PCI-DSS for Mobile Applications
All entities that accept, process, store, or transmit credit card data must validate compliance with the PCI Data Security Standards (PCI-DSS). This includes end users and developers of mobile applications. Failure to comply with the PCI-DSS and failure to follow proper data security protocols makes your merchants targets for cybercriminals looking to compromise cardholder data. Breaches of a merchant environment can expose cardholder data, causing serious financial and reputational impact for the end user and the solution provider.
Developers of mobile payment applications must develop these applications using PA-DSS/Software Security Framework requirements as a baseline. They must be developed in a secure manner and in a way that is conducive to use in a PCI-DSS compliant environment. This includes developers of mobile or software-as-a-service (SAAS) platforms with online or in-app purchases.
How to Make a Mobile Payment App Comply with PCI-DSS
Developers of mobile payment applications must comply with the Payment Card Industry Data Security Standards. There are 12 requirements with related sub-requirements that developers must adhere to during development, testing, and ongoing maintenance of the payment solution:
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications.
Restrict access to cardholder data by business need to know.
Assign a unique ID to each person with access to cardholder data.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain an information security policy.
Check out our blog entry on PCI-DSS Major Objectives for detailed information on each of these 12 requirements.
Validating a Mobile Application’s Adherence to PCI-DSS
Developers of mobile applications can find qualified resources that can validate compliance with PCI-DSS requirements. The PCI Security Standards Council certifies Qualified Security Assessor organizations that can assist you with validating adherence to the PCI-DSS. The PCI Data Security Standards Council maintains a list of active Qualified Security Assessors (QSA) on their website.
PCI Compliance is Contract-Based
It is important to understand that the end user, or merchant, is the entity responsible for PCI compliance and the security of their customers’ cardholder data. Merchants are required to validate PCI compliance based on the PCI compliance program put forth by the merchant’s acquiring bank as part of the contract or merchant agreement.
PCI-DSS requirement 12.8 states that merchants must manage service providers that have access to, or could affect the security of, cardholder data. As part of this process, they must validate that the service provider has validated PCI compliance as a third party service provider, completing a Self Assessment Questionnaire D for service providers (SAQ D-SP).
OpenEdge’s PCI Assure program is designed to simplify the complicated PCI process for your merchants. They have 24/7 access to our web-based portal that steps them through the requirements and the necessary Self-Assessment Questionnaire (SAQ). They are guided through the entire process online through the use of expert assistance and real-life examples.
PCI Assure also provides access to quarterly IP network vulnerability scans, custom security profiles generated from the business’s processing activity, a Breach Reimbursement program, and more.
OpenEdge was great to work with - they helped us immensely with the whole PCI compliance initiative. Our customers can tell their banks they've lessened their PCI footprint and they no longer have credit card information locally stored. That reduces worries.” -Paul Acton, CEO, Tri-Technical Systems, Inc.
In the case where the end user/merchant implements the source code, the merchant would be ultimately responsible for any required code review or penetration testing. Merchants and service providers/developers should work together to create a responsibility matrix that details who is responsible for which PCI-DSS requirement based on the realities and deployment of the solution.
Developing your mobile application with PCI-DSS and Software Security Framework / Secure Development Life Cycle requirements as a baseline will provide your merchant the maximum scope reduction for PCI validation. OpenEdge offers EdgeShield Security Solutions to our partners, which shields the merchant, solution developer, and payment application from handling sensitive cardholder data.
EdgeShield, OpenEdge’s advanced security services bundle, protects credit card data, prevents counterfeit fraud, and enhances payments security. Through a unique collection of complementary security solutions, EdgeShield delivers one of the industry’s most secure payments platforms while enabling developers and merchants for EMV. When integrated into systems that accept payments, the bundle products credit card data while at rest and in transit.
Mobile application developers must validate compliance with the PCI Data Security Standards (PCI-DSS). These standards help developers and merchants avoid data breaches and compromised cardholder data. For more information on how OpenEdge can help your merchants with PCI compliance, contact us today.