iPinPay Payment Application Security
We believe iPinPay meets PA-DSS requirements and facilitates compliance with the PCI DSS through Pin Payments, which is a PCI DSS-compliant gateway. Please note that iPinPay has not been submitted for validation or approval by the PCI Security Standards Council (PCI SSC).
Below are the steps we have taken to protect your cardholder data:
- iPinPay connects directly to Pin Payments using commercial-grade SSL encryption of 128-bit or higher; card data never passes through any other intermediary server
- No sensitive cardholder data is ever retained on your iPhone
- The cardholder name, card expiry, and the first 4 and last 4 digits of the card number are the only card details retained
- CVV numbers are never retained
- iCCPay will never ask for a card PIN; all transactions are performed as "card not present" internet transactions
- API secret keys and passwords are stored encrypted in the iPhone's keychain
- iPinPay can be PIN protected so that the app asks for a PIN before it launches (this PIN is also stored encrypted in the iPhone's keychain). We highly recommend you also set a passcode lock on your iPhone.
We will be keeping an eye on any developments regarding Payment Application Security, specifically the Phase 5 requirements for use of PA-DSS compliant applications, which take effect on 1st July 2010.
Below is an excerpt from VISA USA’s Cardholder Information Security Program:
“While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.”