PCI & Mobile Application Protection

Protect your Code, Validate the Environment, Protect your Customer’s Data.

To achieve compliance, businesses must meet the Payment Card Industry Data Security Standard (PCI DSS), a framework that outlines the steps necessary to protect customers’ data. PCI DSS applies to all organizations that collect, store, and transmit credit card information.

Maintaining full compliance was recently complicated by an update to PCI DSS: version 4.0 was issued on March 31, 2022. It is the first significant overhaul of the standard since 2014 and will remain in place until 2024, so understanding the requirements is urgent.

Understanding PCI DSS Compliance

Regulators, standards bodies, and IT auditors have become increasingly likely to recommend an absolute prohibition on running critical applications on compromised devices. For example, the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”
Because data is created, accessed, and changed through applications, protecting your applications (and validating the environment in which they run) is a key component of protecting your data.
Adding application protection to your secure software development lifecycle makes it more difficult for attackers, whether people or automated tooling, to exploit those applications.

It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding, and reporting on threats – including those posed by unauthorized rooted devices.


PCI Mobile Payment Security Guidelines – Section 4.3 Prevent Escalation of Privileges

Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors. Therefore, the device should be monitored for activities that defeat operating system security controls—e.g., jailbreaking or rooting—and, when detected, the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or disables the payment application.

Offline jailbreak and root detection with automatic quarantine are key, since some attackers may put the device into an offline state specifically to circumvent detection that depends on a server. Hardening the application is one method that may help prevent escalation of privileges on a mobile device.
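The control described in Section 4.3 has two parts: collect indicators that operating-system security controls have been defeated, then quarantine the payment application without relying on network connectivity. The following is an added illustration of that flow, not code from the PCI guidelines or from PreEmptive. It is plain Java so it compiles with a stock JDK; on Android the `Signals` fields would be populated from `android.os.Build.TAGS`, `PackageManager` and the filesystem. The root-manager package names are constructed placeholders, and `disablePaymentAcceptance` and `send` are hypothetical hooks standing in for the app's real enforcement and reporting code.

```java
import java.io.File;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;

/**
 * Added example (not from the PCI guidelines or any vendor SDK): on-device root
 * indicator collection plus an offline-safe quarantine decision. Indicator lists
 * are illustrative; hooks marked "hypothetical" are placeholders.
 */
public final class RootPosture {

    public enum Action { ALLOW, QUARANTINE }

    /** Device signals gathered by the app at startup (plain fields here; Android APIs in a real app). */
    public static final class Signals {
        final String buildTags;              // "release-keys" on production builds, "test-keys" on many custom ROMs
        final List<String> installedPackages;
        final List<String> presentFiles;     // filesystem paths that exist on the device
        final boolean systemPartitionWritable;

        Signals(String buildTags, List<String> installedPackages,
                List<String> presentFiles, boolean systemPartitionWritable) {
            this.buildTags = buildTags;
            this.installedPackages = installedPackages;
            this.presentFiles = presentFiles;
            this.systemPartitionWritable = systemPartitionWritable;
        }
    }

    /** Typical su binary locations on rooted Android builds. */
    static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/xbin/su");

    /** Constructed placeholder package names standing in for root-management apps. */
    static final List<String> ROOT_MANAGER_PACKAGES = Arrays.asList(
            "com.example.rootmanager", "com.example.superuser");

    /** Reports that could not be sent while offline; flushed when connectivity returns. */
    private static final Deque<String> PENDING_REPORTS = new ArrayDeque<>();

    /** For a real device: which of the su paths actually exist on this filesystem. */
    public static List<String> scanSuPaths() {
        List<String> found = new ArrayList<>();
        for (String p : SU_PATHS) {
            if (new File(p).exists()) found.add(p);
        }
        return found;
    }

    /** Returns every root indicator observed; an empty list means none were seen. */
    public static List<String> findIndicators(Signals s) {
        List<String> hits = new ArrayList<>();
        if (s.buildTags != null && s.buildTags.contains("test-keys")) hits.add("build-tags:test-keys");
        for (String p : SU_PATHS) if (s.presentFiles.contains(p)) hits.add("su-binary:" + p);
        for (String pkg : ROOT_MANAGER_PACKAGES) if (s.installedPackages.contains(pkg)) hits.add("package:" + pkg);
        if (s.systemPartitionWritable) hits.add("system-partition:writable");
        return hits;
    }

    /**
     * The quarantine decision is made entirely on-device, so taking the device
     * offline does not bypass it; the backend is informed, never consulted.
     */
    public static Action decide(List<String> indicators) {
        return indicators.isEmpty() ? Action.ALLOW : Action.QUARANTINE;
    }

    /** Enforce locally first, then report; queue the report if the device is offline. */
    public static Action enforce(Signals s, boolean online) {
        List<String> indicators = findIndicators(s);
        Action action = decide(indicators);
        if (action == Action.QUARANTINE) {
            disablePaymentAcceptance();
        }
        String report = action + " indicators=" + indicators;
        if (online) send(report); else PENDING_REPORTS.add(report);
        return action;
    }

    /** Hypothetical hook: clear card-entry state and refuse new transactions. */
    static void disablePaymentAcceptance() {
        System.out.println("payment acceptance disabled on this device");
    }

    /** Hypothetical hook: deliver the report to the monitoring backend. */
    static void send(String report) { System.out.println("sent: " + report); }

    public static void flushPendingReports() {
        while (!PENDING_REPORTS.isEmpty()) send(PENDING_REPORTS.poll());
    }

    public static void main(String[] args) {
        // Constructed sample: offline device with a test-keys build and a su binary present.
        Signals rooted = new Signals("test-keys", Arrays.asList("com.example.rootmanager"),
                Arrays.asList("/system/xbin/su"), false);
        System.out.println(enforce(rooted, false));   // quarantine applied locally, report queued
        flushPendingReports();                         // queued report delivered once online

        // Constructed sample: production build with no indicators, scanned on the running host.
        Signals clean = new Signals("release-keys", Arrays.asList("com.example.bank"),
                scanSuPaths(), false);
        System.out.println(enforce(clean, true));
    }
}
```

Two design points matter for the guideline's intent. First, `enforce` calls `disablePaymentAcceptance` before any reporting, so the quarantine does not depend on a round trip to a server; the queued report only closes the loop later. Second, each check in `findIndicators` is a heuristic that a modified operating system can hide, which is why the guideline pairs detection with application hardening: an obfuscated, tamper-checked build makes it harder to patch the check itself out of the app.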

Help with Compliance and More

PreEmptive Solutions helps organizations protect their applications from attack by hardening and shielding them. This makes applications more resilient to tampering and runtime probing, and it also helps our customers comply with regulatory and industry standards including PCI, HIPAA, GDPR, and OWASP, among others. By hindering application attacks, we help protect our customers from financial loss, intellectual property theft, brand damage, stolen credentials and fraud, and non-compliance with standards.

Start Your Free Trial Today!