Everything that accepts, processes, stores, or transmits credit card data must meet PCI compliance. This means end users and developers of mobile applications must comply. Failure to comply with the PCI-DSS can make businesses targets for cybercriminals looking to compromise user data. Breaches can expose user data, causing serious financial and reputational impact for the end user and the app maker.
In 2018, the PCI SSC (Payment Card Industry Security Standards Council) announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets. The PCI Software-Based PIN Entry (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The security requirements are for solution providers to use in developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
PCI Security Requirements
The following are some of the PCI requirements for software based PIN entry on mobile apps on phones and tablets:
|PCI Module||PCI Requirement|
|1.3.2||All security services provided by The Solution must adhere to Appendix C – Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms.|
|2.1.5||The PIN CVM Application must prevent against attacks designed to expose data in storage or memory and deploy appropriate controls including minimizing such storage post transaction completion or application timeout.|
|2.1.6||The PIN CVM Application must be securely developed to prevent screen captures.|
|2.1.7||The PIN CVM Application must be resistant to reverse engineering.|
|2.3.1||The PIN CVM Application must offer tamper-resistance measures around the handling of code, application/monitor interface code and any code that is involved in the use or security of cryptographic keys (both public and private/secret keys) for all the supported platform and protection methods (such as TEE, white-box cryptography).|
|2.3.3||The PIN CVM Application must implement methods for detecting and reporting to the monitoring system if any COTS devices have been rooted or jailbroken.|
|PCI Test Requirements
|The connection between system components must be secured through cryptography. This connection must be implemented to prevent man-in-the-middle and replay attacks on data, as well as preventing traffic analysis to determine the type or content of data communicated between the components.|
Changes in PCI Standards
Standards like the PCI DSS were created to enhance cardholder data security for organizations that store and process credit card data. All organizations that store, process or transmit cardholder data must comply with PCI DSS. In addition to PCI DSS, PA DSS Standards were introduced to help organizations achieve compliance and secure cardholder data.
PA-DSS is a standard managed by the PCI SSC and was established to help software vendors secure payment applications. PA-DSS is for Payment applications that are sold, distributed, or licensed to third parties. Things change on October 28, 2022. At this time, PA-DSS v3.2 will be formally retired and replaced by the PCI Software Security Framework.
Couple of things to note regarding PA-DSS:
- In-house payment applications developed by merchants that are not sold to a third party are not subject to the PA-DSS requirements but need to adhere to the PCI DSS Compliance Standard.
- Regardless of this change, if an organization stores, processes or transmits credit card information, they are required to comply with PCI DSS.
Compliance with PCI Requirements
With Appdome, compliance with PCI Requirements for Software Based PIN entry on mobile apps can achieved without coding and without SDKs. For the following PCI requirements, Appdome provides PCI compliance along with comprehensive mobile app security.
1.3.2: Appdome provides AES 256-bit encryption to all application data.
2.1.5: Appdome encrypts data at rest and data in memory, segmenting all app data from other apps and in-app resources.
2.1.6: Appdome prevents screen captures and provides Blur Application Screen.
2.3.1: In addition to Appdome’s ONEShield™, Appdome’s TOTALCode™ Obfuscation provides complete obfuscation of binary code, including internal SDKs, frameworks and filesystems used by the app (including DLL and JS files in non-native apps).
Ensuring PCI Compliance for eCommerce and Mobile Apps Requires DevSecOps Readiness
Ensuring PCI compliance for mobile apps is not something to do just before release. It needs to be part of DevSecOps, or how organizations release security into new Android and iOS apps on a regular basis. Through DevSecOps, organizations don’t have to make tradeoffs between releasing new features and having security. They can have both because each group, whether it’s development, operations or security are coordinated in one continuous workflow.
- With Appdome, organizations can address the complexities of protecting from hackers that other solutions don’t offer. Beyond basic mobile app security and app shielding, Appdome provides different ways to respond to threats. First, you can shut down the app upon a security compromise. Second, you can notify the user or admin when a security compromise has been detected. Furthermore, with hackers ever evolving, the attack surfaces ever expanding, addressing the threat from external forces can be daunting. Appdome has the expertise and focus on the latest fraud and hacking methods to protect your apps now and in the future.
- With Appdome, organizations can automate the process of protecting from hackers and fraudsters Instead of waiting until the end of app development, you can code in mobile app security and fraud prevention at any time in your development process with a few simple clicks. No need to code. No SDK. In addition, you have Certified Secure to prove you have implemented the necessary security controls for audit and validation. Go here to learn more about how to use Certified Secure.
- With Appdome, organizations are using security best practices in a workflow used by the largest companies in the world with hundreds of releases each year. This workflow is so flexible that enables disparate, global dev, security ops teams to work together in a coordinated way that releases secure apps on time.
To embrace DevSecOps and effectively ensure PCI compliance of mobile apps, the entire organization must adhere to new, rapid release processes that meld the different disciplines, development, security and operations, into one continuous workflow. In the new DevSecOps workflow, it is critical that (a) actions be held by the group most capable of completing them, and (b) each group is accountable, transparent and, for its part, deliver with certainty in the release process. Appdome comprehensively ensures mobile apps are PCI compliant at the same time it enables each group in the organization to deliver its part with certainty in the release process.