Rosenberg says there is much discussion in the industry now on how to appropriately secure mobile under PCI guidelines, but he's disappointed the council didn't take up that topic specifically in PCI 3.0. At most, the industry today looks to "best practices" guidelines the council published more than a year ago separately for mobile outside of the PCI standard itself.
Industry needs the council to dig more deeply into the mobility question related to PCI, says Rosenberg, adding the ongoing battles between the card-payment associations and others over mobile payment strategies may be slowing down the ability of the council to be more definitive about mobile security. He thinks there's a "gap" today and without PCI guidance, the danger is many developers may not take steps for security in mobile payment-card processing.
Asked about mobile, the PCI Council's Russo and Leach acknowledge PCI 3.0 doesn't single out mobile for special comment, but say nothing in PCI 3.0 should be thought of as not applying to mobile either.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org. Read more about wide area network in Network World's Wide Area Network section.