Everything that accepts, processes, stores, or transmits cardholder data must meet PCI DSS requirements, and that includes mobile payment applications and the businesses that ship them. Failure to comply with PCI DSS leaves cardholder data exposed to cybercriminals, and a breach carries serious financial and reputational consequences for both the cardholder and the app maker.
In 2018, the PCI SSC (Payment Card Industry Security Standards Council) announced a new PCI security standard for software-based PIN entry on commercial off-the-shelf (COTS) devices such as smartphones and tablets. The PCI Software-Based PIN Entry on COTS (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. Its security requirements are for solution providers to use in developing solutions that enable EMV contact and contactless transactions with PIN entry on the merchant's consumer device, using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
PCI Security Requirements
The following are some of the PCI requirements for software-based PIN entry in mobile apps on phones and tablets:

PCI Module | PCI Requirement
--- | ---
1.3.2 | All security services provided by The Solution must adhere to Appendix C – Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms.
2.1.5 | The PIN CVM Application must prevent against attacks designed to expose data in storage or memory and deploy appropriate controls including minimizing such storage post transaction completion or application timeout.
2.1.6 | The PIN CVM Application must be securely developed to prevent screen captures.
2.1.7 | The PIN CVM Application must be resistant to reverse engineering.
2.3.1 | The PIN CVM Application must offer tamper-resistance measures around the handling of code, application/monitor interface code and any code that is involved in the use or security of cryptographic keys (both public and private/secret keys) for all the supported platforms and protection methods (such as TEE, white-box cryptography).
2.3.3 | The PIN CVM Application must implement methods for detecting and reporting to the monitoring system if any COTS devices have been rooted or jailbroken.
PCI Test Requirements
PCI Test Requirement | Requirement
--- | ---
TR-D1 | The connection between system components must be secured through cryptography. This connection must be implemented to prevent man-in-the-middle and replay attacks on data, as well as preventing traffic analysis to determine the type or content of data communicated between the components.
Changes in PCI Standards
Standards like PCI DSS were created to improve cardholder data security for organizations that store and process credit card data. All organizations that store, process or transmit cardholder data must comply with PCI DSS. In addition to PCI DSS, the PA-DSS standard was introduced to help organizations achieve compliance and secure cardholder data.
PA-DSS is a standard managed by the PCI SSC and was established to help software vendors secure payment applications. PA-DSS applies to payment applications that are sold, distributed, or licensed to third parties. That changes on October 28, 2022, when PA-DSS v3.2 is formally retired and replaced by the PCI Software Security Framework.
A couple of things to note regarding PA-DSS:
- In-house payment applications developed by merchants that are not sold to a third party are not subject to the PA-DSS requirements but need to adhere to the PCI DSS Compliance Standard.
- Regardless of this change, if an organization stores, processes or transmits credit card information, they are required to comply with PCI DSS.
Compliance with PCI Requirements
With Appdome, compliance with the PCI requirements for software-based PIN entry in mobile apps can be achieved without coding and without SDKs. For the following PCI requirements, Appdome provides PCI compliance along with comprehensive mobile app security.
1.3.2: Appdome provides AES 256-bit encryption to all application data.
2.1.5: Appdome encrypts data at rest and data in memory, segmenting all app data from other apps and in-app resources.
2.1.6: Appdome prevents screen captures and provides Blur Application Screen.
2.1.7: Appdome provides Anti-Tampering, Anti-Debugging and Anti-Reversing, as well as encryption for strings and preferences stored in the app (all of these target methods hackers use to reverse engineer an app).
2.3.1: In addition to Appdome’s ONEShield™, Appdome’s TOTALCode™ Obfuscation provides complete obfuscation of binary code, including internal SDKs, frameworks and filesystems used by the app (including DLL and JS files in non-native apps).
2.3.3: Appdome OS Integrity provides Jailbreak and Root detection along with developer events to report jailbreak or rooting to monitoring systems.
PCI Test Requirements: Appdome Secure Communication protects the connection between the app and its backend against malicious proxies and MITM attacks.
Ensuring PCI Compliance for eCommerce and Mobile Apps Requires DevSecOps Readiness
Ensuring PCI compliance for mobile apps is not something to do just before release. It needs to be part of DevSecOps, the way organizations build security into new Android and iOS apps on a regular basis. Through DevSecOps, organizations don't have to trade off releasing new features against having security. They can have both, because development, operations and security are coordinated in one continuous workflow.
- With Appdome, organizations can address complexities of protecting against hackers that other solutions don't cover. Beyond basic mobile app security and app shielding, Appdome provides different ways to respond to threats. First, you can shut down the app when a security compromise is detected. Second, you can notify the user or an admin when a security compromise has been detected. With hackers constantly evolving and the attack surface constantly expanding, addressing external threats can be daunting; Appdome focuses on the latest fraud and hacking methods to protect your apps now and in the future.
- With Appdome, organizations can automate protection against hackers and fraudsters. Instead of waiting until the end of app development, you can build mobile app security and fraud prevention into the app at any point in your development process with a few clicks. No need to code. No SDK. In addition, Certified Secure proves you have implemented the necessary security controls for audit and validation. Go here to learn more about how to use Certified Secure.
- With Appdome, organizations use security best practices in a workflow used by the largest companies in the world, with hundreds of releases each year. The workflow is flexible enough that disparate, global dev, security and ops teams can work together in a coordinated way and release secure apps on time.
- With Appdome, organizations can bridge the gap between mobile dev frameworks, SDKs and apps. Where is the problem? A major challenge developers face when attempting to achieve PCI compliance or implement mobile app security using SDKs, open source libraries, or specialized compilers is that these methods all rely on source code and require changes to the application code. As a result, each of these methods is bound to the specific programming language the application is written in, and is exposed to the programming language or package dependencies between those languages and frameworks. For a real-world example of this problem, check out this Stack Overflow post by a developer who needs to build code obfuscation into an iOS app with multiple dependencies between React Native (a non-native framework) and Objective-C (a native language). Because there is no built-in library in the iOS project that will obfuscate React Native code, the developer needs to use an external package (dependency #1). That external package in turn depends on yet another npm package to obfuscate the JavaScript code (dependency #2). Beyond the operational, resource, manual coding, and timing issues this entails, the most pressing issue with respect to PCI is the loss of control that comes with these dependencies. If those third-party libraries are deprecated, are no longer supported, or stop working for any reason, the company may fall out of PCI DSS compliance and need to find another solution. Appdome gives developers a tool to build in security across the diversity of apps and the frameworks used to build them.
To embrace DevSecOps and effectively ensure PCI compliance of mobile apps, the entire organization must adopt rapid release processes that merge the different disciplines, development, security and operations, into one continuous workflow. In that DevSecOps workflow, it is critical that (a) each action is owned by the group most capable of completing it, and (b) each group is accountable and transparent and, for its part, delivers with certainty in the release process. Appdome ensures mobile apps are PCI compliant while enabling each group in the organization to deliver its part with certainty in the release process.