PCIDSS COMPLIANCE FOR MOBILE APPLICATION
By Bhakti, 03/01/2020
WHAT IS PCIDSS
PCI DSS (Payment Card Industry Data Security Standard) is a standard developed to ensure the security of card data and to reduce card fraud. Companies that are PCI DSS compliant must obey specific rules and fulfill requirements (technical, procedural, etc.) defined by the PCI Security Standards Council. PCI DSS has six major objectives. First, a secure network must be maintained in which transactions can be conducted. Second, cardholder information must be protected wherever it is stored. Third, systems must be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. Fourth, access to system information and operations must be restricted and controlled. Fifth, networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. Sixth, a formal information security policy must be defined, maintained, and followed at all times by all participating entities.
WHAT ARE THE RISKS ASSOCIATED WITH MOBILE PAYMENT GATEWAYS?
With the growing number of payment platforms and the growing demand for e-commerce, the act of paying for a product or service with a credit or debit card must remain easy, efficient, and safe. Because the process is so critical to both businesses and consumers, it is highly regulated and constantly changing. Today each purchase launches a complex, automated, and highly integrated process involving not just merchants but also banks, acquirers, payment processors and potentially a host of other players. New technologies such as smartphones and digital wallets, shifts in buying habits, demands by individuals to accept card payments, and growing interest in peer-to-peer payments have created a fierce battle within the industry, as organizations fight to maintain their position or disrupt the status quo. No longer a set of isolated processes, today's entire payments ecosystem is just a component of the broader commercial landscape, playing an integral role in fraud management and data privacy as part of a comprehensive IT security framework that must span the Internet, mobile devices, social networks, and cloud services. A merchant using a payment gateway or in-house purchasing needs to align with the 12 PCI DSS requirements, but in the case of a mobile application not all of them are applicable.
PCIDSS CHECKLIST FOR MOBILE APPLICATION
PCI DSS has 12 requirements comprising 256 controls, but not all of them are applicable to mobile applications. The following list goes through each requirement and states whether, and how, it applies to mobile applications.
Requirement 1 (install and maintain a firewall configuration): Firewall configuration as such does not apply to a mobile application, but some sub-controls still do: maintaining a diagram that shows all cardholder data flows across systems and networks, restricting inbound and outbound traffic to that which is necessary for the cardholder data environment, and not allowing unauthorized outbound traffic from the cardholder data environment to the Internet.
Requirement 2 (do not use vendor-supplied defaults): Yes, it is applicable to mobile applications. It works on the front end; using default passwords increases the exposure of the application's users. Certain controls matter for mobile applications, such as enabling only the services, protocols, daemons, etc. that are required for the function of the system, and implementing proper security for wireless environments connected to the cardholder data environment.
Requirement 3 (protect stored cardholder data): Yes, all the controls are applicable and are of utmost importance for mobile applications. The controls restrict the vendor from storing customer information unless it creates some value for the customer, and if it is stored, it must be protected with a key; the key should be kept safe using strong cryptography and should be changed at regular intervals. Also, customer credentials such as the CVV, PIN, etc. should never be stored.
Requirement 4 (encrypt transmission of cardholder data across open, public networks): Yes, it is applicable to mobile applications. When cardholder data is transmitted from the mobile device to the server it must be protected with a proper encryption method. Strong security protocols should be used to safeguard transmission of cardholder data, and unprotected PANs should never be sent by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Requirement 5 (protect all systems against malware and regularly update anti-virus software): Yes, a device storing customer credentials should run anti-virus software capable of detecting, removing, and protecting against all known types of malicious software. Anti-virus mechanisms should actively run and must not be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Requirement 6 (develop and maintain secure systems and applications): Yes, developers should address common coding vulnerabilities during the software development process. Developers should also be trained in secure coding techniques, including how to avoid common coding vulnerabilities and how sensitive data should be handled in memory.
Requirement 7 (restrict access to cardholder data by business need to know): No, this control is not applicable to mobile applications. It restricts employees' access to cardholder data on the server side, but for mobile applications cardholder data is stored on the client side.
Requirement 8 (identify and authenticate access to system components): Yes; not all, but some of the controls related to mobile security are applicable to mobile applications. For example, for each unique ID, employ at least one of the following methods to authenticate all users: something you know, such as a password or passphrase.
Requirement 9 (restrict physical access to cardholder data): Yes; not all, but some of the controls related to physical access to the mobile device are applicable to mobile applications, such as using appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment, and storing media backups in a secure location, preferably an off-site facility such as an alternate or backup site.
Requirement 10 (track and monitor all access to network resources and cardholder data): No, this control is not applicable to mobile applications.
Requirement 11 (regularly test security systems and processes): No, this control is not applicable to mobile applications.
Requirement 12 (maintain a policy that addresses information security): Yes, maintain and disseminate a security policy, review it at least annually, update it when the environment changes, and implement an incident response plan.
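The two requirements above that bite hardest on a mobile client are Requirement 3 (never persist the CVV or PIN, store the PAN only in protected or truncated form) and Requirement 4 (never let an unprotected PAN leave the device through chat, e-mail or support messages). The following is an added example, not code from the original post or from any PCI SSC material: it shows the client-side checks an app's storage and messaging layers can apply before data is written or sent. The record layout, field names and sample card numbers are constructed assumptions; the masking rule (first six and last four digits visible) follows the PCI DSS display guidance, and the Luhn check is the standard check-digit algorithm.

```python
"""Client-side guards for PCI DSS Requirements 3 and 4 on a mobile app's
data path. Added example; record layout and sample values are assumptions."""
import re
from typing import Dict, List

# Sensitive authentication data that must never be stored after authorization
# (assumed field names for the app's own record format).
FORBIDDEN_STORED_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block",
                           "track1", "track2"}

# A PAN candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# starting and ending on a digit so surrounding whitespace is left alone.
PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN for display or storage: only first six and last four visible."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def validate_storage_record(record: Dict[str, str]) -> Dict[str, str]:
    """Refuse to persist any sensitive authentication data; keep only a masked PAN.

    Returns the sanitized record; raises ValueError if a forbidden field is present.
    """
    present = FORBIDDEN_STORED_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(
            f"refusing to store sensitive authentication data: {sorted(present)}")
    out = dict(record)
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    return out


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in free text (an egress check for
    chat, e-mail or support messages composed on the device)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scrub_message(text: str) -> str:
    """Replace every Luhn-valid PAN in an outbound message with its masked form."""
    def _repl(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_repl, text)


if __name__ == "__main__":
    # Constructed sample data: 4111 1111 1111 1111 is a well-known test number.
    print(validate_storage_record({"pan": "4111 1111 1111 1111", "expiry": "12/26"}))
    try:
        validate_storage_record({"pan": "4111111111111111", "cvv": "123"})
    except ValueError as exc:
        print("blocked:", exc)
    print(scrub_message("Support: my card 4111-1111-1111-1111 was declined"))
```

Both guards sit on the client: `validate_storage_record` runs before anything is written to local storage, and `scrub_message` or `find_pans` runs before a support or chat message leaves the device. The Luhn check keeps the message scrubber from masking order numbers or phone numbers that happen to be long digit runs; it does not make the regex a complete PAN detector, so an app that handles card data should still keep such text fields out of the cardholder data flow altogether where it can.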