PCI Compliance and In-app Payments

By Shane Spears, Director, Global Payment Solutions February 24, 2017


As more businesses experience growth in purchases made via mobile phones, the ability to make payments within an app has become a hot topic.

Many businesses use a payment gateway and tokenization for online payments to reduce their PCI scope, and they are looking to expand this functionality to their in-app payments. Merchants use payment gateways to eliminate the need to store sensitive card data, thereby significantly reducing PCI issues. Utilizing a Software Development Kit (SDK) provided by a gateway to keep the card number off the merchant's systems reduces PCI scope and provides additional protection against data breaches. One of the key recommendations of the PCI Security Standards Council is to isolate sensitive functions and data in trusted environments. By utilizing the SDK of a Level 1 certified PCI compliant gateway, merchants can help meet this recommendation. The Accertify® Payment Gateway offers such an SDK.

It is important to note that PCI compliance covers the entire payment infrastructure of the merchant, and no individual component such as the SDK or the mobile app is considered PCI compliant in and of itself. All apps that offer payment acceptance as part of their functionality require a Qualified Security Assessor (QSA) to provide guidance regarding PCI compliance.

Merchants used to the comparatively simple SAQ (Self-Assessment Questionnaire) for hosted payment functionality (a primary function of a payment gateway) will find that the requirements for mobile apps are more stringent and detailed. A full PCI audit, however, is not generally required. This represents a significant reduction of effort and underscores the value a payment gateway can offer. Currently, the mobile SDK offered by the Accertify Payment Gateway falls under SAQ D, and we are working to bring it to the level of SAQ A-EP (a lower level of scrutiny) in the future.

For more specific recommendations from the PCI Security Standards Council regarding payment acceptance within a mobile app, please refer to the below link:

https://www.pcisecuritystandards.org/documents/Mobile_Payment_Acceptance_Security_Guidelines_for_Developers_v1-1.pdf?agreement=true&time=1486675696108

If you have any questions or comments, please inquire with Shane Spears at sspears@accertify.com.

About the Author

Shane is the Director of Global Payment Solutions at Accertify. When he's not chasing bears off his Montana property, he manages the company’s global payment gateway.