Essential security practices for mobile apps that handle payment card data. Follow these guidelines to protect your users and maintain PCI-DSS compliance.
Always encrypt or tokenize card numbers before storage.
Keep secrets in the iOS Keychain, Android EncryptedSharedPreferences, or a hardware-backed keystore.
Only store what's absolutely necessary and purge data when no longer needed.
Never log card numbers, CVVs, or authentication credentials.
Pin your server's certificate or public key to prevent MITM attacks.
Disable older protocols like SSLv3, TLS 1.0, and TLS 1.1.
Never disable certificate validation, even in development.
Configure your app to reject all HTTP connections.
Use biometrics, secure PINs, or multi-factor authentication.
Use short-lived tokens and implement proper session timeout.
Never send passwords in URL parameters or cleartext.
Prevent brute-force attacks with exponential backoff.
Strip debug flags, test credentials, and verbose logging in production.
Use code obfuscation to protect payment processing code.
Sanitize user inputs to prevent injection attacks.
Use cryptographically secure random number generators.
Warn users or restrict functionality on compromised devices.
Detect app modification and respond appropriately.
Prevent screenshots of sensitive payment screens.
Use secure text entry for sensitive fields.
Use AES-256 for encryption and SHA-256 or stronger for hashing; avoid MD5 and SHA-1.
Store keys in hardware-backed keystores, never in code.
Prefer AES-GCM over AES-CBC for encryption.
Use PBKDF2, Argon2, or scrypt for password-based keys.
Upload your app to automatically check against these best practices and 847 PCI-DSS requirements.