Mobile payment methods have revolutionized how different sectors such as banking, commerce, and retail can do business and how consumers can efficiently perform transactions, purchases, and payments. But with new payment methods comes new challenges and possibilities for cybercriminals to access sensitive customer information.
So how can you make sure you keep your customers’ card data safe from attacks?
As an app provider, keeping data safe is always a crucial matter. If your app accepts, processes, stores, or transmits payment card information, you will need to meet specific accepted industry standards for handling and protecting payment card information to become PCI compliant.
The guidelines and PCI compliance
The purpose of the PCI Mobile Payment Acceptance Security Guidelines for Developers is to “educate stakeholders responsible for the architecture, design, and development of mobile applications and their associated environment within a mobile device that merchants might use for payment acceptance.” Following these guidelines will help you on your way to becoming PCI compliant.
For an app to be PCI compliant, it needs to meet an accepted industry standard for handling and protecting users’ payment card information. Meeting these standards can be achieved by following some objectives and guidelines for the security of payment transactions and the risk and controls in the supportive environment found in the PCI Mobile Payment Acceptance Security Guidelines for Developers.
Implementing Application Shielding for PCI Mobile Payment Acceptance Compliance
Mobile applications that handle payment card data are attractive targets for attackers due to the value and sensitivity of the information processed. To address this, the PCI Security Standards Council (PCI SSC) developed the Mobile Payment Acceptance Security Guidelines for Developers, offering specific recommendations to secure mobile apps against threats.
One of the most impactful defensive strategies developers can implement is application shielding. This approach helps prevent unauthorized access, reverse engineering, and tampering by adding layers of protection directly into the mobile application’s code and runtime environment.
What Is Application Shielding?
Application shielding is a set of security techniques integrated into mobile apps to protect them from runtime and static analysis attacks. Unlike perimeter-based defenses (e.g., network firewalls), application shielding embeds protection directly into the app. This ensures that even when a device is compromised or operating in a hostile environment, the app maintains a secure operational state.
Common application shielding techniques include:
Code obfuscation: Makes source code difficult to read or reverse engineer.
Anti-tampering: Detects and responds to attempts to modify the app binary or behavior.
Anti-debugging: Prevents the app from being analyzed by debuggers during runtime.
Jailbreak/root detection: Identifies whether the mobile device is compromised.
Runtime self-protection (RASP): Monitors the app in real-time to block suspicious behaviors or injections.
By combining these techniques, developers can make it substantially harder for attackers to extract sensitive logic, insert malicious code, or subvert authentication and encryption functions.
PCI Guidelines Section 4: Supporting a Secure Environment
Section 4 of the PCI Mobile Payment Acceptance Security Guidelines for Developers outlines controls necessary to protect cardholder data and secure the execution environment of mobile payment apps. Application shielding directly addresses several of these areas, notably:
1. Secure Code Practices (4.1)
Developers must ensure their code is resilient to static and dynamic attacks. Application shielding supports this through:
Obfuscation of logic and control flow, which makes reverse engineering harder.
White-box cryptography, which helps prevent keys from being exposed during decryption or signing processes.
Removal of debug information, preventing attackers from using log files or debugging output to infer sensitive operations.
2. Detection and Reaction to Environmental Threats (4.2)
PCI guidelines recommend apps be aware of their operating environment and respond to security threats such as rooted devices or dynamic instrumentation.
Application shielding can:
Detect emulators, virtual machines, or instrumentation frameworks like Frida or Xposed.
Monitor for runtime changes, such as unauthorized code injection or function hooking.
Enforce runtime policies, such as terminating the app or disabling payment functionality if a threat is detected.
3. Protection of Sensitive Data in Memory (4.3)
Even if data is encrypted in storage or during transmission, it can be exposed during processing in memory.
Application shielding addresses this by:
Implementing secure memory handling to avoid plain-text exposure of sensitive data like PAN, CVV, or authentication tokens.
Preventing memory scraping tools from accessing critical memory areas.
Ensuring ephemeral key usage, where encryption keys are generated and discarded securely within memory.
4. Secure Data Storage and Removal (4.4)
While PCI guidelines discourage storing sensitive card data on mobile devices, some use cases (like offline processing or temporary caching) may necessitate it.
Shielding helps ensure:
Data is encrypted with device-bound keys that can’t be extracted or reused.
Data is securely wiped after use, using best practices to avoid remnants in storage or RAM.
File-level protection enforces integrity checks and restricts unauthorized access to app-private storage.
Use Case: Threat Modeling with Application Shielding
To illustrate how shielding maps to real-world threats, consider the following scenario:
Attack Scenario: A malicious user installs a rootkit on their Android phone to bypass app restrictions and intercept cardholder data processed by a mobile POS (Point-of-Sale) app.
Without Shielding:
The attacker runs a memory-dumping tool to extract decrypted card information.
They hook functions related to encryption and logging to redirect outputs to external storage.
The app runs unaware on a rooted device with disabled SELinux policies.
With Shielding:
The app detects the root environment and halts critical functions.
Attempts to hook functions or inject code are intercepted and blocked in real-time.
Decryption keys are embedded using white-box techniques and never exposed in memory.
This example highlights how application shielding significantly elevates the security posture of a PCI-relevant mobile app in hostile environments.
Integrating Application Shielding into the SDLC
For effective PCI compliance, security must be built into the software development lifecycle (SDLC), not bolted on as an afterthought. Application shielding should be integrated during key stages:
Development: Obfuscation and anti-debugging tools should be incorporated into the CI/CD pipeline.
Testing: Apps must be validated under simulated attacks (e.g., using rooted/jailbroken devices).
Release: Shielding configurations should vary based on environment (e.g., higher strictness for production).
Monitoring: Post-release telemetry can inform developers of attack attempts or failures.
Additionally, developers should maintain up-to-date threat intelligence and adapt their shielding configurations to account for new attack methods.
Limitations and Complementary Controls
While application shielding is powerful, it’s not a silver bullet. It should be viewed as part of a defense-in-depth strategy. Other complementary controls include:
Secure network communications: Using TLS 1.2+ with certificate pinning.
Tokenization: Replacing sensitive card data with irreversible tokens.
Multi-factor authentication (MFA): Ensuring strong user identity verification.
Continuous security testing: Including penetration testing and code scanning.
Moreover, developers must ensure that application shielding doesn't significantly impact performance or user experience. Overzealous security measures can sometimes lead to legitimate functionality being flagged, resulting in user frustration.
The Path to PCI Compliance
The PCI Mobile Payment Acceptance Security Guidelines for Developers are designed to help you build secure apps, but achieving compliance is a multi-faceted endeavor. Application shielding supports the following compliance goals:
Confidentiality: Prevent unauthorized disclosure of cardholder data.
Integrity: Ensure code and data are not tampered with during runtime.
Availability: Secure the app without interrupting its critical functions.
By adopting application shielding early in your development process and aligning with PCI DSS and the Mobile Guidelines, you can significantly reduce your app’s attack surface and assure users, partners, and regulators of your commitment to secure mobile payments.
Conclusion
As mobile payments continue to grow, so do the security expectations for mobile application providers. Attackers are becoming increasingly sophisticated, and traditional security measures may not suffice in today’s mobile threat landscape. Application shielding is a proactive and adaptive measure that plays a crucial role in achieving and maintaining PCI compliance for mobile payment acceptance.
By protecting against threats like reverse engineering, tampering, and runtime attacks, application shielding enables mobile developers to adhere to PCI Mobile Payment Acceptance Security Guidelines and build secure, trusted applications for the digital economy.
