Understanding the Payment Card Industry Data Security Standard and how it applies to mobile application development.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
PCI-DSS v4.0.1 is the latest version, released in 2024, and includes specific requirements for mobile applications that handle payment card data. Non-compliance can result in fines ranging from $5,000 to $100,000 per month.
How each requirement applies to mobile applications
Implement firewalls and other network security controls to protect cardholder data environments.
Mobile apps must use secure network configurations, certificate pinning, and proper TLS implementation.
Change default passwords and remove unnecessary services to reduce attack surface.
Apps should not contain hardcoded credentials, debug flags, or unnecessary permissions.
Protect stored cardholder data using encryption and access controls.
Card data must never be stored in plaintext. Use secure storage APIs like Keychain (iOS) or EncryptedSharedPreferences (Android).
Encrypt transmission of cardholder data across open, public networks.
All network traffic must use TLS 1.2+ with certificate validation. No cleartext HTTP allowed.
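The transport controls named in the two network requirements above (TLS 1.2 or higher, certificate validation, no cleartext, certificate pinning) as an added example, not code from the page or from any vendor. It is written in Python so the logic stays platform-neutral; a real app would port it to Swift or Kotlin. The endpoint URL and the certificate bytes are constructed placeholders; pinning here is by SHA-256 fingerprint of the leaf certificate DER.

```python
# Added example (not the page's own code): transport controls a mobile client
# applies before sending cardholder data, written in Python as platform-neutral
# logic. The endpoint and certificate bytes below are constructed placeholders.
import hashlib
import socket
import ssl
from urllib.parse import urlparse


def build_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, chain validation and hostname check on."""
    ctx = ssl.create_default_context()  # system trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_permitted_url(url: str) -> bool:
    """Only https endpoints may carry cardholder data; cleartext http is refused."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def certificate_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints: set) -> bool:
    """Leaf-certificate pinning: the presented certificate must be on the allow-list.
    Ship at least one backup pin so a certificate rotation does not break the app."""
    return certificate_fingerprint(der_cert) in pinned_fingerprints


def open_pinned_connection(host: str, port: int, pinned_fingerprints: set) -> ssl.SSLSocket:
    """Handshake with full chain validation, then enforce the pin on the leaf.
    Needs network access, so it is defined but not exercised offline."""
    ctx = build_client_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    leaf_der = sock.getpeercert(binary_form=True)
    if not pin_matches(leaf_der, pinned_fingerprints):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return sock


if __name__ == "__main__":
    # Constructed bytes standing in for a DER certificate captured at build time.
    sample_der = b"\x30\x82\x01\x0a" + b"constructed-certificate-body"
    pins = {certificate_fingerprint(sample_der)}
    print(is_permitted_url("https://api.example.com/v1/charge"))  # True
    print(is_permitted_url("http://api.example.com/v1/charge"))   # False
    print(pin_matches(sample_der, pins))                           # True
```

The pin check runs only after the normal chain validation has succeeded, so a pin mismatch on a validly signed certificate (for example a corporate interception proxy) still fails closed. Fingerprints are compared as hex strings of equal length, so set membership is sufficient here; the secret is the private key, not the fingerprint.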
Protect systems and networks from malicious software.
Apps should implement runtime integrity checks and detect rooted/jailbroken devices when processing payments.
Develop and maintain secure systems and software.
Follow secure coding practices, perform code reviews, and address vulnerabilities before release.
Restrict access to system components and cardholder data by business need to know.
Implement proper authorization checks and role-based access controls within the app.
Identify users and authenticate access to system components.
Implement strong authentication, MFA where applicable, and secure session management.
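The authentication and session pieces above (a second factor, and sessions that are bound to a user and expire) as an added example, not code from the page or from any vendor. It is Python so the logic is platform-neutral; the TOTP part follows RFC 4226 / RFC 6238 with HMAC-SHA1, and the session token is a server-minted payload with an HMAC-SHA256 tag. The key and user id are constructed; in a real deployment the key lives only on the server and the token is kept in the platform's secure storage.

```python
# Added example (not the page's own code): authentication primitives for a
# payment feature, written in Python as platform-neutral logic. Keys and user
# ids are constructed; the TOTP part follows RFC 6238 with a SHA-1 HMAC.
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte counter."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for the time step containing `now` (Unix seconds)."""
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock skew.
    Each comparison is constant-time so the check itself leaks no timing information."""
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(key, counter + offset), submitted)
        for offset in range(-window, window + 1)
    )


def issue_session(user_id: str, key: bytes, now: int, ttl: int = 900) -> str:
    """Session token: user id, absolute expiry and a nonce, tagged with HMAC-SHA256."""
    payload = f"{user_id}|{int(now) + ttl}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def validate_session(token: str, key: bytes, now: int) -> Optional[str]:
    """Return the user id when the tag verifies and the token is unexpired, else None."""
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    user_id, expires_at, _nonce = payload.decode().split("|")
    if int(now) >= int(expires_at):
        return None  # expired: the app must re-authenticate
    return user_id


if __name__ == "__main__":
    # Constructed key; "12345678901234567890" is the RFC 6238 test secret.
    totp_key = b"12345678901234567890"
    print(totp(totp_key, 59))                       # 287082
    session_key = secrets.token_bytes(32)
    token = issue_session("user:42", session_key, now=1_000_000)
    print(validate_session(token, session_key, now=1_000_100))  # user:42
    print(validate_session(token, session_key, now=1_000_900))  # None
```

The tag is verified before the payload is parsed, so malformed or tampered tokens are rejected without any field being trusted. The absolute expiry gives the session a hard lifetime; an idle timeout would be layered on top by tracking last activity server-side.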
Restrict physical access to cardholder data.
Mobile devices should require screen locks and biometric authentication for payment features.
Log and monitor all access to system components and cardholder data.
Implement audit logging for sensitive operations and security events within the app.
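Audit logging that records who did what without ever writing a full card number, which serves both the storage requirement (no plaintext PAN at rest, logs included) and the logging requirement above, as an added example that is not code from the page or from any vendor. It is Python, platform-neutral logic; the events are constructed and 4111111111111111 is a widely used test card number. A Luhn check keeps 16-digit order ids and similar values from being masked by mistake.

```python
# Added example (not the page's own code): audit logging that never records a
# full PAN, written in Python as platform-neutral logic. Sample events are
# constructed; 4111111111111111 is a well-known test card number.
import json
import logging
import re
from datetime import datetime, timezone

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check, so order numbers and timestamps are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid digit run with asterisks, keeping only the last four."""
    def _mask(match: "re.Match") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Masks PANs in every record passing through the handler it is attached to."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pan(record.getMessage())
        record.args = ()
        return True


def audit_event(event: str, actor: str, outcome: str, detail: str = "") -> dict:
    """Structured audit record: who did what, when, with what result."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "actor": actor,
        "outcome": outcome,
        "detail": mask_pan(detail),
    }


def build_audit_logger(name: str = "payments.audit") -> logging.Logger:
    """Logger whose single handler redacts PANs before anything reaches the sink."""
    logger = logging.getLogger(name)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.addFilter(PanRedactingFilter())
        handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger


if __name__ == "__main__":
    log = build_audit_logger()
    # Constructed events: one carrying a card number, one carrying a 16-digit
    # order id that fails Luhn and must stay readable for investigators.
    log.info(json.dumps(audit_event("charge", "user:42", "approved",
                                    "card 4111 1111 1111 1111 charged")))
    log.info("lookup order 1234567890123456 for user:42")
```

Masking is applied both in the structured record and again in the handler filter, so a developer who logs a free-form string bypassing audit_event still cannot leak a PAN. Keeping only the last four digits stays within the masking PCI-DSS permits for display.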
Test security of systems and networks regularly.
Perform regular vulnerability scans and penetration testing on mobile applications.
Support information security with organizational policies and programs.
Maintain security policies that cover mobile app development and deployment.