Frequently Asked Question
If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?
Even though the consumer’s environment is outside of the merchant’s PCI DSS scope, the development of the application is in scope, as the application is being developed for the purpose of the merchant’s payment acceptance process. The application should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements – for example, Requirements 6.3, 6.4 and 6.5.
It is recommended that applications be developed using PA-DSS as a baseline for the protection of payment card data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers.