FAQ #1283 Diff
If a merchant develops an application that runs on a consumer?s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant?s obligations regarding PCI DSS and PA-DSS for that application?
Earlier Version
Later Version
Removed
Added
If the consumer is also the cardholder and is using the device solely for his/hertheir own cardholder data entry, and the applicationsoftware is only used by that cardholder using his own credentials, then the device is treated similarly to a cardholder's payment card. The consumer's environment in which the software runs is not in scope for the organization's PCI DSS assessment.
Even though the consumer's environment is outside of the organization's PCI DSS scope, the development of the software is in scope, as the software is being developed for the purpose of facilitating a merchant's payment acceptance process. The software should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements — for example, those included in Requirement 6. Additionally, if the software developer stores, processes, or transmits payment account data on the consumer's behalf, then PCI DSS will apply to the developer's environment.
It is recommended that software be developed using the Software Security Framework (SSF) standards (the Secure Software Standard and Secure SLC Standard) as a baseline for the protection of payment account data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers.
For information about whether software that runs on a consumer's device is eligible for listing as Validated Payment Software according to the PCI Secure Software Standard, or whether the software vendors are eligible for listing as a Secure SLC-Qualified Vendor according to the PCI Secure SLC Standard, refer to the Secure Software Program Guide or the Secure SLC Program Guide, respectively, on the PCI SSC website.
Note that, while PCI DSS does not require the use of Validated Payment Software or a Secure SLC-Qualified Vendor, some payment brands may have specific requirements. Entities should contact organizations that manage compliance programs, such as their acquirer (merchant bank) the payment brands, or other entity directly for information about any such requirements. Contact details for the payment brands canonly be found in FAQ #1142 How do I contact the payment card brands?.
See also the following related FAQ:
FAQ 1574: If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is usedby that cardholder using his own credentials, then the device is treated similarly to a cardholder?s payment card: The consumer?s environment in which the application runs is outside the scope of PCI DSS, and the consumer-facing application is not eligible for PA-DSS listing.
Even though the consumer?s environment is outside of the merchant?s PCI DSS scope, the development of the application is in scope, as the application is being developed for the purpose of the merchant?s payment acceptance process. The application should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements ? for example, Requirements 6.3, 6.4 and 6.5.
It is recommended that applications be developed using PA-DSS as a baseline for the protection of paymentaccept payment account data, can the organization store card data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers.verification codes for those consumers?
Even though the consumer's environment is outside of the organization's PCI DSS scope, the development of the software is in scope, as the software is being developed for the purpose of facilitating a merchant's payment acceptance process. The software should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements — for example, those included in Requirement 6. Additionally, if the software developer stores, processes, or transmits payment account data on the consumer's behalf, then PCI DSS will apply to the developer's environment.
It is recommended that software be developed using the Software Security Framework (SSF) standards (the Secure Software Standard and Secure SLC Standard) as a baseline for the protection of payment account data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers.
For information about whether software that runs on a consumer's device is eligible for listing as Validated Payment Software according to the PCI Secure Software Standard, or whether the software vendors are eligible for listing as a Secure SLC-Qualified Vendor according to the PCI Secure SLC Standard, refer to the Secure Software Program Guide or the Secure SLC Program Guide, respectively, on the PCI SSC website.
Note that, while PCI DSS does not require the use of Validated Payment Software or a Secure SLC-Qualified Vendor, some payment brands may have specific requirements. Entities should contact organizations that manage compliance programs, such as their acquirer (merchant bank) the payment brands, or other entity directly for information about any such requirements. Contact details for the payment brands can
See also the following related FAQ:
FAQ 1574: If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used
Even though the consumer?s environment is outside of the merchant?s PCI DSS scope, the development of the application is in scope, as the application is being developed for the purpose of the merchant?s payment acceptance process. The application should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements ? for example, Requirements 6.3, 6.4 and 6.5.
It is recommended that applications be developed using PA-DSS as a baseline for the protection of payment
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.