
Mobile payment is one of the most popular payment methods today owing to its ease of use and accessibility. At the same time, attackers have found a new opportunity in mobile devices and payment apps to steal data for malicious purposes. In view of the security challenges prevalent in the mobile payment landscape, the Payment Card Industry (PCI) Council has published a set of mobile payment security standards for software developers and mobile device manufacturers to ensure that sensitive card information is not exposed. Being compliant with mobile payment security standards can prevent data loss and the financial and reputational damage that follows a breach. This article gives an overview of mobile payment security standards.

Mobile Payment Security Standards

The PCI Security Standards Council (which maintains PCI DSS) and EMVCo are the two major bodies that publish standards for the protection of payment data. The payment security standards issued by PCI are:

  1. PA-DSS (Payment Application Data Security Standard) – These standards apply to payment applications or software that transmits, processes or stores cardholder data. The PCI Mobile Payment Acceptance Security Guidelines were issued later, as it proved difficult to apply these standards to mobile devices. The guidelines are published on the PCI Security Standards Council website.
  2. PIN Transaction Security (PCI-PTS) – Any device that processes cardholder data together with a PIN at the point of sale (POS) must comply with the PTS standards. The PCI Security Standards Council maintains the list of PCI-approved devices.
  3. Point-to-Point Encryption (P2PE) – These standards require cardholder data to be encrypted before it is transmitted over a public network, so that it is never exposed in clear text in transit. PCI maintains a list of validated P2PE solutions.

EMVCo is a global body that facilitates secure payment transactions by developing specifications for chip cards and contactless payments. NFC technology enables contactless payments by establishing a short-range connection between the mobile device and the POS terminal. Hardware suppliers and software developers involved in developing chip cards must comply with the specifications set by EMVCo. These specifications are separate from the approval processes of card brands such as Visa and Mastercard.

Understanding PCI’s Mobile Payment Acceptance Security Guidelines

Developers of mobile payment applications are required to comply with payment security standards. The core objectives of the council include securing the transaction itself as well as the supporting environment in which the transaction takes place. Storing data in clear text on a mobile device leaves it exposed and vulnerable to attack. PCI's mobile payment acceptance security guidelines are intended to educate all stakeholders involved in developing applications and their supporting environments on the correct methods for handling payment data.

The mobile landscape is evolving at a rapid pace, and complying with mobile payment security standards is a must to thwart cyber attacks. The standards focus on how data is entered, stored and processed, as well as how it leaves the device. The council first released merchant guidance on mobile payment acceptance and later released app development best practices for developers, which it continues to review and update as the threat landscape evolves.

How does In-app Protection help Developers Meet Mobile Payment Security Guidelines?

In-app protection helps app developers comply with the guidelines in section 4 of the PCI Mobile Payment Acceptance Security Guidelines for Developers. In-app security provides a safer environment for handling sensitive card information. One of the biggest advantages of in-app protection is that it equips applications with the ability to protect themselves against attacks. In-app protection differs from perimeter-based protections such as firewalls, which lack contextual awareness of what the application is doing. In-app protection such as RASP (runtime application self-protection) detects attacks and responds by terminating the user session or shutting down the application, depending on the deployment mode. Malware, reverse engineering, data leakage and tampering are among the most common security risks found in mobile payment applications.

Final Thoughts

According to a recent study, the mobile payment market is expected to reach $12.06 trillion by 2027. While the mobile payment market is growing, security concerns still pose a threat to both enterprises and consumers. Lost or stolen devices, phishing scams, public networks, human error and weak passwords are a few of the key mobile payment security issues.

Recognizing the evolving threat landscape, PCI issued the mobile payment security guidelines so that every contributor implements secure solutions throughout the payment chain. Staying PCI compliant can prevent the unintended consequences that arise from compromised security.

AppSealing is a mobile app security solution provider specializing in solutions for Android, iOS and hybrid applications. From real-time threat analytics to runtime protection with zero coding, our solutions are scalable and compatible with third-party tools. Contact us today to secure your finance, gaming, movie or O2O apps instantly.

Govindraj Basatwar, Global Business Head
A Techno-Commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million-dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market-entry strategy, business plans, sales, and business development activities.