Author: Roman Denisenko, Senior Testing Engineer.
Because of the specifics of my work, I am often asked questions like: “We have a great mobile application, and we are going to add the possibility of paying by bank card to it. But we are a bit concerned about the PCI PA-DSS standard. What should we do?” To make my life easier, I decided to write an article explaining how the PCI PA-DSS standard relates to the ordinary mobile applications living in millions of phones around the world.
First, let's recall what PCI PA-DSS is and what it is about. PA-DSS was developed by the PCI SSC (Payment Card Industry Security Standards Council) and is essentially an adaptation of the requirements of the PCI DSS standard to individual applications. The standard applies to all applications that process cardholder data. Its main function is to make it possible to seamlessly integrate a certified payment application into an infrastructure operating within the framework of the PCI DSS standard. Thus, any PCI DSS certified company can use PA-DSS certified software within its infrastructure without any additional checks.
It is worth noting that, unlike PCI DSS, PA-DSS certification is not mandatory: the software vendor decides for itself whether to certify its product or not, thereby shifting part of its responsibility toward potential buyers onto the shoulders of the PCI SSC.
According to official materials, the SSC divides all mobile applications into three categories:
1. Category 1. Payment applications that can only run on a mobile device that is recognized as compliant with the PTS standard (for example, on a PoS terminal).
2. Category 2. Mobile applications that meet ALL of the following criteria:
a. The mobile payment application is provided as a turnkey solution that comes bundled with specific equipment.
b. The mobile device is specifically designed to accept payments and performs only that function.
c. The mobile application is installed as a bundle on the mobile device intended for it and provides an environment that allows PCI DSS compliance to be achieved and maintained.
3. Category 3. All other payment applications running on any consumer handheld device (for example, smartphones, tablets, PDAs) whose functionality is not limited to accepting payments.
If you are unlucky and your application falls into the first two categories, then, unfortunately, it is subject to the PA-DSS standard. Everything then depends on whether you want to be certified or not.
But if your application was developed for ordinary users and is available in any mobile app store (for example, it is simply the mobile version of your online store), you fall into the third category and do not need to comply with the PA-DSS standard.
The answer to the question of why the PCI SSC has not yet released any security standard specific to mobile applications was given at one of the PCI Community Meetings: “We decided not to issue a standard for the simple reason that technologies are evolving so quickly that if we did write the standard, it would become obsolete even before it was released.”
Nevertheless, the PCI SSC looks ahead and advises developing applications with the PA-DSS recommendations in mind, because sooner or later mobile applications will get their own security standard, and complying with it will be a big headache for everyone who is not ready for it. It is for this reason that the PCI SSC has published several guides for developers and for merchants.
Additionally, the official website offers a special brochure explaining how to properly process card payments through mobile applications. In it, the PCI SSC recommends using P2PE solutions to avoid interception of the transmitted data: in this case, cardholder data passes through the mobile application in already encrypted form.
Finally, I want to say only one thing: create useful and convenient mobile applications that facilitate our everyday life! But never forget that there will always be those who will try to bypass your protection system. Therefore, be vigilant.