I read recently that giant retailers like Wal-Mart and Target are teaming up to form their own mobile payment network, called MCX, to allow customers to easily make purchases from their smartphones. Aside from the security issues that I can already foresee, to what extent will they, and similar services, have to address PCI compliance requirements as well? It seems like with such a massive, data-sensitive network of information, their compliance requirements would be unprecedented.
The important thing to remember about the Payment Card Industry Data Security Standard (PCI DSS) is that it is not a law; it is a component of the contractual relationship between a merchant bank and an organization involved in the storage, processing or transmission of payment card information. Only parties subject to those contracts (or those who provide services to organizations subject to the contracts) are required to comply with PCI DSS. The group behind the PCI DSS, the PCI Security Standards Council (PCI SSC), has no authority over other organizations or the non-related activities of a covered organization.
The Merchant Customer Exchange, or MCX, was announced in August, so because it's fairly new, there isn't much information available about how it will operate. The extent of its PCI compliance obligations will depend upon the way it structures its service and the link, if any, that will exist to the Visa, MasterCard, American Express and Discover mobile payment networks.
In all likelihood, MCX will offer some sort of "mobile wallet" service that will allow consumers to either link transactions to an existing credit card (similar to the Google Wallet service) or recharge a separate payment account using a credit card (similar to the Starbucks iOS application's approach). This is where PCI DSS would come into play: The components of MCX that handle payment card information or interact with the cardholder data environment are most definitely subject to the provisions of PCI DSS.
However, services like MCX do hold potential compliance benefits for merchants by removing them from the credit card loop. If a merchant accepts mobile payments from a private network but does not ever directly possess or transmit the cardholder's account data, that merchant does not have a direct relationship and therefore would not be subject to PCI DSS.
While the mobile payment network itself must be PCI DSS compliant, the merchant is sufficiently isolated from the credit card transaction so as not to require PCI DSS compliance. That said, it's going to be a long time before adoption of any private payment network is broad enough to allow merchants to refuse direct credit card transactions in favor of an intermediary network.