What PCI Compliance Means for Mobile App Security
If your organization is looking at PCI-DSS compliance, also known as the Payment Card Industry Data Security Standard, be sure you don’t overlook the mobile app security aspect.
For a bank or payments processor, the apps on your customers’ smartphones are a growing security risk that is easy to miss because it sits at the periphery of your infrastructure. While most of us know that cybercriminals will use aggressive tactics to harvest data, it’s easy to overlook some of the most obvious places they can attack. With mobile apps keeping everyone connected to everything from social media networks to financial institutions, the need to build security into mobile app development is drawing more and more attention.
What are the Most Common Security Threats in Mobile Apps?
There’s no shortage of opportunities for hackers to get valuable information by attacking popular apps. Sometimes, the value is in accessing an app or retrieving sensitive data, such as credit card information, from the app with stolen credentials. Many hackers will use credential harvesting schemes to collect login and password information or other authentication data to execute fraud attacks or to resell on the dark web.
Other common threats include:
- Mobile malware
- Mobile intellectual property (IP) theft
- App tampering
Cybersecurity breaches that originate in an app can look bad for your business. Imagine if thousands of customers trusted you with their debit card and credit card transactions and then had money stolen from their bank accounts with information that you left exposed. The fallout from that breach could be severe with financial fines and a significant loss in revenue as users scramble to cancel their accounts and clean up the mess. You may discover the damage to your brand alone could be severe.
How Can You Protect App Users?
With so much on the line for companies that accept, process, store, or transmit payment card data and card transactions, you may be wondering what your business can do to add layers of protection to your mobile app. A good starting point would be to:
- Harden your mobile application with obfuscation and white-box cryptography, to mitigate repackaging attacks.
- Secure the core components of your app, such as communications, storage, and interface.
To safeguard communications, look for a tool like OneSpan Mobile Security Suite that provides end-to-end encryption between server and client applications; essentially giving you an encrypted secure channel for almost anything, whether that’s text, photos, or QR codes. For secure storage, look to encrypt all application data in a way that’s independent of any operating system or device.
One of the most powerful security practices involves reverse-engineering your app to uncover its vulnerabilities and then addressing those risks to prevent bad actors from manipulating security controls and spoofing your app.
Developers should also create a system to monitor app behavior around the clock and identify insecure activities. This takes a diligent approach to penetration testing to detect and address vulnerabilities. Developers can also build reactive sequences into their code that disrupt potential attacks by responding when malicious activity is detected.
What is PCI Compliance?
Payment Card Industry (PCI) compliance enforces a standard security protocol for all companies that process, store, or transmit credit card data. The PCI Security Standards Council has established security measures intended to protect the financial information of consumers who do business with you – including in mobile app environments.
Achieving PCI compliance involves (among other factors):
- Secure data transmission
- Secure storage of cardholder information and customer data
- Use of security logging to monitor for incidents
- Disaster recovery & business continuity planning
- A sound information security policy
What PCI Compliance Means for Mobile App Development
Meeting the PCI requirements isn’t a simple checklist item that you mark off just before releasing your app to the App Store. It’s a fundamental part of the DevOps process. In many ways, addressing the complexities and security vulnerabilities of an app in development is as important as developing the app's features. A PCI-compliant app doesn’t sacrifice features for security or vice versa. The two are developed simultaneously so that security enhancements are always a primary concern.
In addition to implementing strong encryption of sensitive data at rest and of cardholder data in transmission, here are some concrete examples of security features to apply to your app to protect stored cardholder data:
- Mobile app shielding: It’s important to proactively protect your Android and iOS apps against intrusions, runtime attacks, and other threats in real time. Mobile app shielding helps organizations defend against tampering, thwart app spoofing, impede reverse-engineering and cloning, and detect and mitigate malware attacks. It accomplishes this with an invisible, always-on layer of mobile app security.
- Restricted access to app data through code obfuscation: If an attacker attempts to extract your app’s encryption keys, white-box cryptography uses encryption and obfuscation to keep the keys hidden within the app’s code – even at runtime.
- Device binding: Better prevent app cloning, stop the repurposing of cryptographic keys, and maintain a secure bond between the authorized user and the mobile device.
- Device identification: With unique ID attributes, you can identify a mobile device and provide persistent identification that remains unimpacted by mobile OS updates and can defeat attempts to spoof the device.
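As an added example (not OneSpan’s code or product logic), the following Python sketches the device-binding idea from the list above: a key is derived from an app secret plus device attributes and used to bind a stored payload, so a copy of the record carried to a cloned or different device fails verification. The device attribute names, app secret and token value are constructed placeholders; a production app would keep the key in a hardware-backed keystore and encrypt the payload with an AEAD cipher rather than only tagging it.

```python
import hashlib
import hmac
import os

# Constructed device attribute sets for illustration only; a real app would
# read stable, hardware-backed identifiers instead of these literals.
DEVICE_A = {"hw_id": "hw-0001-constructed", "install_id": "inst-aaaa"}
DEVICE_B = {"hw_id": "hw-0002-constructed", "install_id": "inst-bbbb"}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_bound_key(device: dict, app_secret: bytes, salt: bytes) -> bytes:
    """Derive a key that can only be recomputed on the enrolling device."""
    ikm = b"|".join([app_secret, device["hw_id"].encode(), device["install_id"].encode()])
    return hkdf_sha256(ikm, salt, b"device-binding-demo")


def enroll(device: dict, app_secret: bytes, payload: bytes) -> dict:
    """Bind a stored payload (e.g. a card token) to this device with a keyed MAC."""
    salt = os.urandom(16)
    key = device_bound_key(device, app_secret, salt)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return {"salt": salt, "payload": payload, "tag": tag}


def verify_binding(device: dict, app_secret: bytes, record: dict) -> bool:
    """True only if the record is unmodified and is read on the enrolling device."""
    key = device_bound_key(device, app_secret, record["salt"])
    expected = hmac.new(key, record["payload"], hashlib.sha256).digest()
    # Constant-time comparison so tag checks do not leak timing information.
    return hmac.compare_digest(expected, record["tag"])
```

Because the salt is random per enrollment, the same device and secret produce a different bound key each time, so a record cannot be reused across re-enrollments either.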
Meeting Critical Components of PCI DSS Requirements
There are different compliance levels depending on the number of transactions your company processes. This ranges from less than 20,000 transactions to more than 6 million annual transactions. The compliance requirements and noncompliance fines vary with each level. Expect things like an annual audit, quarterly network scans, self-assessment questionnaires, reporting, and special situations in the event of a data breach.
How to Select the Right Security Service Provider to Stay in Compliance
There is no shortage of companies that claim to have the right tools for monitoring your apps and meeting your business needs. So, how do you compare apples to oranges when choosing the right product?
- Diligent Background Research: Find out as much as you can about the security vendor and the security systems they offer. How long have they been in business, their track record, and who else is using them? If you can find a reputable provider with experience in your industry, that’s even better.
- Scrutinize their Approach: Really dig into the scope of the services being offered. No two security software solutions are the same. Make sure that the company is actually able to offer the services that you need. This would be a good time to break down their business model and figure out if you’re buying a packaged service or signing up for a flexible partnership. There’s nothing wrong with either if it is what you need – the point is that you know what you’re getting.
- Service: Get really clear on the level of service that the provider offers. If you use their products and experience a data breach, how will they be there to help? If you have questions during an audit, will you be able to get in touch? Again, no two companies are the same.
The Bottom Line on Mobile App Security
App security and data protection should be a top concern if you’re developing a mobile app. Across the board, the market has been a little slow to catch on to the security needs of mobile apps, leaving up to three-quarters of apps on the marketplace vulnerable. OneSpan can help you protect your mobile users, data and transactions with solutions beyond firewalls and anti-virus software. From cloud-based multi-factor authentication (MFA) to mobile app shielding, our solutions empower banks, payment providers, and mobile app developers with proven security tools to protect sensitive customer and cardholder data.
To learn more about protecting your mobile app, see our guide to Mobile App Shielding: How to Reduce Fraud, Save Money, and Protect Revenue.