
I need to implement a solution that allows a mobile app to make a payment against a payment gateway service.

The data I send are the card details and the payment data itself.

It is impractical to enter card details each time you want to make a payment, so I have analyzed the following alternatives:

  1. Save the card data on the smartphone. Discarded for security reasons.

  2. Use a third party to store the card data, such as PayPal Vault. Discarded because it hands the data to a third party.

  3. Save the card data on our own "central server" and use a token strategy. This has the disadvantage that this infrastructure must fulfill [PCI-DSS regulations][1].

  4. Save some of the card data on the smartphone and the rest in a central service (infrastructure), for example half of the PAN on the mobile and the other half on the smartphone.

Regarding the fourth alternative:

The question is: if only part of the card data is stored, must this central service also comply with the PCI-DSS standard?

Thank you

1 Answer

That's quite an interesting approach. From my point of view, storing the data on the handset is actually more secure (in aggregate) than on the server side, because losing an individual mobile has much less impact than having the central database breached.

Nevertheless, PCI DSS is pretty clear and unfortunately does not leave much room for this kind of creativity. Basically, if your system (and the mobile app as part of it) is processing card data, it needs to comply with the PCI DSS rules:

PCI DSS applies to all entities involved in payment card processing — including merchants, processors, financial institutions, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are defined as follows:

Account Data

  • Cardholder Data includes:
    • Primary Account Number (PAN)
    • Cardholder Name
    • Expiration Date
    • Service Code
  • Sensitive Authentication Data includes:
    • Full track data (magnetic-stripe data or equivalent on a chip)
    • CAV2/CVC2/CVV2/CID
    • PINs/PIN blocks

See the PCI Standards Council v3 document.

Considering the above, you have two options:

  1. outsource processing of the payment data to a PCI-compliant party (disclaimer: I'm working for one)
  2. take on the burden of compliance yourself. This does not have to be that hard, provided you can limit the scope affected. Look at early tokenisation, detokenising proxies, and a separated PCI zone (so most of your system never sees the card data at all).
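To make the second option concrete, here is an added example (not code from the question, the answer, or any payment provider) of the scope-limiting pattern the answer names: the card is tokenised once inside a small PCI zone, the merchant zone persists only the opaque token plus a truncated last-four, and a detokenising proxy swaps the token back for the PAN only on the way out to the gateway. All class names (`TokenVault`, `DetokenizingProxy`, `FakeGateway`), the in-memory storage, and the sample card number (a widely published Luhn-valid test PAN) are constructed for illustration; a real vault would be a hardened, audited service.

```python
"""Added example: tokenisation flow that keeps the full PAN inside a PCI zone.
All components are constructed stand-ins, not a real vault or gateway."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card PANs; rejects non-digit or odd-length input."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digit runs not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Scope check: does this record/log line hold anything that looks like a PAN?"""
    return any(luhn_valid(m) for m in PAN_RE.findall(text))


class TokenVault:
    """PCI-zone component: the only place that stores full PANs (dict here, constructed)."""

    def __init__(self):
        self._cards = {}

    def tokenize(self, pan: str, expiry: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # The token is random, not derived from the PAN, so it reveals nothing.
        token = "tok_" + secrets.token_urlsafe(24)
        self._cards[token] = (pan, expiry)
        # Only a truncated form (last four) leaves the PCI zone, for receipts.
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> tuple:
        return self._cards[token]


class FakeGateway:
    """Constructed stand-in for the acquirer/gateway; logs only a masked PAN."""

    def __init__(self):
        self.log = []

    def authorize(self, pan: str, expiry: str, amount_cents: int) -> dict:
        self.log.append(f"auth {amount_cents} masked={pan[:6]}******{pan[-4:]}")
        return {"status": "approved", "auth_id": "auth_" + secrets.token_hex(4)}


class DetokenizingProxy:
    """PCI-zone component: swaps token for PAN only on the way to the gateway,
    so the merchant zone never handles card data."""

    def __init__(self, vault: TokenVault, gateway: FakeGateway):
        self.vault, self.gateway = vault, gateway

    def charge(self, token: str, amount_cents: int) -> dict:
        pan, expiry = self.vault.detokenize(token)
        return self.gateway.authorize(pan, expiry, amount_cents)


def run_flow(pan: str = "4111111111111111", expiry: str = "12/30", amount_cents: int = 1999):
    """End to end: first payment tokenises the card, the merchant zone keeps the
    token, and later payments reference the token through the proxy."""
    vault, gateway = TokenVault(), FakeGateway()
    proxy = DetokenizingProxy(vault, gateway)
    # Step 1: card entered once on the device and sent straight to the PCI zone.
    card_ref = vault.tokenize(pan, expiry)
    # Step 2: merchant zone persists only token + last4 (constructed record).
    merchant_record = {"customer": "c_42", **card_ref}
    # Step 3: repeat payments use the token; the PAN never re-enters the app.
    result = proxy.charge(merchant_record["token"], amount_cents)
    return merchant_record, result, gateway.log


if __name__ == "__main__":
    rec, res, log = run_flow()
    print(rec, res, log)
    print("merchant record holds a PAN:", contains_pan(str(rec)))
```

The `contains_pan` check is the practical payoff: run it over the merchant zone's database dumps and logs and it should never fire, which is the evidence you want when arguing that those systems are out of PCI DSS scope. Note that splitting the PAN between device and server, as in the question's fourth option, would still leave PAN fragments in both places; the token in this design carries no card digits at all.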