I often receive questions that start with “I’ve got a great mobile application and I am going to add the ability to make payments. But I am a bit worried because of the PCI PA-DSS standard.”
The situation is so typical that I’ve finally decided to write an article dedicated to PCI PA-DSS and what to do about it.
To start with, let`s refresh our knowledge about the PCI PA-DSS standard and maybe even learn something new.
As you remember, the PCI PA-DSS standard is mostly known for enhancing the security of payment applications. Overall, every application that works within the PCI DSS-compliance infrastructure should be PCI PA-DSS compliant.
Let`s drill down into the requirements.
When we look at the official FAQ for mobile applications covered by SSC we’ll see one interesting question: “What are the defined categories of acceptance for mobile payment solutions?”
In accordance with the official materials, SSC divides all mobile applications into three types:
Category 1. Payment applications that operate only on a PTS-approved mobile device. (PoS terminals for instance)
Category 2. Payment applications which meet ALLof the following criteria:
- Payment application is only provided as a complete solution “bundled” with a specific mobile device
- The mobile device is purpose-built (by design or by constraint) with a single function of performing payment acceptance
- Payment application, when installed on the “bundled” mobile device, provides an environment which allows the merchant to meet and maintain PCI DSS compliance
Category 3. All other payment applications which operate on any consumer electronic handheld devices (e.g., smart phones, tablets, or PDA) that is not solely dedicated to payment acceptance for transaction processing
In case your application is not lucky enough and it got into the first two categories, then – yes, you have to be PCI PA-DSS compliant. But if your application is just a mobile version of your online store, then you will be out of range of the standard. The answer to the question “Why has SSC not released mobile security standards?” can be found in the following answer which was given at a PCI Community Meeting: “We decided not to release a standard, because the technology is evolving so quickly, we felt that any standard we produced would be obsolete before it was ever released.”.
Nonetheless, SSC looks forward and suggests developing your applications taking into account the PCI PA-DSS standard due to the fact that the mobile standard will sooner or later become unnecessary headache to all those who will not be ready for it. For these purposes, SSC published some guides for developers and merchants. Also the one pager has been updated recently, which describes how to process payments through mobile applications. Within one page SSC recommends the use of P2PE solutions in order to minimize the risks of interception because in this case cardholder’s data pass through mobile applications in already encrypted form.
Finally, I would like to say only one thing: create different useful and relevant applications that facilitate our everyday life! BUT never forget, there will always be those who seek to subvert your security, so take care.