PCI DSS Compliance for Mobile Apps


Mobile applications make it easier to bring your services closer to the market. However, if you will be accepting any payments through your mobile app, you need to be vigilant about security. Accepting payments means that you will come into contact with the credit and debit card data of your customers, which is highly sought after by cybercriminals.

If these cybercriminals get their hands on the data, you can incur not only fines and data breach costs but also lose customers in the process. Luckily, you do not have to fly blind when it comes to protecting the data of your customers: the PCI DSS regulation can act as a guideline on how you should protect customers’ card data. While the compliance requirements for mobile apps can be slightly different from those for web applications, achieving it requires the same level of attention to detail.

Here is how to ensure PCI DSS compliance for your mobile app:

What Is PCI DSS Compliance?

The PCI DSS is a technical security standard that is meant to help with the protection of cardholders’ data (credit and debit card data). Its main aim is to prevent fraud by securing cardholders’ data within the organization that is accepting the card payments. Compliance is, in essence, an IT responsibility: ideally, IT managers spearhead it by ensuring that the entire application development process is in line with the PCI DSS checklist below. As long as you will be accepting payments through your app, this checklist will apply to you.

The PCI Compliance Requirements

For applications that are partly or fully fintech, you will be required to follow an app development process that is in line with Requirements 3, 4, and 6 of the PCI DSS. Here is a dive into the three requirements and the necessary controls to put in place for compliance:

Requirement 3: Secure Stored Cardholder Data

In this case, the term ‘cardholder data’ stands for any information that is printed, processed, transmitted, or stored on the payment card. Regardless of whether the data will be stored locally on the app user’s device or on the card, the app that will be accepting the payment should ensure the security of this data. As a requirement, no cardholder data should be stored unless it is essential to meeting the needs of your business.

Also, the sensitive authentication data found on the card’s magnetic stripe shouldn’t ever be stored. If the PAN has to be stored, you have to render it unreadable. Other requirements for compliance include:

  • Limit data retention and storage timelines to what business and legal purposes require, with any unnecessary data purged at least every quarter.
  • Regardless of whether authentication data is encrypted or not, you should never store the data after authorization. The only exception for this rule is for issuers who have a viable justification for storing the data post-authorization, and they, too, should store the data securely.
  • Whenever you are displaying PAN, you should ensure that it is masked. You should only show the last four or first six digits.
  • Render PAN unreadable whenever you are storing it, whether on digital media, backup media, in logs or in the form of data you receive from wireless networks.
  • Any encryption key you use for securing the cardholders’ data should be protected against disclosure and misuse.
  • You need to document and implement stellar key management processes and procedures for any cryptographic key you use to encrypt cardholders’ data.
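The masking and "render unreadable" controls above, as an added example that is not part of the original article: the display form shows at most the first six and last four digits, and the only thing persisted is a truncated PAN plus a keyed one-way hash. The PAN and HMAC key are constructed for this example; a real key would live in a key-management system separate from the stored records.

```python
import hashlib
import hmac
import re
import secrets

# Constructed key for this example only. Under Requirement 3 the key must be
# protected and managed separately from the data it renders unreadable.
DEMO_HMAC_KEY = secrets.token_bytes(32)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("not a PAN-shaped value")
    return digits


def mask_pan(pan: str, show_first: int = 0, show_last: int = 4) -> str:
    """Display form: never more than the first six and last four digits visible."""
    digits = normalize_pan(pan)
    show_first = min(show_first, 6)
    show_last = min(show_last, 4)
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + "*" * hidden + digits[len(digits) - show_last:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, so records can be matched
    (e.g. repeat customer, refund lookup) without the PAN ever being stored."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def storage_record(pan: str, key: bytes = DEMO_HMAC_KEY) -> dict:
    """What the app may persist: last four digits and the keyed hash.
    The full PAN, CVV and magnetic-stripe data are never part of the record.
    Storing the truncated and hashed forms together is acceptable here only
    because the hash is keyed, so the two cannot be correlated without the key."""
    digits = normalize_pan(pan)
    return {"pan_last4": digits[-4:], "pan_ref": pan_reference(digits, key)}
```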

Requirement 4: Encrypt the Public, Open Transmission of Cardholders’ Data

The fact that 95% of millennials have shared some information through public Wi-Fi networks, according to a recent survey, makes Wi-Fi eavesdropping one of the most subtle yet monumental threats to the security of cardholder data. Hackers have long used unprotected public networks to launch data breaches and commit fraud. While educating people against using unprotected Wi-Fi networks is essential, the PCI DSS requires app developers to protect cardholders’ data from such risks.

In most cases, encryption and strong security protocols like IPSec and SSL/TLS suffice to protect your sensitive data whenever it is transmitted over public networks. You should also never send unprotected PANs through end-user messaging systems.
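The messaging rule above is easiest to enforce by checking outbound text before it leaves the app. This is an added example, not code from the original article: it scans a message (the same check works on log lines, which Requirement 3 also covers) for digit runs that pass the Luhn checksum used by card numbers, and redacts them to the masked form. The sample messages are constructed.

```python
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; filters out ordinary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def _candidate_digits(match: "re.Match") -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in the text, separators removed."""
    return [
        d for d in (_candidate_digits(m) for m in PAN_CANDIDATE.finditer(text))
        if 13 <= len(d) <= 19 and luhn_valid(d)
    ]


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace each detected PAN with its masked form (last four visible).
    Returns the cleaned text and how many PANs were redacted, so the caller
    can block or alert when the count is non-zero."""
    count = 0

    def repl(match: "re.Match") -> str:
        nonlocal count
        d = _candidate_digits(match)
        if 13 <= len(d) <= 19 and luhn_valid(d):
            count += 1
            return "*" * (len(d) - 4) + d[-4:]
        return match.group()

    return PAN_CANDIDATE.sub(repl, text), count
```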

Requirement 6: Develop and Maintain Secure Apps

This provision applies to applications that are within the scope of PCI DSS enforcement, and any app that collects, stores and/or transmits cardholders’ data belongs in this bracket. If your app is to be used by external organizations, it should comply with the PA-DSS (Payment Application Data Security Standard). Its evaluation is done by a PA-QSA (Payment Application Qualified Security Assessor). To prove compliance, you will need to own a well-documented register of the software, tools, and libraries used in the development cycle.

Since software libraries and tools are updated frequently, you ought to review these libraries constantly and keep them up to date. After establishing a software asset register, you should set up a process for regularly monitoring every item on the register and releasing updates as soon as they are needed.

PCI DSS compliance is a two-phase process: achieving initial compliance and maintaining it. While achieving it is typically easy, maintaining it will require you to commit to policies, processes, and procedures that ensure the continuous compliance of your business. Since compliance will require you to follow a lot more than the checklist above, you should design the necessary policies and implement controls that can help you maintain your compliance status as a mobile-app-based business.