Everything goes digital

More and more people are using Internet banking, e-wallets, mobile payment systems, and other things you can't imagine modern life without. No wonder most mobile apps let their users pay directly from within the app.

With a website, everything is easy: when integrating, it is enough to use a technical solution that either redirects the payer to the card data entry form hosted on the PCI DSS certified site, or loads that page in a frame served from the certified site. In this case the merchant is not subject to the security standard, because the card data is neither stored on nor transmitted through its servers, and the merchant's page has no access to the payment gateway's frame thanks to the security policies of web browsers.
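As an added illustration of the frame approach above (example code, not from the original article): the merchant page's side of a hosted card form. The browser's same-origin policy keeps merchant scripts out of the gateway's frame, so the only thing that should come back is an opaque token via postMessage; the handler below accepts that token only from the gateway's origin and refuses anything resembling card data. The gateway origin and the message format are assumptions.

```javascript
// Added example, not from the original article. A merchant page embeds the
// PCI DSS certified gateway's card-entry form in a cross-origin <iframe>; the
// only thing that should cross back is an opaque token sent with postMessage.
// GATEWAY_ORIGIN and the {type, token} message shape are assumed names.
const GATEWAY_ORIGIN = "https://pay.gateway.example"; // hypothetical gateway origin

// Heuristic for "this looks like a primary account number": 13-19 digits,
// optionally separated by spaces or dashes. If such a value ever reaches
// merchant code, the integration is leaking card data and the merchant is in scope.
const PAN_LIKE = /(?:\d[ -]?){12,18}\d/;
const ALLOWED_KEYS = ["type", "token"];

function looksLikeCardData(value) {
  return typeof value === "string" && PAN_LIKE.test(value);
}

// Validate one message from the frame. Returns {ok:true, token} or {ok:false, reason}.
function acceptGatewayMessage(event) {
  if (event.origin !== GATEWAY_ORIGIN) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "payment-token") {
    return { ok: false, reason: "unexpected message type" };
  }
  // Reject any extra field (pan, expiry, cvv, ...): the merchant must never receive them.
  const extra = Object.keys(data).filter((k) => !ALLOWED_KEYS.includes(k));
  if (extra.length > 0) {
    return { ok: false, reason: "unexpected fields: " + extra.join(",") };
  }
  if (typeof data.token !== "string" || data.token.length === 0) {
    return { ok: false, reason: "missing token" };
  }
  if (looksLikeCardData(data.token)) {
    return { ok: false, reason: "token field resembles a card number" };
  }
  return { ok: true, token: data.token };
}

// Wire the handler to a window-like object; onToken receives only accepted tokens,
// which the merchant then forwards to its own back end to charge the order.
function installGatewayListener(win, onToken) {
  win.addEventListener("message", (event) => {
    const result = acceptGatewayMessage(event);
    if (result.ok) onToken(result.token);
  });
}
```

In a real page `installGatewayListener(window, sendTokenToBackend)` is called once, and the iframe `src` must point at GATEWAY_ORIGIN so the origin check matches.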

But how does it happen in mobile apps?

With a mobile app, things are a little more complicated. There is a popular misconception that if a mobile application requests card data, it is automatically subject to PCI DSS. The organization that develops the PCI DSS standard (PCI SSC, the Payment Card Industry Security Standards Council) has not yet released separate standard requirements for mobile applications. This means there is still no definitive standard, but there is guidance for mobile payment applications, that is, payment applications running on consumer handheld devices such as smartphones, tablets and PDAs whose functionality is not limited to accepting payments.

A mobile app cannot exist without a server side (back end) that provides billing and the basic business logic; one way or another, the app transmits the information required for payment processing to the merchant's server. This is where the nuance lies: so that the developer of the mobile app does not, intentionally or accidentally, program the app to transmit payment card data to some uncertified server, the payment mobile development kit must encrypt the card data itself. PCI DSS may not apply directly to payment application providers if they do not process or transmit cardholder information, or do not have access to their customers' cardholder data. The sad part is that most custom-made systems for mobile apps cannot provide 100% uptime in a case like that: at some point the connection to the database server or some other service may fail, and then your application will not be able to give the expected response.

Still, you can add secure payment options, such as:

  • Android Pay – Android Pay does not store card numbers on your device and does not send information about them anywhere. Payment is made using tokens, randomly generated sets of numbers.
  • Apple Pay – Apple Pay works in a similar way. The encrypted data is sent to Apple's servers, and from there to the bank. The bank generates a device account number, which it sends back. Apple then generates the user's account number, which it does not disclose but sends in encrypted form to the smartphone's Secure Element.
  • Samsung Pay – Samsung Pay uses not only the token system, but also the KNOX security infrastructure and user authentication by fingerprint.


When you first ask yourself how to build a payment app, it can turn out that the road is long and winding. However, by seeking help from professionals in the payment development industry, the complexities can be overcome. That's why it's always better to use mobile wallet application development services that can provide users with a secure and convenient payment experience.

At the end of the journey you will find a significant reward, because people worldwide are migrating from physical to digital money, which may well be the future of payments.