iPhone PA-DSS applications
January 12th, 2009 by admin. Posted in pa-dss

It was only a matter of time before someone wrote a credit card virtual terminal application for the iPhone. It requires you to have a Merchant ID and processes transactions through Authorize.net. You simply enter the PAN, expiration date, amount, and zip code. It does basic address verification (AVS) via the zip code and processes the transaction as if using a virtual terminal.
This brings up an interesting question. “What will be the first PA-DSS validated application for the Apple iTunes Apps Store?” Should this application be PA-DSS validated?
The scope for the PA-DSS states:
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
This language certainly leads one to believe that iPhone payment applications should be PA-DSS validated. But it’s just a virtual terminal, and those aren’t in scope, are they? Well, it depends on what you mean by a virtual terminal.
A traditional virtual terminal is one that resides on the gateway or processor’s website and permits the Merchant to log in and submit transactions. This iPhone application, by contrast, is one that is “sold, distributed, or licensed to third parties”. This application clearly falls within the scope of the PA-DSS.
One Response to “iPhone PA-DSS applications”
By Walt Conway on Jan 13, 2009
I agree this application definitely falls under PA DSS by the spirit and intent of the standard, if not the letter. It will be interesting to see what, if any, liability will accrue to Apple following the first successful breach attributed to or involving a compromised iPhone terminal. Probably it’ll be too small to get much attention. My mind is racing, though, on what, if anything, adding an iPhone virtual terminal could do to a merchant’s PCI scope…