I read recently that giant retailers like Wal-Mart and Target are teaming up to form their own mobile payment network called MCX to allow customers to easily make purchases from their smartphones. Aside from the security issues that I can already foresee, to what extent will they, and similar services, have to address PCI compliance requirements as well? It seems like with such a massive, data-sensitive network of information, their compliance requirements would be unprecedented.
The important thing to remember about the Payment Card Industry Data Security Standard (PCI DSS) is that it is not a law; it is a component of the contractual relationship between a merchant bank and an organization involved in the storage, processing or transmission of payment card information. Only parties subject to those contracts (or those who provide services to organizations subject to the contracts) are required to comply with PCI DSS. The group behind the PCI DSS, the PCI Security Standards Council (PCI SSC), has no authority over other organizations or the non-related activities of a covered organization.
The Merchant Customer Exchange, or MCX, was announced in August; because it's so new, there isn't much information yet about how it will operate. The extent of its PCI compliance obligations will depend on how it structures its service and on the link, if any, it will have to the Visa, MasterCard, American Express and Discover mobile payment networks.
In all likelihood, MCX will offer some sort of "mobile wallet" service that will allow consumers to either link transactions to an existing credit card (similar to the Google Wallet service) or recharge a separate payment account using a credit card (similar to the Starbucks iOS application's approach). This is where PCI DSS would come into play: The components of MCX that handle payment card information or interact with the cardholder data environment are most definitely subject to the provisions of PCI DSS.
However, services like MCX do hold potential compliance benefits for merchants by removing them from the credit card loop. If a merchant accepts mobile payments from a private network but never directly possesses or transmits the cardholder's account data, that merchant has no direct relationship with the card brands and therefore would not be subject to PCI DSS.
While the mobile payment network itself must be PCI DSS compliant, the merchant is sufficiently isolated from the credit card transaction so as not to require PCI DSS compliance. That said, it's going to be a long time before adoption of any private payment network is broad enough to allow merchants to refuse direct credit card transactions in favor of an intermediary network.
This was first published in December 2012