PCI Risk Compliance


A Merchant’s Guide to PCI SSC Compliance, by Morgan Rickel, PMP, QSA

If you are a merchant considering a mobile payment acceptance solution, or already using one, note that the Payment Card Industry Security Standards Council (PCI SSC) has identified the environment in which the application operates, and that environment’s ability to support the merchant in achieving PCI DSS compliance, as one of the major risk factors in validating mobile payment acceptance applications against the Payment Application Data Security Standard (PA-DSS). From a PCI perspective, the type of mobile communications device you select has a direct impact on PA-DSS validation.

As a result, the PCI DSS classifies mobile payment acceptance applications into three categories based on their underlying platform. The categories below are listed from easiest to most difficult to validate. The mobile payment communication device must fall into one of these categories before it can be assessed whether the mobile payment acceptance application qualifies as a PA-DSS validated solution.

Category 1: The payment application operates only on a PIN Transaction Security (PTS) approved mobile device.

PTS approved mobile devices are evaluated and approved by the PCI SSC against a standard set of point of interaction (POI) and hardware security module (HSM) security requirements, testing methodologies, and approval processes.

The following link contains more information about how devices are qualified as PTS validated.

Category 2: The payment application meets ALL of the following criteria:

  • The payment application is provided by the vendor only as a complete solution bundle with a specific mobile device
  • The mobile device is purpose-built for the single use of payment acceptance
  • The application and the device are validated together by a Payment Application Qualified Security Assessor (PA-QSA); this validation is explicitly documented in the payment application’s Report on Validation (ROV), and the bundle provides an environment that allows the merchant to meet and maintain PCI DSS compliance

Category 3: The payment application operates on any consumer electronic handheld device that is not solely dedicated to payment acceptance for transaction processing.

The complete PCI SSC FAQ on Mobile Payment Applications and PA-DSS is available on the PCI Security Standards website.

Category 1 and Category 2 mobile communications devices can both be validated as PA-DSS payment acceptance solutions. Category 1 devices require less effort because they are already validated as PTS devices. Category 2 devices can also be validated as PA-DSS solutions; however, depending on the cardholder data environment (CDE), it may be more difficult to validate and maintain PCI DSS compliance. According to the PCI SSC, Category 3 devices are not eligible for PA-DSS validation. The easiest way for a Category 3 device to be considered compliant is to remove it from scope by implementing a Point-to-Point Encryption (P2PE) validated solution alongside it.

P2PE solutions comprise the secure devices, applications, and processes that encrypt card data at the point of interaction (POI) and keep it encrypted until it reaches the provider’s secure decryption environment; the merchant therefore cannot decrypt the data. P2PE solutions are validated by P2PE QSAs and P2PE PA-QSAs to ensure that they take on the responsibility of encrypting and decrypting cardholder data appropriately. The PCI Security Standards website has additional information about qualifying P2PE solutions.

If you are a merchant electing to use Category 3 mobile payment applications, you should take the following guidance from the PCI SSC into consideration: “Since Category 3 mobile payment acceptance applications are not eligible for PA-DSS validation at this time, entities wishing to use such solutions would need to make their own risk assessments around the use of such solutions in consultation with their acquirers and applicable payment brands. Such solutions would be included in an entity’s annual PCI DSS assessment to ensure that the application and its operating environment are compliant with all applicable PCI DSS requirements.” For more information on conducting risk assessments that fulfill this requirement, consult your QSA or IT security professional.

Ultimately, there are several ways for merchants to achieve the safe transmission of cardholder data via mobile payment acceptance solutions. From a PCI perspective, however, maintaining compliance must account for the processing, storage, and transmission of cardholder data across people, processes, and technology. PTS devices and PA-DSS validated applications help merchants fulfill PCI DSS requirements. P2PE solutions are effective at reducing scope, but they do not eliminate your obligation to meet and maintain every applicable requirement of the PCI DSS.

The PCI SSC expects merchants to have a comprehensive understanding of their organization’s CDE. For additional reference documentation, talk to your Qualified Security Assessor (QSA) and/or visit the PCI SSC website.