Even though the consumer’s environment is outside of the merchant’s PCI DSS scope, the development of the application is in scope, as the application is being developed for the purpose of the merchant’s payment acceptance process. The application should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements – for example, Requirements 6.3, 6.4 and 6.5.
It is recommended that applications be developed using PA-DSS as a baseline for the protection of payment card data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers.
Article Number 1283