Monday, September 30, 2013

PCI DSS 3.0: The end of store and forward on mobile?

It is time for new PCI changes to get implemented. Last February (2013), the PCI Security Standards Council released a document on mobile payment security guidelines. While it is not the most entertaining read in the history of guidelines, it does shed light on some of the changes we are going to see implemented in the industry over the coming year. In November, expect to see a new set of regulations being handed down, to be fully implemented by the start of 2014. But most processors, not wanting to find themselves caught in the awkwardness of being out of compliance when the date hits, attempt to get on the bandwagon as early as possible and will demand the same of their merchants.

Mobile payments are still relatively new in the industry, though arguably the fastest growing area of interest. Spurred on by the popularity of SquareUP and its Square Register app, many processors now offer encrypted card readers for smartphones and tablets. Of those, a few had "Store and Forward" functionality built in, so that cards could be swiped where there was no data connection and processed when the connection became available. Not surprisingly -- the Visa-backed Square app could never do this -- that function is being called into question by the major card issuers. Read more here: PCI DSS 3.0 Changes Focus on Risks, Simplifies Compliance

This will impact some merchants who use Phone Swipe, a product which had previously supported Store and Forward. The latest version of Phone Swipe for iOS no longer offers this function, although as of this writing it appears to still work on Android. This all makes sense from the perspective that the ruling does not officially go into effect until after the new version of the Android software is expected to be released, and development is almost always completed first on the iPad and iPhone version of the app. It isn't a reason to jump ship from one product to another, however, as all mobile devices will be expected to follow suit and the penalty for not following the rules far outweighs any benefits for processors. In fact, the new PCI compliance requirements will specifically address mobile payments for the first time in the new guidelines.

It is curious to me, however, that Visa and MasterCard find the temporary storage of encrypted data on a smartphone or tablet to be such a threat when the obvious alternative is a paper copy of the card data to be input later by hand. This seems likely to be far less secure in the long run, and I hope that the decision is changed so that this helpful function can be restored.

In the meantime, if Store and Forward is essential to doing business, merchants can still consider using a traditional terminal with the Store and Forward function built in. Examples include: the Hypercom M4230 or T4205; the VeriFone Omni 3740, Omni 3750, VX570, VX610; and the Way Systems MTT Wireless. Some of these, like the VeriFone VX610 and the Way Systems MTT, are wireless terminals and will likely also require that additional wireless fees are paid on top of the service for them to be operational. Typically, these wireless fees cannot simply be turned on and off as needed, which is why the use of this type of terminal has declined since the introduction of smartphone-based apps. These common terminals are among the few on the market that can be put into Store and Forward mode, with the advantage that they also print receipts for the customer (and a merchant backup). Because the encrypted data will be stored on the terminal until it is connected to a phone line, with no other apps potentially having access and no wireless connection offering a backdoor for hackers, this is unlikely to be affected by the new PCI requirements. On the other hand, they do not connect to any sort of inventory or offer advanced reports like the Phone Swipe style of mobile processing does. And, unfortunately, the use of such terminals still requires a traditional merchant account with the associated monthly costs that many mobile users avoid in their "Pay As You Go" plans.

You can access the PCI Security Standards Council documents library here or read the recently published change highlights directly. And for those of you who are still confused about what exactly PCI compliance is, there is a nice guide available to answer many of your questions.


  1. Wow, sounds like you've got some wonderful ideas and plans on Best Wireless Merchant Account, sounds like the end result will look very nice!

  2. This is a great blog, keep it up. Omni POS. Thanks for sharing.