PCIDSS Compliance For Mobile Applications



PCI DSS (Payment Card Industry Data Security Standards) standard developed in order to ensure the security of card data and to reduce card fraud. Companies that are PCI DSS compliant must obey specific rules and fulfill requirements (technical, procedural, etc.) defined by the PCI Security Standards Council. The PCI DSS have six major objectives. First, a secure network must be maintained in which transactions can be conducted. Second, cardholder information must be protected wherever it is stored. Third, systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. Fourth, access to system information and operations should be restricted and controlled. Fifth, networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-do-date. Sixth, a formal information security policy must be defined, maintained, and followed at all times and by all participating entities.


With increase in number of platform for making payment and with growing demand for e-commerce, the act of paying for a product or service with a credit or debit card must remain easy, efficient, and safe. Because the process is so critical to both businesses and consumers, it is highly regulated and constantly changing. Today each purchase launches a complex, automated, and highly integrated process involving not just merchants but also banks, acquirers, payment processors and potentially a host of other players. New technologies such as smartphones and digital wallets, shifts in buying habits, demands by individuals to accept card payments, and growing interest in peer-to-peer payments have created a fierce battle within the industry, as organizations fight to maintain their position or disrupt the status quo. No longer a set of isolated processes, today’s entire payments ecosystem is just a component of the broader commercial landscape—playing an integral role in fraud management and data privacy as part of a comprehensive IT security framework that must span the Internet, mobile devices, social networks, and cloud services. Merchant using payment gateway or in-house purchase needs to align with the PCIDSS 12 verticles, but in case of mobile application all are not applicable.


PCIDSS has got 12 requirements which includes 256 controls but not all are applicable to mobile application so following is list of requirements for mobile applications

  • Install and maintain a firewall configuration to protect cardholder data.

    Firewall configuration is invalid for mobile applications but some sub controls are still applicable to mobile applications like to make diagram that shows all cardholder data flows across systems and networks, Restricting inbound and outbound traffic which is necessary for the cardholder data environment and not allowing unauthorized outbound traffic from the cardholder data environment to the Internet.

  • Do not use vendor-supplied defaults for system passwords and other security parameters.
    Yes, it is applicable to mobile applications. It works on front end, using default password can increase vulnerability to the user of application. There are certain controls important for mobile application like enabling only necessary services, protocols, daemons, etc., as required for the function of the system and proper security should be implemented for wireless environments connected to the cardholder data environment.
  • Protect stored cardholder data. 
    Yes, all the controls are applicable and are of utmost important for mobile applications. Control restrict vendor to store customer information until it creating some value to the customer and if it is stored, it is protected with the key and key should be kept safely using strong cryptography and should be changed at regular intervals. Also, some of the customer credentials like CVV, PIN etc. should not be stored.
  • Encrypt transmission of cardholder data across open, public networks.
    Yes, it is applicable to mobile applications. When cardholder data is transmitted from mobile to server it should have proper encryption method. Strong security protocols should be used to safeguard transmission of cardholder data and unprotected PANs should never be sent by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
  • Use and regularly update antivirus software. 
    Yes, gadget storing customer’s credential should have anti-virus programs which should be capable of detecting, removing, and protecting against all known types of malicious software. Anti-virus mechanisms should actively run and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
  • Develop and maintain secure systems and applications.
    Yes, developer should address common coding vulnerabilities during software-development processes. Also, Developers should be trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data should be handled in memory.
  • Restrict access to cardholder data by business need-to-know. 
    No, control is not applicable to mobile applications. Control restrict employees to cardholder’s data on server side but for mobile applications cardholder data is stored on client side.
  • Assign a unique ID to each person with computer access. 
    Yes, not all but some of the controls related to mobile security are applicable to mobile applications. For example for each unique ID, employ at least one of the following methods to authenticate all users: Something you know, such as a password or passphrases. 
  • Restrict physical access to cardholder data.
    Yes, not all but some of the controls related to security of physical access to mobile are applicable to mobile applications. Like using appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment and storing media backups in a secure location, preferably an off-site facility, such as an alternate or backup site.
  • Track and monitor all access to network resources and cardholder data. 
    No, control track and monitor all access to network resources which is not applicable to mobile applications
  • Regularly test security systems and processes.
    No, control test security systems and processes which is not applicable to mobile application.
  • Maintain a policy that addresses information security
    Yes, control maintain and disseminate a security policy that accomplishes the security policy at least annually and update the policy when the environment changes and implement an incident response plan.