MerchantWARE Goes Blackberry, and the story of the unvalidated payment application
The Merchant Maven posted a release about Merchant Warehouse's new Blackberry version of MerchantWARE, following in the footsteps of the apparently successful iPhone application. This new trend is yet another example of the need for good mobile payment security.
While the software company states that the application complies with both PCI DSS and PABP, it is not listed on the official Validated Payment Application list as validated under either PABP or PA-DSS. That only means that they have not had an assessment performed and paid the required fees to get it listed on the site.
Acquirers are wary of Point of Sale (POS) vendors and POS implementers, all because of a few bad apples. The restaurateur is at a particular disadvantage. A high failure rate and a desire to carry a small amount of debt when opening a restaurant (see high failure rate) cause some of the same equipment to be used in multiple locations throughout its usable lifespan. Not just tables, chairs, and griddles, but POS terminals as well. This means that some of the same vulnerable equipment keeps surfacing because proprietors simply don't know they need to upgrade.
The card brands, specifically Visa, have invested heavily to fix this. First, by starting the Payment Application Best Practices program (now the Payment Application Data Security Standard), and later by imposing certain payment application mandates on new (and soon to be existing) merchants.
Merchant education is getting better, but you will do yourself a favor by ensuring that any third-party POS applications you rely on for your business appear on the list of Validated PA-DSS applications, and that you keep up with the patches associated with that version.
Comments
Great post Branden. We absolutely share your point of view on application security and the need to protect card holder data. This was the driving force behind us using an encrypted card reader for swiped transactions (the data is never in the clear) and also not storing any cardholder data on the device.
MerchantWARE Mobile for the iPhone and the BlackBerry are both currently undergoing PA-DSS validation and we will soon be added to the validated applications list.
Posted by: Mark (Merchant Warehouse) | July 8, 2009 1:54 PM
Fantastic! Please let us know if we can help in any way!
Posted by: Branden Williams | July 9, 2009 10:55 AM