As PCI-DSS 3.1 nears its final months, it’s time to think a bit more about PCI mobile app security testing under PCI-DSS 3.2, which comes into force on 31st October 2016.
PCI-DSS Version 3.2
Version 3.2 will be the 8th release of PCI-DSS from the PCI SSC. The number of releases reflects the ongoing need to adapt to the ways the payment card industry interacts with consumers, whether in person, via the web, or on mobile, and to respond to reports of data breaches and to industry feedback.
One of the most notable sub-requirements is the use of multi-factor authentication for every instance of non-console administrative access and for all remote access into the cardholder data environment.
Also new are the addenda on the migration timeframe away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), and the “Designated Entities Supplemental Validation” (DESV).
PCI mobile app security testing
For those with concerns about PCI app security, the PCI SSC created a standard for developers of payment applications, the PA-DSS. The PA-DSS sets the standard for PCI mobile app security testing and for third-party payment software that stores sensitive data.
Many of the PCI app security requirements in PA-DSS 3.2 align with those of PCI-DSS 3.2.
Security controls
New requirement 6.4.6 enforces high-level change control, requiring that security be re-verified after any modification of the cardholder data environment. Requirements 10.8 and 10.8.1 formalise the response to security incidents, obliging service providers to establish formal processes, including mobile app security testing, to identify and fix failures. This is also reflected in the six-monthly penetration testing requirement of 11.3.4.1, which gives a clear picture of the security profile of payment applications.
Codified Security will help you to meet PCI-DSS standards, including Requirement 6 (developing and maintaining secure software and applications) and Requirement 11 (regularly testing security systems). For PCI mobile app security testing issues, sign up to Codified Security.