PCI Security Standards Council statement on PA-DSS and mobile payment applications
November 29, 2010
The use of applications by merchants to accept and process payments on mobile communications
devices is an evolving ecosystem within the payments industry. Due to the rapid growth of mobile
payment technology and the need to ensure that the Payment Application Data Security Standard
(PA-DSS) program addresses the full spectrum of secure payment applications, the PCI Security Standards
Council (PCI SSC) is currently working to determine: applicable security requirements for mobile payment
applications, the security capabilities and features of mobile communications devices on which the
applications reside and the necessary interaction between such devices and payment applications to
effectively secure cardholder data. The PCI SSC is committed to an ongoing evaluation of emerging
payment technologies. The impact of mobile payment technology on the security of cardholder data will
be a key focus for the Council in 2011.
Until such time that it has completed a comprehensive examination of the mobile communications device
and mobile payment application landscape, the Council will not approve or list mobile payment
applications used by merchants to accept and process payment for goods and services as validated
PA-DSS applications unless all requirements can be satisfied as stated.
The Council encourages merchants to refer to the PCI SSC website for a current list of PA-DSS validated
applications and reminds organizations that the use of a PA-DSS compliant application alone does not
make an entity PCI DSS compliant. The application must also be configured in accordance with the
vendor’s PA-DSS Implementation Guide and installed into a PCI DSS compliant environment.