It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before and given tips on making a mobile application comply with PCI DSS, read this post. Now, on to the reader’s dilemma:

Does mobile phone technology fall into [the classification] of public networks? I have ongoing arguments with an acquirer about whether a purpose-built mobile payment device, which they sold to us, can be assessed under SAQ B. The device uses cell phone tech only, no Wi-Fi. When I asked them if SAQ B was OK, they said “No, use SAQ D.” I talked them down to SAQ C with Req 4.1 (conceding it was connected to a network) but everyone I know says it should be SAQ B.

Satellite Dish, by adulau

Man, there are several elements in play here. First, let’s examine the definition of an open, public network in the context of PCI DSS. From the glossary:

Network established and operated by a telecommunications provider, for specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks in scope of the PCI DSS include, but are not limited to, the Internet, wireless, and mobile technologies.

So the first thing we can establish, if the device can communicate without wires it must use strong cryptography. There are some exceptions that could cause interpretation issues like satellite or USSD, but if you approach the problem with the mindset of encryption, you really can’t go wrong here. Intercepting cellular communication is fairly trivial nowadays with baseband hacks galore. Therefore, applications that use cellular technology must use some kind of strong encryption to protect transmitted cardholder data. Also, posting a sign like this won’t work.

The next part of the question is about the version of the Self-Assessment Questionnaire you should be filling out. Keep in mind, your acquirer is responsible for reporting on your compliance, so they can technically choose whichever questionnaire they wish for you to fill out. If they want all of their merchants on SAQ-D, then you may want to find a new acquirer if the burden is really that high. But let’s explore the version of the questionnaire you should be filling out.

In order to be eligible to fill out SAQ-B, there are several conditions that must be met. Let’s look at two that the mobile payment device does not meet:

  • Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
  • Your company does not transmit cardholder data over a network (either an internal network or the Internet);

wi-fi, by poloballs

The highlighted text shows two things that the mobile payment solution violates. First off, it doesn’t connect to your processor with a wire, and secondly, it does transmit data over a network. Therefore, you would not be eligible to fill out SAQ-B for your current payment solution.

What about SAQ-C? Without knowing more about your setup, I don’t have a clear answer for you. I do agree that it is possible that you meet the requirements to fill out SAQ-C, but there isn’t enough information to definitively tell.

Thank you for the question! As more mobile payment solutions come to market I am certain this question will continue to come up. Don’t forget, if you have your own requirement you want analyzed, go to this post and add it in the comments!

This post originally appeared on BrandenWilliams.com.