iCCPay

iCCPay Payment Application Security

We believe iCCPay does meet PA-DSS requirements and facilitates compliance with the PCI DSS through its PCI DSS compliant payment gateways (either SecurePay, eWAY or DPS PaymentExpress). Please note that iCCPay has not been submitted for validation or approval by the PCI Security Standards Council (PCI SSC).

Below are steps we have taken to protect your security:

  1. iCCPay connects directly to PCI DSS certified payment gateways (either SecurePay, eWAY or DPS PaymentExpress) using commercial-grade SSL encryption of 128-bit or higher, and the connection never passes through any other intermediary server
  2. No sensitive cardholder data is ever retained on your iPhone
    1. Only the cardholder name, card expiry, and the first 4 and last 4 digits of the card number are retained
    2. CVV numbers are never retained
    3. iCCPay will never ask for a card PIN; all transactions are performed as “card not present” internet transactions
  3. Merchant/Customer IDs and passwords are stored encrypted in the iPhone’s keychain
  4. iCCPay can be PIN protected so that the app asks for a PIN before it launches (this PIN is also stored encrypted in the iPhone’s keychain). We highly recommend you also set a passcode lock on your iPhone.

We will be keeping an eye on any developments regarding Payment Application Security, specifically the Phase 5 requirements for use of PA-DSS compliant applications, which come into effect on 1st July 2010.

Below is an excerpt from VISA USA’s Cardholder Information Security Program:
“While the use of PA-DSS validated payment applications is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications. Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.”
Source: http://usa.visa.com/.../cisp_payment_applications.html#anchor_4