Common PCI Violations in the Wild
Our security research team analyzed over 500 payment applications and found these recurring violations.
1. Hardcoded API Keys
Violation: PCI DSS 3.4, 6.5.3
Found in 34% of apps scanned. API keys for payment gateways embedded directly in source code.
Fix: Use secure key management and environment variables.
2. Insufficient TLS Configuration
Violation: PCI DSS 4.1
23% of apps accepted TLS 1.0/1.1 connections or had improper certificate validation.
Fix: Enforce TLS 1.2+ with proper certificate pinning.
3. Missing Root Detection
Violation: PCI DSS 5.1, 11.5
41% of payment apps had no root/jailbreak detection.
Fix: Implement robust device integrity checks.
4. Insecure Data Storage
Violation: PCI DSS 3.4
28% stored sensitive data in plaintext SharedPreferences or UserDefaults.
Fix: Use encrypted storage and Android Keystore/iOS Keychain.
5. Debug Code in Production
Violation: PCI DSS 6.5.10
19% of production apps had debugging enabled or contained debug logs with sensitive data.
Fix: Ensure proper build configurations strip debug code.
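As an added example covering findings 1 and 5 above (not code from the research team or from any app they scanned), a small Python source scanner that flags gateway-style keys and high-entropy secrets assigned in code, plus debug log calls that mention cardholder data. The sample source lines, the sk_/pk_ key prefixes and the variable names are constructed assumptions for illustration.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of Kotlin-style source lines (not taken from any real app).
SAMPLE_SOURCE = """\
val gatewayKey = "sk_live_9Qz3mX7vLp2Rt8Kw4Nc6Bh1J"
val apiBase = "https://api.example.com/v1"
val merchantSecret = "Zq8vT2nL5kP9xW3rB7mD4hY6"
val tokenLabel = "Enter your card details here"
Log.d("Checkout", "card=" + cardNumber + " cvv=" + cvv)
Log.i("Checkout", "payment status=" + status)
val gatewayKey = System.getenv("GATEWAY_KEY")
"""

# Gateway-style prefixes (sk_/pk_ + live/test) are an assumed convention, not a PCI format.
KEY_PATTERN = re.compile(r'"((?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{16,})"')
# Long string literal assigned to a variable whose name suggests a secret.
SECRET_ASSIGN = re.compile(r'(?i)(key|secret|token|password)\w*\s*=\s*"([^"]{20,})"')
# Android Log.*, NSLog and print calls whose arguments mention cardholder data.
LOG_CALL = re.compile(r'\b(Log\.[vdiwe]|NSLog|println?)\s*\(')
SENSITIVE_TERM = re.compile(r'(?i)\b(card|pan|cvv|cvc|expiry|token|password)\b')


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score higher than UI prose."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule id, matched text) for each finding."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = KEY_PATTERN.search(line)
        if m:
            findings.append((no, "HARDCODED_GATEWAY_KEY", m.group(1)))
            continue
        m = SECRET_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) > 4.0:  # threshold filters UI strings
            findings.append((no, "HARDCODED_SECRET", m.group(2)))
            continue
        if LOG_CALL.search(line) and SENSITIVE_TERM.search(line):
            findings.append((no, "SENSITIVE_DEBUG_LOG", line.strip()))
    return findings


if __name__ == "__main__":
    for no, rule, text in scan_source(SAMPLE_SOURCE):
        print(f"line {no}: {rule}: {text}")
```

The last sample line shows the fixed form (key read from the environment), which passes all three rules; the tokenLabel line is a deliberate near-miss that the entropy threshold suppresses.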
6. Vulnerable Dependencies
Violation: PCI DSS 6.3.2
67% used at least one library with known critical vulnerabilities.
Fix: Audit dependencies regularly and update any library with known vulnerabilities.
7. Missing Code Obfuscation
Violation: PCI DSS 6.5.4
52% had no code obfuscation, making reverse engineering trivial.
Fix: Apply ProGuard/R8 on Android and the equivalent release build settings on iOS.
Don't let these violations affect your app. Get a free security scan.