Compliance & Standards
PCI Mobile Payment Acceptance Security Guidelines
An ever-increasing number of credit card and peer-to-peer transactions are being executed on mobile devices. With this trend in mind, PCI SSC updated the Mobile Payment Acceptance Guidelines concerning mobile applications in September of 2017. These guidelines are important to any business that relies on its users’ mobile devices to accept payments. However, they are especially important for banking, retail and gaming companies.
In order to follow the updated PCI SSC guidelines, Arxan’s app protection capabilities close the loop involving app development, deployment, threat detection/notification, and response. Applications protected by Arxan can respond to threats in a number of ways, whether the app detects that it is operating in a compromised environment or recognizes that it is being directly attacked:
- Per PCI SSC guideline 4.3, multiple responses should be triggered when jailbroken/rooted devices are detected, ranging from disabling portions of the application and lowering approvable transfer amounts or approval rates to forcing the application to close. Arxan Threat Analytics can alert app logic to respond appropriately to compromises at the app level. It also notifies the fraud prevention team, helping identify customers who operate their apps in compromised environments. Most importantly, Arxan prevents escalation of privileges by limiting account access.
- Per PCI SSC guideline 4.7, Arxan hardens applications by providing strong obfuscation capabilities covering control flow, function renaming, and even static string hiding, making static analysis extremely difficult. Additionally, checksum detection capabilities can detect modifications to app code as well as attacks against other Arxan protection code elements. These protection capabilities raise an alert when attacked, signaling app logic to respond and notifying the fraud team to take additional action at the backend.
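The two bullets above describe a pattern a defender can implement in any payment app: a checksum-style self-integrity check (guideline 4.7) whose result, together with root and debugger signals, feeds a graduated response policy (guideline 4.3) that lowers limits, disables features, or closes the app and raises an alert for the fraud team. The following is an added illustration written for this page, not Arxan's code or API. It assumes a hypothetical build step that embeds a keyed digest of the app's code segment (`EXPECTED_DIGEST`, `INTEGRITY_KEY`) and a runtime that supplies `rooted` and `debugger_attached` flags from whatever detection the app already has; the code bytes and key are constructed sample values.

```python
"""Constructed example: graduated response policy for a payment app.

Assumed (hypothetical) build-time inputs: INTEGRITY_KEY and EXPECTED_DIGEST
are embedded into the binary by the build pipeline. At runtime the app
recomputes the digest over its own code segment and compares it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List

# Constructed stand-ins: a fake "code segment" and the key used to digest it.
INTEGRITY_KEY = b"build-time-secret-key-placeholder"
CODE_SEGMENT = b"\x55\x48\x89\xe5\x48\x83\xec\x10 sample code bytes"
# In a real build this is computed once at build time and embedded, never
# derived from the running binary as it is here for the demo.
EXPECTED_DIGEST = hmac.new(INTEGRITY_KEY, CODE_SEGMENT, hashlib.sha256).hexdigest()


def verify_integrity(code: bytes, expected_hex: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Tamper check: recompute the keyed digest of the code segment and compare
    it in constant time against the embedded reference value."""
    actual = hmac.new(key, code, hashlib.sha256).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


class Risk(IntEnum):
    NONE = 0    # clean environment
    LOW = 1     # rooted/jailbroken device, nothing else observed
    MEDIUM = 2  # debugger attached: an active attack on the running app
    HIGH = 3    # app code modified: integrity check failed


@dataclass
class Signals:
    rooted: bool = False
    debugger_attached: bool = False
    integrity_ok: bool = True


@dataclass
class Decision:
    risk: Risk
    transaction_limit: float
    disabled_features: List[str] = field(default_factory=list)
    terminate: bool = False
    alert: Dict[str, object] = field(default_factory=dict)  # sent to the fraud team


def assess_environment(s: Signals) -> Risk:
    """The most severe signal determines the risk tier."""
    if not s.integrity_ok:
        return Risk.HIGH
    if s.debugger_attached:
        return Risk.MEDIUM
    if s.rooted:
        return Risk.LOW
    return Risk.NONE


def respond(s: Signals, baseline_limit: float, account_id: str) -> Decision:
    """Map the risk tier to a graduated response: reduce approvable amounts,
    then disable portions of the app, then force it to close. Every non-clean
    tier also produces an alert record for the backend fraud team."""
    risk = assess_environment(s)
    d = Decision(risk=risk, transaction_limit=baseline_limit)
    if risk >= Risk.LOW:
        d.transaction_limit = baseline_limit * 0.25   # lower approvable transfers
    if risk >= Risk.MEDIUM:
        d.transaction_limit = 0.0
        d.disabled_features = ["p2p_transfer", "card_on_file_update"]
    if risk >= Risk.HIGH:
        d.terminate = True
        d.disabled_features = ["*"]
    if risk > Risk.NONE:
        d.alert = {
            "event": "compromised_environment",
            "account": account_id,
            "risk": risk.name,
            "rooted": s.rooted,
            "debugger": s.debugger_attached,
            "integrity_ok": s.integrity_ok,
        }
    return d


def run_startup_checks(rooted: bool, debugger_attached: bool, account_id: str,
                       baseline_limit: float = 1000.0,
                       code: bytes = CODE_SEGMENT) -> Decision:
    """Wire the integrity check and environment flags into one decision."""
    signals = Signals(rooted=rooted, debugger_attached=debugger_attached,
                      integrity_ok=verify_integrity(code, EXPECTED_DIGEST))
    return respond(signals, baseline_limit, account_id)


if __name__ == "__main__":
    print(run_startup_checks(rooted=True, debugger_attached=False, account_id="acct-demo"))
```

The policy is deliberately monotonic: a higher tier inherits every restriction of the tiers below it, so a tampered binary on a rooted device is never treated more leniently than a merely rooted one. The alert record is what the backend needs to lower approval rates for that account server-side, which is the control that still holds if the client-side response is bypassed.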
Arxan Application Protection shields apps against reverse engineering and tampering while safeguarding critical data communication keys. This strategy protects businesses from brand damage, financial loss, intellectual property loss, and government penalties. Arxan’s multi-layered protection includes jailbreak/root detection, anti-debug, anti-tampering, key/data encryption and White-Box Cryptography. Arxan protection is integrated directly in the application itself, creating a protected app that can operate securely in zero-trust environments.
The ability to collect attack data with Threat Analytics, a monitoring service that provides visibility into the security posture of protected applications, is also integrated into all Arxan app protections. The service delivers timely threat data to help customers quickly distinguish an app operating safely from one operating in a risky environment or actively under attack.
Learn how Arxan can help.