSS procedures up to date.

Now I know what you're thinking: 'PCI SSC stakeholders, USA, is this also important for the European mobile payment system?'
Yes, it is. PCI DSS is not a U.S. standard but a global one, which also applies to the (mobile) payment environments of Europe, Africa and Asia-Pacific. The standard is the result of the aligned policies of the major credit and debit card brands, such as MasterCard and Visa.
If these requirements are not met every year, non-compliant merchants and acquirers face the consequences: fines of up to $500,000 plus litigation costs, reclassification to a stricter validation level, and in the long term damage to brand reputation and consumer confidence.

So it is not surprising that merchants and acquirers are giving feedback on requirements they must comply with but do not know how to comply with.
Let's see whether the feedback from the PCI SSC stakeholders results in a more testable, more usable and, hopefully, better PCI DSS.