Frequently Asked Questions

< Back to search page

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

FAQ Response

If the consumer is also the cardholder and is using the device solely for his/her own cardholder data entry, and the application can only be used by that cardholder using his own credentials, then the device is treated similarly to a cardholder’s payment card: The consumer’s environment in which the application runs is outside the scope of PCI DSS, and the consumer-facing application is not eligible for PA-DSS listing. 

Even though the consumer’s environment is outside of the merchant’s PCI DSS scope, the development of the application is in scope, as the application is being developed for the purpose of the merchant’s payment acceptance process. The application should therefore be developed in accordance with industry best practices and applicable PCI DSS requirements – for example, Requirements 6.3, 6.4 and 6.5.

It is recommended that applications be developed using PA-DSS as a baseline for the protection of payment card data. Sources of industry guidance for developing mobile applications include ENISA and OWASP, as well as the PCI Mobile Payment Acceptance Security Guidelines for Developers. 

June 2014
Article Number 1283