
I am developing an Android application (native) which contains a module to make reservations on hotels / taxis etc. I am planning to accept the payment details (amount, credit card number, expiry date etc.) from a screen of my application and pass them to my middle layer (hosted on an IIS server on my company premises) via an API call. Then my middle layer will call the payment gateway APIs and will pass the payment info to them for processing.
Communication between both mobile app to middle layer, and middle layer to payment gateway, happens via secure channels (HTTPS). I am not storing any payment information in either the mobile app or the middle layer.

My questions are:

1. To implement the above scenario, do I (my company) have to be PCI DSS compliant?
2. If I directly call the payment gateway API via the mobile application rather than routing through the middle layer, would PCI DSS compliance still be required? I am hoping that since the application is in Google Play, the PCI requirement will not be applicable here.

Any suggestions/clarifications are greatly appreciated. Thanks.

I strongly encourage you to take this up on some other forum, or perhaps with qualified legal counsel, as none of these are programming questions. That being said, my understanding is that #1 definitely requires PCI DSS compliance, and #2 would depend a bit on the nature of the gateway API. Google Play has nothing to do with matters, as you are accepting credit card information directly. (CommonsWare)
Thank you for your time and answer. (Apsara Wanasinghe)
This question appears to be off-topic because it is about security and not programming. (John Conde)

2 Answers


The standards documentation states that you need to be PCI compliant if you "store, process, or transmit cardholder data". It's clear you transmit card data, hence you need to be PCI compliant.
You can easily avoid being compliant by using a 3rd party hosted payment service where the order page and card capture is not served by your application. PayPal is the most popular example, but there are others like BlueSnap, Zooz, Cybersource, BrainTree, etc.
The effort of becoming PCI compliant is relative to the complexity of your solution. The more software/IT layers the card flows through, the harder it'll be to get compliant. If you implement direct communication between the app and the processor (as you suggested), then it should be pretty easy to become compliant. Basically all you need to do is fill out the self-assessment questionnaire and send it to your processor.


Apart from Tal's answer, it is important to look at the PCI level of your client.

http://usa.visa.com/clients-partners/acquirers/data-security/pci-dss-compliance.jsp

The level of PCI requirements that need to be satisfied may change depending on your merchant's credit card transaction behavior.

If you prefer to use some of the information (for a loyalty program) in your application, it is better to use a vault with a tokenization implementation. https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf

As a practice, it is important to have a diagram of the data path (how the information flows) to understand what vulnerabilities you will come across in your application. This will help to review the security that you need to incorporate in order to protect customer data.

https://www.voltage.com/wp-content/uploads/Voltage_WP_SecureData_Streamlining_InformationProtection_DataCentricSecurityApproach.pdf
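Both answers point at the same scope-reduction pattern: let the card number travel from the app straight to a PCI-scoped provider, and let the merchant's own middle layer handle only an opaque token. The following is an added example written for this page (it is not code from either answer, from any of the named providers, or from the asker's project) that models that pattern in Python with a toy token service, a merchant backend that refuses to store anything resembling a card number, and an audit check over the merchant's storage. The class names, the `tok_` token format and the customer data are all constructed; the card number used is the well-known 4111 test PAN, not a real card.

```python
import re
import secrets
import string
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: cheap input validation, not proof a card exists."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked PAN (last four only) is the most a merchant system should ever keep."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenService:
    """Stand-in for the PCI-scoped tokenization provider / gateway (constructed).
    The merchant never hosts this; the app calls it directly over HTTPS."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}    # token -> PAN; a real vault encrypts at rest

    def tokenize(self, pan: str, expiry: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Random, letters-only token: not derivable from the PAN and can never be
        # mistaken for one by a card-number scanner (constructed format).
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real provider forwards the PAN to the card network at this point.
        return {"status": "approved", "amount_cents": amount_cents, "card": mask_pan(pan)}


@dataclass
class MerchantBackend:
    """The middle layer from the question, redesigned so it never sees a PAN."""
    gateway: TokenService
    customers: dict = field(default_factory=dict)   # customer_id -> token record

    def save_payment_method(self, customer_id: str, token_record: dict) -> None:
        # Refuse anything that looks like a raw card number, so a bug in the app
        # cannot silently pull this service into PCI scope.
        for value in token_record.values():
            if not isinstance(value, str):
                continue
            digits = re.sub(r"[ -]", "", value)
            if any(luhn_ok(run) for run in re.findall(r"\d{13,19}", digits)):
                raise ValueError("refusing to store what looks like a PAN")
        self.customers[customer_id] = token_record

    def reserve_and_pay(self, customer_id: str, amount_cents: int) -> dict:
        record = self.customers[customer_id]
        return self.gateway.charge(record["token"], amount_cents)

    def holds_card_data(self) -> bool:
        """Audit helper: does any stored value contain a Luhn-valid 13-19 digit run?"""
        blob = repr(self.customers)
        return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", blob))


def checkout_flow() -> tuple:
    """End-to-end flow on constructed data: app -> token service -> backend -> charge."""
    gateway = TokenService()
    backend = MerchantBackend(gateway)
    # Step 1: the app sends card data directly to the token service, not to the backend.
    record = gateway.tokenize("4111111111111111", "12/27")
    # Step 2: the app hands the backend only the token record (token, last4, expiry).
    backend.save_payment_method("cust_42", record)
    # Step 3: the backend charges by token once the reservation is confirmed.
    receipt = backend.reserve_and_pay("cust_42", 12900)
    return backend, receipt


if __name__ == "__main__":
    backend, receipt = checkout_flow()
    print(receipt, "card data in merchant storage:", backend.holds_card_data())
```

The point of the design is the data-path diagram the second answer asks for: the only component that ever holds a PAN is the token service, so the merchant backend and its database can be left out of the cardholder data environment, and the `holds_card_data` check is the kind of evidence an assessor wants when you claim that. Swapping a real provider's client SDK in for `TokenService` does not change the merchant side.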