PCI DSS (Payment Card Industry Data Security Standard) compliance

The PCI Security Standards Council (PCI SSC) is the global body that maintains, evolves, and promotes the security standards for organizations that handle payment card data. PCI DSS applies to every merchant and service provider that stores, processes, or transmits cardholder data, including those that accept payments through mobile devices and apps, and it requires them to protect that data by maintaining a secure environment. The Council's mobile payment acceptance guidance also stresses that consumer mobile devices are not inherently trustworthy, so an app running on them must be reinforced with additional protection measures.

PCI DSS requirements applying to mobile devices and apps handling credit card data

Requirement 5

Protect all systems and networks against malicious software, and keep anti-malware mechanisms current. Malware can enter systems through many channels, including the internet, email, mobile devices, and removable storage media, so anti-malware coverage must extend to every system in the cardholder data environment.

Requirement 6

Develop and maintain secure systems and software. Known vulnerabilities in an application or its components can give an attacker unauthorized access to cardholder data, so the requirement covers secure development practices (including protection against common coding vulnerabilities), identification of security vulnerabilities in bespoke and third-party software, and timely patching: PCI DSS requires critical and high-severity security patches to be installed within one month of release, with other applicable patches applied within an appropriate time frame.

How to comply

To comply with PCI DSS, organizations must treat every mobile application that handles cardholder data as part of the cardholder data environment and secure it both during development and while it runs on untrusted devices.

Runtime Application Self-Protection (RASP) strengthens application security by detecting and responding to threats in real time while the app is executing, such as a rooted or jailbroken device, an attached debugger, a hooking framework, or a tampered or repackaged binary. It adds a layer of defense beyond traditional perimeter and device-level controls, which cannot be relied on for devices the organization does not own.

Application Security Testing (AST) complements RASP by finding vulnerabilities before release: static testing (SAST) analyzes the source code, dynamic testing (DAST) exercises the running application, and software composition analysis checks third-party components for known vulnerabilities. Together these support Requirement 6 by identifying and remediating flaws before an attacker can exploit them.
