Cardpliance: PCI DSS Compliance of Android Applications


Samin Yaseer Mahmud and Akhil Acharya, North Carolina State University; Benjamin Andow, IBM T.J. Watson Research Center; William Enck and Bradley Reaves, North Carolina State University


Smartphones and their applications have become a predominant way of computing, and it is only natural that they have become an important part of financial transaction technology. However, applications asking users to enter credit card numbers have been largely overlooked by prior studies, which frequently report pervasive security and privacy concerns in the general mobile application ecosystem. Such applications are particularly security-sensitive, and they are subject to the Payment Card Industry Data Security Standard (PCI DSS). In this paper, we design a tool called Cardpliance, which bridges the semantics of the graphical user interface with static program analysis to capture relevant requirements from PCI DSS. We use Cardpliance to study 358 popular applications from Google Play that ask the user to enter a credit card number. Overall, we found that 1.67% of the 358 applications are not compliant with PCI DSS, with vulnerabilities including improperly storing credit card numbers and card verification codes. These findings paint a largely positive picture of the state of PCI DSS compliance of popular Android applications.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {251522,
author = {Samin Yaseer Mahmud and Akhil Acharya and Benjamin Andow and William Enck and Bradley Reaves},
title = {Cardpliance: {PCI} {DSS} Compliance of Android Applications},
booktitle = {29th USENIX Security Symposium (USENIX Security 20)},
year = {2020},
isbn = {978-1-939133-17-5},
pages = {1517--1533},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video