Frequently Asked Question
If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?
Even though the consumer’s environment is outside of the merchant’s PCI DSS scope, the development of the application is in scope, as the application is being developed for the purpose of the merchant’s payment acceptance process. The application should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements – for example, Requirements 6.3, 6.4 and 6.5.
It is recommended that applications be developed using PA-DSS as a baseline for the protection of payment card data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?