PCI DSS core requirements for client applications
Applications that use the API must comply with the following PCI DSS requirements:
Protection of stored cardholder data
- Never store CVV/CVC codes (or any other sensitive authentication data) after authorization, not even in encrypted form.
- Do not store full card numbers (PANs) in unencrypted form; if a PAN must be retained, render it unreadable (strong encryption, truncation, or tokenization).
- Mask card numbers when displaying them (e.g. 4111 **** **** 1234). PCI DSS permits showing at most the first six and last four digits; showing fewer, as in the example, is fine.
- Use TLS 1.2+ for all API requests.
- Make sure client applications never send card numbers in URL parameters (GET /api/payment?card=4111111111111111 is not allowed!). URLs are written to web-server and proxy access logs, browser history and Referer headers, so a PAN in a query string is stored in plain text in places outside your control. Send card data in the request body over TLS.
Limit access to data
- Do not transmit or store redundant data that is not required for the application.
- Implement a role-based access model - for example, administrators can manage accounts and users can only view balances.
- Never hard-code API tokens in application code or keep them in .env files that are committed to the repository.
- Use secure storage (e.g., Vault, AWS Secrets Manager, Azure Key Vault).
- If the token is not used, it should be removed or disabled in Dev Space.
- Validate all input data passed to the API (type, length, format; for card numbers at least the 13-19 digit length and the Luhn check) before it leaves the client.
- Do not allow user input to reach code execution paths: never pass it to eval, shell commands, template engines or SQL without strict validation and parameterization.
- Use HTTP security headers (Content-Security-Policy, X-Frame-Options, etc.). Note that X-XSS-Protection is deprecated and ignored or removed in current browsers; rely on a strict Content-Security-Policy instead of the legacy XSS auditor.
- In Dev Space, you can specify an allow-list of trusted IP addresses from which API requests are accepted.
- If the application runs on a server with a fixed egress IP, bind the API token to that IP in the token settings so a leaked token cannot be used from elsewhere.
- Enable logging of API requests with user information, but without storing sensitive data (e.g., don’t log full card numbers).
- Set up notifications for suspicious activity (e.g., login attempts from an unknown IP).
- Regularly check event logs for anomalies.
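The following is an added example, not code from the API vendor or from this page, showing how a client application can enforce several of the rules above in one place: validating a PAN before it is sent, masking it for display as "4111 **** **** 1234", scrubbing PANs from log lines before any handler writes them, and refusing to issue a request whose URL carries a card number. The function and class names are assumptions; the sample log line is constructed, and the card numbers used are the well-known Visa and Amex test numbers, not real cards.

```python
"""Client-side PAN handling for a payment API integration (added example)."""
import logging
import re
from urllib.parse import parse_qs, urlsplit

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check over a string of ASCII digits."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(raw: str) -> str:
    """Normalise user input to digits and reject anything that is not a
    plausible PAN (13-19 digits, Luhn-valid). Returns the normalised PAN."""
    digits = re.sub(r"[ -]", "", raw.strip())
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN failed Luhn check")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: first 4 and last 4 digits kept, the rest replaced by '*',
    grouped in blocks of four, e.g. 4111 **** **** 1111. PCI DSS allows at
    most the first six and last four to be shown; this is stricter."""
    digits = validate_pan(pan)
    masked = digits[:4] + "*" * (len(digits) - 8) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in `text` with its masked form.
    Digit runs that fail Luhn (order IDs, timestamps) are left untouched."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that scrubs PANs from the already-formatted message
    before a handler writes it. Attach it to every handler."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def assert_no_pan_in_url(url: str) -> None:
    """Reject a request URL whose path or query string carries a card number.
    Card data belongs in the TLS-protected request body, never in the URL."""
    parts = urlsplit(url)
    values = [parts.path]
    for vals in parse_qs(parts.query, keep_blank_values=True).values():
        values.extend(vals)
    for v in values:
        for m in _PAN_CANDIDATE.finditer(v):
            if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
                raise ValueError("card number in URL; send it in the request body")


if __name__ == "__main__":
    log = logging.getLogger("payment-client")
    handler = logging.StreamHandler()
    handler.addFilter(PanRedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample: a careless log line that embeds the full PAN.
    log.info("charge ok order=20240117 card=%s", "4111 1111 1111 1111")
    print(mask_pan("378282246310005"))
    assert_no_pan_in_url("https://api.example.test/v1/payments?order=20240117")
```

The redaction filter works on the formatted message, so it also catches PANs that arrive through format arguments; it has to be attached to every handler, because a filter on the logger alone does not see records emitted by child loggers.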
Regular security audits
To ensure that the client application remains secure and PCI DSS compliant, it is recommended that you:
- ✅ Perform regular Vulnerability Scanning.
- ✅ Perform Penetration Testing.
- ✅ Update libraries and frameworks, especially those related to security.
- ✅ Educate developers on secure programming principles.