Say you are interested in developing an application that runs on consumers' devices and that will be used to accept payment card data. Perhaps, in this hypothetical, you have no idea where your app's obligations stand with respect to the PCI DSS and PA-DSS standards, and you need some guidance on the subject.
If that describes you, then you have come to the right place. This article should put to rest your concerns about your application's posture with respect to payment card industry compliance standards.
There are specific requirements for the situation in which a merchant develops an application that runs on consumers' devices and is used to accept payment card data. If the application can only be used by a cardholder using his or her own credentials, and the consumer uses the device only to enter his or her own cardholder data, then the device is treated essentially the same as a payment card: the consumer's environment in which the application runs is outside the scope of PCI DSS. It also follows that a consumer-facing application of this kind is not eligible for PA-DSS listing. Note that both conditions matter; if the same application were instead used by the merchant or its staff to enter customers' card data, the device would become part of the merchant's payment acceptance environment and would be in scope.
However, the fact that the consumer's environment is outside the merchant's PCI DSS scope does not mean that the SDLC that produced the application is excused. Because the application was created for the merchant's payment acceptance process, it must be developed in compliance with the PCI DSS requirements for secure software development and maintenance (Requirement 6). Even though such an application is not eligible for PA-DSS validation, the Council still recommends that PA-DSS be used as a baseline reference for properly protecting payment card data. The same goes for other industry references such as the ENISA and OWASP mobile security guidance.
Finally, keep up to date with the publications in the Council's document library, such as:
- Accepting Mobile Payments with a Smartphone or Tablet
- Mobile Payment Acceptance Security Guidelines for Developers
- Mobile Payment Acceptance Security Guidelines for Merchants as End-Users
If your particular scenario doesn't quite match what we have described, give us a call and we can discuss your specific scenario, obligations and options.