After years of helping developers implement SDKs to add mobile payment processing to their POS solution, the Apriva Integration Services team has learned several best practices for effective implementation. In the coming months, we will be sharing these tips and recommendations to help your team prepare for integration, make the process as smooth as possible, and keep your solution up to date long after launch.
This month’s tip is about maintaining compliance with merchant processors and taking mobile payments security into consideration up-front.
Your payment app will need to take into consideration certain prescriptive industry-level security requirements in order to comply with card brand compliance programs and payment security frameworks such as PCI-DSS, PA-DSS, and PTS. By planning to incorporate security into your solution early, you will be supporting not only your organization’s responsibilities with mobile payments security, but also your customers and their respective security and compliance responsibilities. Fortunately, resources exist and are freely available to assist you with these efforts. One such resource to begin with is the PCI-DSS Quick Reference Guide, available from the PCI Security Standards Council which breaks down and helps with prioritizing and addressing potential vulnerabilities from multiple dimensions, including people, processes and technology.
- Educate development staff on secure coding best practices and quality assurance resources to spot potential software vulnerabilities.
- Program the app to only store the information that is absolutely necessary to meet PCI-DSS requirements. (See PCI-DSS Quick Reference Guide pages 14 and 17.)
- For any data that must be stored, make sure it is captured, transmitted, and stored securely through a central data feed or a local log on the handset. (See PCI-DSS Quick Reference Guide page 14.). Remember, if you don’t need it, don’t store it!
- Be aware of your merchant’s data storage and removal policy, and build the payment app to comply with that policy. (See PCI-DSS Quick Reference Guide page 22.)
- When you are in debug mode, only log the minimum data required to effectively troubleshoot and correct issues, and ensure no sensitive card data (e.g., full track data or PIN number or block) is stored. When troubleshooting is completed, fully remove or delete any sensitive data stored in debug mode. (See PCI-DSS Quick Reference Guide page 22.)
- Throughout the process, adhere to secure coding best practices to prevent issues, such as cross-site scripting, broken authentication, session management, malware, viruses, and improper error handling. See the OWASP Secure Coding Practices, the PCI Mobile Payment Acceptance Security Guidelines, and other PCI-DSS fact sheets for details.
- Maintain a vulnerability management program, and address malware or other critical issues immediately.
- Stay current with the latest card association merchant processing rules, payment card security guidance, trends, and common vulnerabilities.
- Patch any issues that arise as quickly as possible.
- Use the latest versions of all development tools and platforms to ensure they are using the most recent patches and security components.
- Separate development, testing, and production environments and roles. This will promote quality and objectivity with the product development and launch process. (See PCI-DSS Quick Reference Guide pages 17-18.)