PCI DSS Compliance for Payment Processing
PCI DSS Compliance for Payment Processing
Payment Card Industry Data Security Standard compliance is mandatory for apps handling credit card data.
// Android - PCI DSS compliance implementation
class PCIDSSCompliance(private val context: Context) {
// PCI DSS Requirement 1: Firewall Configuration
class NetworkSecurityConfig {
fun generateSecurityConfig(): String {
return """
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="false">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
<!-- Pin certificates for payment endpoints -->
<domain-config>
<domain includeSubdomains="true">payment.example.com</domain>
<pin-set expiration="2025-01-01">
<pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
<pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
</pin-set>
<trustkit-config>
<report-uri>https://report.example.com/pin-failure</report-uri>
</trustkit-config>
</domain-config>
</network-security-config>
""".trimIndent()
}
}
// PCI DSS Requirement 2: Default Security Parameters
class SecurityConfiguration {
fun hardenApplication() {
// Remove default accounts
removeDefaultAccounts()
// Disable unnecessary services
disableUnnecessaryServices()
// Configure secure defaults
configureSecureDefaults()
}
private fun configureSecureDefaults() {
// Encryption settings
SecurityConfig.apply {
setMinimumTLSVersion(TlsVersion.TLS_1_2)
setPreferredCipherSuites(
listOf(
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
)
)
// Key management
setKeyRotationInterval(90) // days
setKeyDerivationIterations(100_000)
}
}
}
// PCI DSS Requirement 3: Protect Cardholder Data
class CardholderDataProtection {
// Never store sensitive authentication data
private val prohibitedData = setOf(
"cvv", "cvv2", "cvc", "cvc2", "cid",
"pin", "pin_block",
"track1", "track2", "track3"
)
fun processPaymentData(cardData: CardData): ProcessedPayment {
// Validate card data
validateCardData(cardData)
// Tokenize immediately
val token = tokenizeCard(cardData)
// Clear sensitive data from memory
cardData.secureWipe()
return ProcessedPayment(
token = token,
lastFourDigits = cardData.number.takeLast(4),
expiryMonth = cardData.expiryMonth,
expiryYear = cardData.expiryYear,
cardholderName = maskName(cardData.cardholderName)
)
}
private fun tokenizeCard(cardData: CardData): String {
// Use payment processor's tokenization
val tokenRequest = TokenizationRequest(
number = cardData.number,
expiryMonth = cardData.expiryMonth,
expiryYear = cardData.expiryYear,
cvv = cardData.cvv
)
// Send over encrypted channel only
return PaymentGateway.tokenize(tokenRequest)
}
// Data retention and disposal
fun implementDataRetention() {
DataRetentionPolicy.configure(
tokenizedCards = RetentionPeriod.Days(365),
transactionLogs = RetentionPeriod.Days(365),
auditLogs = RetentionPeriod.Years(3)
)
// Secure deletion
DataDisposal.configure(
method = DisposalMethod.CRYPTOGRAPHIC_ERASURE,
verification = true,
certification = true
)
}
}
// PCI DSS Requirement 4: Encrypt transmission
class TransmissionEncryption {
fun setupSecureTransmission() {
val paymentApiClient = OkHttpClient.Builder()
.addInterceptor(PCIInterceptor())
.connectionSpecs(listOf(
ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_3)
.cipherSuites(
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
)
.build()
))
.certificatePinner(createCertificatePinner())
.build()
}
inner class PCIInterceptor : Interceptor {
override fun intercept(chain: Interceptor.Chain): Response {
val request = chain.request()
// Ensure HTTPS only
if (request.url.scheme != "https") {
throw SecurityException("Payment data must be transmitted over HTTPS")
}
// Add security headers
val secureRequest = request.newBuilder()
.header("X-Content-Type-Options", "nosniff")
.header("X-Frame-Options", "DENY")
.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
.build()
val response = chain.proceed(secureRequest)
// Validate response
validateSecureResponse(response)
return response
}
}
}
// PCI DSS Requirement 8: Identify and authenticate access
class AccessControl {
fun implementStrongAuthentication() {
// Multi-factor authentication for payment access
val mfaManager = MFAManager(context)
mfaManager.configure(
factors = listOf(
AuthFactor.PASSWORD(
minLength = 12,
requireUppercase = true,
requireLowercase = true,
requireNumbers = true,
requireSpecialChars = true,
preventReuse = 4
),
AuthFactor.BIOMETRIC,
AuthFactor.OTP(
algorithm = OTPAlgorithm.TOTP,
digits = 6,
period = 30
)
),
requiredFactors = 2
)
// Session management
SessionManager.configure(
maxIdleTime = 15 * 60, // 15 minutes
absoluteTimeout = 8 * 60 * 60, // 8 hours
lockoutPolicy = LockoutPolicy(
maxAttempts = 6,
lockoutDuration = 30 * 60 // 30 minutes
)
)
}
}
// PCI DSS Requirement 10: Track and monitor access
class AuditLogging {
private val secureLogger = SecureAuditLogger()
fun logPaymentEvent(event: PaymentEvent) {
val auditEntry = AuditEntry(
timestamp = System.currentTimeMillis(),
eventType = event.type,
userId = event.userId,
sourceIP = event.sourceIP,
outcome = event.outcome,
affectedData = event.affectedData.map { it.tokenized() },
details = event.details
)
// Tamper-proof logging
secureLogger.log(
entry = auditEntry,
signature = generateSignature(auditEntry),
encryption = true
)
}
fun configureLogRetention() {
secureLogger.setRetention(
period = RetentionPeriod.Years(3),
archival = true,
integrityChecks = true
)
}
}
}