The Payment Card Industry Data Security Standard (PCI DSS) defines requirements for protecting cardholder data in payment card transactions. These requirements apply to every entity that stores, processes, or transmits cardholder data; a merchant that accepts or processes payment cards, for example, must comply with the PCI DSS. The primary goal of the PCI DSS is to protect cardholder data wherever it is processed, stored, or transmitted.
A companion standard administered by the same council, the Payment Application DSS (PA DSS), defines requirements for third-party payment software applications. For example, the PA DSS governs an application that accepts entry of a credit card number or other payment information on a computing device. The PA DSS applies whenever the application stores, processes, or transmits cardholder data (e.g. the primary account number, cardholder name, expiration date, and service code) or sensitive authentication data (e.g. the PIN and full magnetic stripe data).
To comply with the PA DSS, an application that receives, stores, or transmits cardholder data must perform a range of protective functions on that data (e.g. encryption, together with the key management that encryption requires). Performing these functions requires substantial computing and platform resources, and many computing devices have sufficient resources to support such applications adequately.
However, some computing devices, such as mobile devices, have limited computing resources or lack other security features, which makes it much more difficult to provide a PA DSS compliant application on them. Although many smart phones and apps can be configured to accept payment information in a PA DSS compliant manner, doing so is difficult, costly, and comparatively less secure. For this reason, relatively few mobile applications and platforms are certified as PA DSS compliant.
One workaround is now commonly used to address this issue. Mobile applications such as Square (provided by Square, Inc.) and GoPayment (provided by Intuit, Inc.) use a separate card reader, generally plugged into the phone's headphone jack, that reads the payment card and encrypts the cardholder data before passing it to the phone. Because the data is encrypted inside the reader, and the phone therefore never holds it in unencrypted form, the application running on the phone does not itself need to comply with the PA DSS. This holds only as long as the decryption key is never present on the phone: an application able to decrypt the data would again be handling cleartext cardholder data. The approach works, but it is often less desirable because it requires a separate card reader and requires that the card be physically swiped.
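The scope reduction described above rests on one structural property: the phone app relays an opaque envelope it cannot open. The following Python is an added example illustrating that pattern; it is not code from Square, Intuit, or any card-reader product, and the reader ID, device key, and card number are constructed for the example. Real readers use AES (typically under a DUKPT-style per-transaction key scheme); to stay dependency-free this stand-in uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag, which has the same shape for the purpose shown here.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed device identifier and key (assumption for the example). In practice
# the key is injected into the reader's secure element and shared only with the
# acquirer; it never exists on the phone.
READER_ID = "RDR-0001"
READER_KEY = hashlib.sha256(b"example-reader-key-RDR-0001").digest()
_BACKEND_KEYS = {READER_ID: READER_KEY}  # what the acquirer holds


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the device key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; stands in for AES so the
    # example runs with the standard library only.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _aad(kid: str, last4: str) -> bytes:
    # Header fields the phone may read; they are authenticated, not encrypted.
    return json.dumps({"kid": kid, "last4": last4}, sort_keys=True).encode()


def reader_encrypt(reader_id: str, key: bytes, track2: str) -> dict:
    """Runs inside the card reader, before anything reaches the phone."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    pt = track2.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    last4 = track2.split("=", 1)[0][-4:]          # only digits the phone ever sees
    tag = hmac.new(mac_key, _aad(reader_id, last4) + nonce + ct, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return {"kid": reader_id, "last4": last4, "nonce": b64(nonce), "ct": b64(ct), "tag": b64(tag)}


def phone_app_relay(envelope: dict) -> dict:
    """Runs on the phone. Holds no key, so it can only sanity-check the envelope
    and pass it on. The returned 'display' string is all the app may keep or log."""
    if set(envelope) != {"kid", "last4", "nonce", "ct", "tag"}:
        raise ValueError("malformed envelope")
    if not (len(envelope["last4"]) == 4 and envelope["last4"].isdigit()):
        raise ValueError("bad masked digits")
    return {"display": "**** **** **** " + envelope["last4"], "forward": envelope}


def backend_decrypt(envelope: dict) -> str:
    """Runs at the acquirer/gateway, the only place that holds the device key."""
    key = _BACKEND_KEYS.get(envelope["kid"])
    if key is None:
        raise ValueError("unknown reader")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (base64.b64decode(envelope[f]) for f in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, _aad(envelope["kid"], envelope["last4"]) + nonce + ct,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # header and body are bound together
        raise ValueError("authentication failed: envelope altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def demo(track2: str = "4111111111111111=2512101") -> dict:
    """Walks one swipe through reader, phone and backend; constructed track data."""
    env = reader_encrypt(READER_ID, READER_KEY, track2)
    on_phone = phone_app_relay(env)
    recovered = backend_decrypt(on_phone["forward"])
    # A compromised phone app rewrites the displayed digits; the backend must notice.
    try:
        backend_decrypt(dict(env, last4="9999"))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"display": on_phone["display"],
            "pan_visible_to_phone": track2.split("=")[0] in json.dumps(env),
            "recovered": recovered,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to check in any such design is the one `demo()` exercises: nothing the phone receives contains the account number, the only thing the app retains is the masked form, and the backend rejects an envelope whose plaintext header has been edited on the phone.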
Mobile devices enable users to perform transactions in virtually any location. For example, using a smart phone, a user can make purchases online or over the phone from any remote location with a suitable connection. In many transactions, the user's authorization to enter into the transaction can be given over the phone or by selecting a checkbox on a web page.
Despite the mobility such devices provide, many transactions still cannot be completed by a remote user. Some transactions, such as recurring payments, cannot be completed without a signature from the user, so to authorize them remote users must mail or fax a signed paper document to the entity performing the transaction. Examples of transactions that require a signature include authorization of recurring debits from the user's bank account to repay a loan and authorization of recurring charges to the user's credit card for a subscription service.
Printing, signing, and returning a document is a burdensome requirement for many users. Accordingly, when a signature is required to authorize a transaction remotely, users cannot fully benefit from the mobility of their portable devices.