Columnist and certified PCI QSA Walt Conway blogs about how Visa’s mandates for mobile commerce apps to comply with PA-DSS are sitting “in a vacuum” while the PCI SSC refuses to certify any mobile apps as being compliant. Valid security concerns are inherent in the Council’s moratorium, however. But what are merchants to do if delaying mobile isn’t an option? Their acquirers have an app for that!
As I recall from my physics courses, nature abhors a vacuum. Based on what I see happening in the marketplace, this law also applies to the world of PA-DSS and mobile commerce. In this case, we see some leading acquirers stepping into the void and approving payment applications on their own and then offering them to their merchants.
Visa’s mandate allows acquirers this freedom of action. In clarifying the mandate, Visa noted that although using PA-DSS validated payment applications “is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications.”
The acquirer is taking advantage of the provision in Visa’s mandate that gives it the authority to approve payment applications directly.
That provision states: “Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.”
In one move, therefore, an aggressive acquirer can enable its merchants’ strategic plans, build customer loyalty and make it harder for a merchant to switch to a competing acquirer.