PCI Compliance Checklist for Apps| What are the steps?

Concerned about the security of your payment card information? PCI compliance can help you identify potential threats and avoid costly problems for your company. But, what are they?

What is PCI compliance?

The Payment Card Industry (PCI) regulations that were put into place in 2009 have made it much harder for unsavory actors to take over your finances. These regulations say that card networks must verify your identity and ensure that your financial information is up-to-date.

It, therefore, becomes necessary to have a PCI compliance checklist for apps that you own or are planning to develop.

If your payment information is stolen, it becomes much easier for criminals to use it for fraudulent activity. In particular, it’s important to know when it’s right to leave a digital fingerprint on a piece of hardware or software. 

Law enforcement and financial institutions need access to digital forensics information to prosecute cybercriminals, so all card companies must take this issue very seriously. 

PCI compliance doesn’t just concern hardware or software; it also pertains to all communications networks, including the Internet-of-Things (IoT).

In this blog, we’ll explain how your in-app protection can help you meet the requirements of the PCI developer guidelines section and protect your app from unauthorized access to cardholder data. This is particularly relevant if you’re working on an app that handles credit card payments or access cardholder information.

What are the PCI logging and monitoring requirements?

Anybody developing an app that touches on any of these areas will undoubtedly be interested in learning more about the Payment Card Industry regulations (PCI). These regulations help ensure that transactions are secure by requiring businesses to adhere to PCI DSS or the Payment Card Industry Data Security Standard.

According to the Payment Card Industry (PCI) Field Guide, there are two types of requests made:

• Performance audit

It refers to an inspection of system performance, usually after a request is made for performance solutions from the client. You can perform an annual risk assessment and keep reports handy for any future needs, have regular awareness training, check employees’ backgrounds before appointing them, have a team ready for incident management as well. 

• Log management

It refers to the process of aggregating and organizing information from various sources (e.g., event logs, security log files, etc.) and encoding it into representations that third-party applications can use. Log management also has two parts that you can take care of:

• Log Management System (LMS)

A Log Management System (LMS) software can be installed in your system. This software creates and keeps regular audit logs. The system also proves helpful to alert you in case of any errors, data breaches, or suspicious activity happening in the system. Such software sends real-time alerts for any anomalies or audit eros via messages or email. This saves time and also prevents human errors that might happen if you keep a manual audit log.

• Log data analysis in Case Studies

Find, read and understand the previous data and security breaches that happened in the online payment system. It is mandatory to keep your audit history stored for at least one year, and three months of audit data must be available for immediate review.

How In-App Protection Helps

In-app purchases can bring in a lot of revenue but are often forgotten about in terms of security. The PCI DSS doesn’t create many rules for app developers. However, there is one section that you should be paying attention to. Thankfully, like any other In-App feature, you can also have an In-App protection software made. Additionally, the developers can provide you with a cutting-edge app security solution. This could guide your mobile app to protect against tampering, malware, data loss, etc.

You’d be surprised how many mobile apps are still vulnerable to security issues. These issues can result from a lack of support for the latest corporate security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). It can be tricky navigating the amount of information surrounding PCI compliance. Read on to know the three easy ways to get PCI mobile payment compliance.

What are the ways to know mobile app PCI compliance?

There are 3 main ways to know if your mobile app is compliant with security requirements:

1. Careful handling of card data

Some business models have to have sensitive direct card data and manage it. Consequently, they have to meet PCI DSS requirements (300+ security controls). And even though the company’s access to information is only for a limited period of time, they would still have to install security hardware and software. 

Although, most companies use third-party solutions for payment processing and handling credit card data. Such third parties accept and store the data in a secure environment. Some examples could be Paypal, Strip, etc. In such scenarios, your company has to follow only a total of 22 PCI DSS protocols. 

2. Secure data storage

For the proper acceptance of guidelines, make sure you have secured all the data storage details. They should meet the standards of Payment Application- Data Security Standard (PA-DSS).

3. Annual Validation from PCI

Many big firms are asked by PCI for annual audit reports. To avoid dire consequences, it is beneficial to have such audit reports and other PCI compliance elements present in your organization and for mobile app security purposes.

Certainly, each company has to fill an annual PCI validation form. On what grounds are an organization asked to show its yearly PCI compliance? Here are the main reasons:

• For reporting to the payment card brands
• As a prerequisite for entering into a partnership with another company

Steps to get your Mobile app PCI DSS compliant

 Payment Card Industry Security Standards Council is the administrative body, in other words, the security guidelines developers. If you don’t want to catch their eye and pay fines, you can follow these easy PCI compliance steps:

1. Know the requirements

The PCI compliance needs depend on the amount and frequency of credit card transactions. There are different levels for each Mobile app PCI compliance depending on various factors. Four basic levels are fixed under PCI DSS compliance:

• Firstly, Level 1: Applies to the mobile applications that have over 6 million transactions of Mastercard or Visa processed per annum.
• Secondly, Level 2: Starting from 1 million, upto 6 million of any Visa or Mastercard transactions processed per annum. 
• Then, Level 3: 20,000 to about 1 million e-commerce transactions done via Visa or Mastercard per annum.
• Lastly, Level 4: Less than 20,000 e-commerce transactions/ Upto 1 million transactions for any other companies, processed by Visa or Mastercard per annum.

For each industry company, they can judge their level of compliance using these ways:

SAQ (Self Assessment Questionnaires), used by businesses with a small number of transactions,

QSA( External Qualified Assessor), assess your compliance if you are a business  with a moderate number of transactions,

ISA (Firm-specific Internal Security Assessor), for businesses that have large volumes of yearly transactions.

1. Data Mapping

Create a comprehensive map of credit card data stored and the data network of your application. Then consult the developers to follow up on a few points:

• Identify the areas where consumer transactions are involved. For example, online shopping carts, in-app purchase section, orders taken over the phone, etc.
• Next, find out where all the customer payment data is stored and who has access to it.
• Figure out internal systems that work on online payment for your mobile app. They could be cloud environments, network systems, or data centers.

2. Checking app security controls

Now you have identified the payment touchpoints inside your application. Next, you can check the security measures taken for each platform and system integrated with your application. Subsequently, check the protocols and whether your app is following them or not. Most importantly, also get your IT development team to make any changes needed to get the design and change the app in accordance with the protocols. There are many such PCI protocols that overlap with GDPR, and HIPAA requirements, you might already have them in place.

Read more: Simple steps to get mobile app GDPR compliance possible (ideausher.com)

Read more: HIPAA Compliant App Development – Features & Development Cost (ideausher.com)

3. Maintenance

PCI is not a one-time check. You need to maintain the PCI compliance standard and check it time and again. If you are a small venture, you can hire a team of developers and professionals to check the PCI compliance of your app. However, if you are a big firm with over 6 million transactions happening every year, you can hire an internal team for maintaining the payment security standards:

• Security: the CSO (Chief Security Officer) will keep checking the security policies and transaction safety measures. 
• Payment: A CTO (Chief Technology Officer)
• Financial checks: The Chief Financial Officer (CFO), checks that accounts are managed for all payment data flows. They also store an audit of all payment systems and partners. 
• Legal work: The legal work relating to PCI DSS compliance is done by the legal team.

How to handle cardholder data?

The biggest problem facing businesses today isn’t fraud or security issues – it’s compliance. Businesses that have no idea how to handle customer data are at risk of losing bank accounts, tax payments, and other important business data. The CMCG has created this checklist to help you prevent data loss in 2017.

• The best way to secure cardholder data is to encrypt the information file while transferring it through open networks.
• Another way to ensure is by installing antivirus software programs and update them regularly.
• And, routine testing of security systems.

What should a mobile app do for payment security options?

• Choose payment partners like Paypal, Paytm, etc.
• Other valid options like Google Pay, Apple Pay, etc.
• Some other mobile apps even allow payment through Cryptocurrencies like Bitcoins etc.

There are some famous third-party payment integrations that are secure and less tedious to maintain. And, you can use them as payment methods. These are trustworthy integrations. Know why people might use these often as secure payment options:

1. Apple Pay

Apple Pay has included in its privacy policy that they do not use the data to sell it to third parties for advertising reasons.

2FA (two-factor authorization)	Payment Notifications	App/Transaction Lock
Provided	Provided	Both

2. Google Pay

Just like Apple Pay does not sell data to third parties, similarly, Google Pay has restrictions with the data they collect. Moreover, one can also change the manual payment option in case you want to decline the payment request.

2FA (two-factor authorization)	Payment Notifications	App/Transaction Lock
Provided	Provided	Transaction lock

3. PayPal Mobile Cash

Collects data only useful for marketing purposes. Also, has a detailed privacy policy, the takes extra care of fraud monitoring. The app is popular for its easy use and integration.

2FA (two-factor authorization)	Payment Notifications	App/Transaction Lock
Provided	Provided	App lock

How often should companies be testing for compliance?

There is no correct answer to this question except to say that you should have PCI compliance tested as often as possible. If your company is one of those that have been caught with testing in the past, you should review the company’s test plan to determine whether there are ways to make it fail-safe.

The good news is that companies are starting to understand the critical importance of implementing effective security measures. It’s no longer just a case of ‘if’ a particular piece of data is secure — it’s ‘when’ it’s secure.

Many awareness-raising activities have focused on increasing awareness via mainstream media outlets (e.g., Forbes) rather than providing practical advice, but that approach misses the point. You have the PCI compliance checklist, get the testing done after every fixed period of time. 

Takeaway: I have an app how do I know if it’s PCI compliant?

If your business and/or personal information is at risk of being compromised due to poor cybersecurity practices, looking for the best technology solution can make all the difference. Information security is important to all companies, and that’s why the Idea Usher team has taken it upon themselves to guide developers in the right direction so that they can build secure apps. Learn more about our services and find out how we can help you implement them within your company!

We help app developers meet the most demanding regulatory requirements by automating the process of assessing whether your app is compliant with country security and anti-money laundering regulations. 

For more information on PCI DSS compliance, and how we can help you with it contact us.

FAQ

Who are the members of the PCI Security Standards Council?

It is a global organization formed by coming together of the major credit card companies like American Express, Master Card, Visa, Discover, etc.

How does Apple Pay work with Google Pay?

Both of these payment gateways take 30% for each payment made on your mobile app. But, they are more secure trusted payment gateways. You can get an In-App billing API for the app users to make payments through both Apple Pay, and Google Pay.

How to integrate Stripe payment gateway in Android app?

Firstly, make an account on Stripe and log in. Then, register your platform with your Stripe account. Follow the process to get the Stripe authentication code. Once you have got registered, get the testing and development parts done by your app development team.