Dr. Klaus Schenk is SVP Security and Threat Research at Verimatrix, where he leads a team of data scientists and runs VMX Labs, pioneering advanced cybersecurity research and developing innovative solutions to safeguard applications, APIs, and digital content.

Q1: Why is PCI DSS compliance critical for mobile applications?

Dr. Klaus Schenk: PCI DSS, or Payment Card Industry Data Security Standard, is a set of security requirements designed to protect payment card information during processing, storage, and transmission. It was established by major credit card companies like Visa, MasterCard, and American Express to reduce payment fraud and enhance cardholder data security. 

With more and more transactions taking place via mobile apps, PCI DSS needs to be at the forefront of app developers’ minds from the onset. It’s not just about meeting regulatory requirements; it’s about preserving customer trust and safeguarding brand reputation.

To illustrate the expansive reach of PCI DSS, it even extends to personal devices when they’re used as a point-of-sale (POS) device for a merchant. PCI Security Standards Council guidelines address “payment applications that operate on any consumer electronic handheld device that is not solely dedicated to payment-acceptance transaction processing.” 

This illustrates the need for developers to comprehensively and proactively address protection requirements amid a wide-ranging ecosystem of devices and usage. After all, POS is simply an example of an applicable mobile app, as nearly any app interacting with credit card data must meet PCI DSS requirements.

Q2: What are some common misconceptions about PCI DSS compliance for mobile apps?

Dr. Klaus Schenk: One of the biggest misconceptions is the idea that compliance equals security or that security equals compliance. Just because an app meets PCI DSS requirements doesn’t mean it’s fully secure, and just because an app is well-protected doesn’t mean it meets PCI DSS requirements. PCI is a baseline standard designed to minimize risk, but it doesn’t account for every possible threat.

Companies are often lulled into a false sense of security when they focus solely on compliance, failing to see the deeper and evolving threats lurking beneath the surface. Meeting PCI standards is just the beginning. It sets the floor, not the ceiling, for security measures.

Think of security as a moving target. Indeed, cybercriminals are constantly evolving their tactics. Compliance frameworks are built to address known risks, but they can’t anticipate every emerging threat. To truly protect sensitive payment data, companies must go beyond compliance and adopt a deliberately proactive security posture.

Q3: What are the most common security threats mobile apps face related to PCI DSS compliance?

Dr. Klaus Schenk: Imagine a point-of-sale (POS) app used by a popular restaurant chain. It’s designed to make transactions quick and seamless, allowing customers to pay directly at their table using a tablet or smartphone. From the outside, it seems like a perfect blend of convenience and technology. But beneath the surface, this type of mobile app is a goldmine for cybercriminals.

Why? Because it handles sensitive payment information every single day—credit card numbers, expiration dates, CVVs, and even customer names. If this data is compromised, the consequences can be catastrophic, not just for the affected customers but also for the business’ reputation. And the threats are everywhere:

  • Mobile malware: Cybercriminals, who may also work for the merchant operating the POS, can install malicious software designed to steal payment details or login credentials. This is especially dangerous when POS apps are connected to public Wi-Fi networks.
  • App tampering and reverse engineering: Hackers analyze the app to understand how it works, potentially exposing security mechanisms. Once they figure out the inner workings, they can create malicious versions that look and behave exactly like the original app but secretly steal data. 

PCI DSS compliance isn’t just about encrypting payment data; it’s about safeguarding the entire device ecosystem, from the front-end interface to the back-end servers.

Q4: How can mobile app developers ensure their applications are PCI DSS compliant?

Dr. Klaus Schenk: Start by understanding exactly what PCI DSS compliance means for mobile applications. I recommend reading the official PCI DSS documentation, which provides a detailed breakdown of requirements for securely processing, storing, and transmitting payment card data. You can find the latest guidelines here: PCI Security Standards Council.

Once you understand the requirements, the next step is to think about how your app’s code can be better protected. Remember, PCI DSS compliance isn’t just about encrypting payment data; it’s about safeguarding the entire application ecosystem from potential threats. This includes protecting APIs, third-party integrations, and user authentication mechanisms.

When considering an app protection platform, look for features such as:

  • Code obfuscation: This makes the app’s source code difficult to understand, preventing attackers from reverse engineering it.
  • White-box cryptography: This protects encryption keys even when they’re being used, ensuring sensitive data remains secure.
  • Mobile app shielding: Provides real-time protection against tampering, runtime attacks, and malware.
  • Runtime application self-protection (RASP): Monitors the app’s behavior in real time and automatically responds to suspicious activities.
  • Secure communication protocols: Ensures that data transmitted between the app and server is encrypted and protected from man-in-the-middle and cryptographic attacks as well as attacks on the protocol.

I also suggest integrating the provisioning of protection into your CI/CD pipeline—adding automated and periodic manual penetration testing. This allows you to catch vulnerabilities early in the development process before they reach production. By automating these aspects of security, you maintain a rapid development cycle without sacrificing compliance or security.

Finally, choose a solution that supports ongoing compliance. PCI DSS isn’t a one-time event; it requires continuous monitoring and regular updates. A good app protection platform will help you maintain compliance by offering SIEM integration for centralized monitoring and detailed compliance reports tailored to PCI DSS requirements.

Building security into your development workflow not only simplifies compliance but also strengthens your product’s overall security posture. It’s about proactively protecting your product while continuing to innovate and deliver great user experiences.

Q5: What role does logging play in PCI DSS compliance?

Dr. Klaus Schenk: Logging is crucial for creating an audit trail of user and system activities. PCI DSS v4.0 has strict requirements around logging, including ensuring log integrity, controlling access, and setting retention policies.

Effective logging helps identify suspicious activity, unauthorized access, or potential breaches in real time. It’s not just about collecting logs but also analyzing them for anomalies.

Centralized monitoring can drastically reduce detection and response times. It’s about maintaining visibility into the app’s behavior and being able to react swiftly to potential threats.

Q6: How should organizations handle log data to meet PCI DSS requirements?

Dr. Klaus Schenk: According to PCI DSS v4.0 Section 10, all organizations that process, store, or transmit payment card data must:

  • Log all access to cardholder data to create an audit trail.
  • Secure log files to prevent unauthorized changes and ensure integrity.
  • Review logs daily for security events and retain them for at least 12 months.
  • Limit access to logs to authorized personnel only.
  • Use time-synchronization technology to ensure consistent timestamps.

These requirements apply universally, but how they are implemented can vary by industry. For example, retailers are highly targeted by credential-stuffing attacks and payment fraud, especially with the rise of online shopping and mobile payments. PCI DSS requires logging of all authentication attempts, including failed logins, to detect unauthorized access and suspicious activities.

If a retail POS system sees multiple failed login attempts in rapid succession, this could indicate a credential-stuffing attack where automated bots are trying stolen passwords. By logging and monitoring these events, retailers can detect and block malicious activity before a breach occurs.
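The two Requirement 10 points raised in Q5 and Q6, reviewing authentication logs for rapid failed-login bursts and keeping the log itself tamper-evident, as an added example that is not part of the interview or of any Verimatrix product. The log line format, terminal names and thresholds are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <terminal> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-05-01T12:00:00 POS-07 alice LOGIN_OK
2024-05-01T12:00:03 POS-07 bob LOGIN_FAIL
2024-05-01T12:00:04 POS-07 carol LOGIN_FAIL
2024-05-01T12:00:05 POS-07 dave LOGIN_FAIL
2024-05-01T12:00:06 POS-07 erin LOGIN_FAIL
2024-05-01T12:00:07 POS-07 frank LOGIN_FAIL
2024-05-01T12:05:00 POS-02 alice LOGIN_FAIL
2024-05-01T12:09:00 POS-02 alice LOGIN_OK
"""

def parse(line):
    ts, terminal, user, result = line.split()
    return datetime.fromisoformat(ts), terminal, user, result

def failed_login_bursts(log_text, threshold=5, window_s=60):
    """Return {terminal: first_alert_time} where >= threshold distinct users fail
    within window_s seconds: many accounts failing on one terminal looks like
    automated password testing (credential stuffing), not a single typo."""
    recent = defaultdict(deque)   # terminal -> deque of (timestamp, user) failures
    alerts = {}
    for line in log_text.splitlines():
        ts, terminal, user, result = parse(line)
        if result != "LOGIN_FAIL":
            continue
        q = recent[terminal]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len({u for _, u in q}) >= threshold and terminal not in alerts:
            alerts[terminal] = ts
    return alerts

def chain_log(log_text, seed=b"pci-log-chain"):
    """Append-only hash chain: each digest covers the previous digest plus the
    current line, so editing or deleting any line breaks every later link."""
    digests, prev = [], hashlib.sha256(seed).hexdigest()
    for line in log_text.splitlines():
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        digests.append(prev)
    return digests

def verify_chain(log_text, digests, seed=b"pci-log-chain"):
    return chain_log(log_text, seed) == digests
```

In practice the chain digests would be written to a separate, access-controlled store (or a SIEM) so that whoever can edit the log cannot also rewrite the chain.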

Q7: What trends do you see in PCI DSS compliance for mobile apps?

Dr. Klaus Schenk: One major trend is the shift towards continuous compliance. Organizations are moving away from annual audits to continuous monitoring and validation. This proactive approach helps them stay ahead of emerging threats.

There’s also a growing focus on securing APIs, which are increasingly being targeted by attackers. As more apps rely on APIs for communication and data exchange, securing them becomes critical for PCI DSS compliance.

I’m also excited about the role of artificial intelligence and machine learning in threat detection and compliance monitoring. These technologies are enhancing real-time security insights, helping organizations detect anomalies faster and respond more effectively.

Q8: Any parting advice for mobile app developers to enhance PCI DSS compliance for their apps?

Dr. Klaus Schenk: Far too often, my team and I run into scenarios where mobile app developers know they’re going to face an audit, so they quickly look for a security solution and end up choosing what may seem to be the simplest choice, but it ends up causing major headaches down the road. 

Despite the overwhelming benefits of a comprehensive, layered protection approach, developers can become laser-focused on price. That nearly always results in a basic, check-the-box solution that falls short. And it can even translate into a lack of certification by the bank. 

Lesson learned—cutting corners on security to save costs can end up costing much more in the long run. What seems like a bargain ends up delaying a launch and damaging one’s credibility with the bank. Compliance isn’t just about passing an audit; it’s about protecting your users and your company’s reputation.