Skip to main content

In September 2017, PCI SSC updated the Mobile Payment Acceptance Guidelines concerning mobile applications due to the ever increasing credit card and peer to peer transactions that are being executed on mobile devices. Any business that allows users’ mobile devices to accept payments should be mindful of the new guidelines in the PCI SSC; however, it’s especially important for Banking, Retail and Gaming companies.

How Arxan Supports PCI SSC Guidelines

Arxan Application Protection shields apps against reverse engineering and tampering and safeguards critical data communication keys to protect businesses from brand damage, financial loss, intellectual property loss and government penalties. Arxan’s multi-layered protection includes jailbreak/root detection, anti-debug, anti-tampering, key/data encryption and White-Box Cryptography. Arxan protection is integrated directly in the application creating a protected app that can operate securely in zero-trust environments.

Integrated into all Arxan app protections is the ability to collect attack data with Threat Analytics, a monitoring service that provides visibility into the security posture of protected applications. It delivers timely threat data to help customers quickly understand the difference between an app operating safely vs. one operating in a risky environment or that is actively being attacked.

Arxan protected apps can respond in a number of ways when they detect they are operating in a compromised environment, or they are being directly attacked:

  • Per PCI SSC guideline 4.3, multiple responses should be triggered when jailbreak/root devices are detected, ranging from disabling portions of the application, lowering approvable transfers/rates of approval, or even force the application to close. Arxan Threat Analytics can alert app logic to respond appropriately to compromises at the app level, as well as notify the fraud prevention team of customers operating their apps in compromised environments and respond by limiting account access.

  • For PCI SSC guideline 4.7, Arxan provides strong obfuscation capabilities covering control flow, function renaming, and even static string hiding to make static analysis extremely difficult. Additionally, checksum detection capabilities can detect app code modifications as well as attacks against other Arxan protection code elements. These protection capabilities alert when attacked, signaling app logic to respond as well as notifying the fraud team to take additional action at the backend.

Arxan’s app protection capabilities close the loop between app development, deployment, threat detection/notification and response, in order to follow the updated PCI SSC guidelines.

PCI Mobile Payment Acceptance Security Guidelines that application protection supports:

4.3 Prevent Escalation of Privileges: Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors. Therefore, the device should be monitored for activities that defeat operating system security controls — e.g., jailbreaking or rooting — and, when detected, the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or disables the payment application. Offline jailbreak and root detection and auto-quarantine are key since some attackers may attempt to put the device in an offline state to further circumvent detection. Hardening of the application is a method to that may help prevent escalation of privileges in a mobile device. Controls should include, but are not limited to: providing the capability for the device to produce an alarm or warning if there is an attempt to root or jailbreak the device; providing the capability within the payment-acceptance solution for identifying authorized objects9 and designing controls to limit access to only those objects.

4.7 Harden the Application: Mobile payment-acceptance applications should be hardened to prevent unintended logical access or tampering with the app such as code injection or reverse engineering. Numerous techniques can be used for hardening of the mobile payment-acceptance application that will reduce the attack surface.