Welcome to the MacNN Forums.


iPad PCI Compliant
gwilliams
Fresh-Faced Recruit
Join Date: Sep 2011
Mar 10, 2012, 08:38 PM
 
I'm a mobile apps developer for a retail store. I was looking forward to working on an iPad app for store employees to use to check out customers in the store. A Microsoft engineer brought up the fact that iOS has a keylogger, therefore making iOS not a PCI-compliant device. Can anyone in this forum help me prove this guy wrong?
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Mar 10, 2012, 10:14 PM
 
iOS is not PCI compliant. Neither is OS X, nor Windows, nor Linux. Applications are PCI certified, not operating systems. But iOS does not prohibit a PCI compliant app.

You can build PCI compliant apps that run on iOS. Swipe did, and got a PCI QSA to review it, who found it met the current PA-DSS standards. Compliance Labs says: "Apple iOS 5 provide enough security features to support ... PCI DSS requirements compliance."
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Mar 10, 2012, 10:41 PM
 
Microsoft Engineer Fail

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Salty
Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
Mar 11, 2012, 04:37 AM
 
It has a key logger? What? That makes no sense. I could see one being in the wild if your device is jailbroken. Incidentally, there are tons of key loggers for Windows and you still get people allowing that in secure environments.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Mar 11, 2012, 01:31 PM
 
Originally Posted by Salty:
It has a key logger? What? That makes no sense. I could see one being in the wild if your device is jailbroken. Incidentally, there are tons of key loggers for Windows and you still get people allowing that in secure environments.
I assume he was referring to Carrier IQ, which was removed in iOS 5, thus the statement from Compliance Labs.
     
Salty
Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
Mar 12, 2012, 07:57 PM
 
But Carrier IQ wouldn't be put on by Apple on a WiFi iPad?
     
gwilliams  (op)
Fresh-Faced Recruit
Join Date: Sep 2011
Mar 13, 2012, 11:43 PM
 
I'm still trying to figure out how he was able to prove that iOS itself retains everything that's ever been punched in on the device. But if that is true, that means no matter how compliant your application is, the device voids that compliance.
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Mar 14, 2012, 05:22 AM
 
Who proved that?
Any storage device can be scoured for data, so if that were relevant, then only a brand new, unused computer would ever be PCI compliant, right up until you used it, and then it wouldn't be any more.
I have plenty of more important things to do, if only I could bring myself to do them....
     
macroy
Mac Elite
Join Date: Nov 2002
Location: Ellicott City, MD
Mar 22, 2012, 11:19 AM
 
PCI is a standard for processes and controls with regard to how an "organization" secures the payment information they capture/process/store.

The PA-DSS certification is mainly for specific applications that were made for the industry. However, as mduell pointed out, you don't certify general use items like an OS or even a device since they are not exclusive to environments that need to be PCI compliant. In those cases, it comes down to how these tools are implemented and what other controls are in place. So the compliance is on the organization, not just the tool or application.
     
gwilliams  (op)
Fresh-Faced Recruit
Join Date: Sep 2011
Mar 22, 2012, 05:48 PM
 
So does iOS log every single keystroke or not? I know they log your location, but does it log anything else? According to this Microsoft engineer, who also moonlights as a part-time police officer, they use iOS devices as evidence because of all the data they can get off the device. Not sure how he proved it, but I came in one day and now we're using all Microsoft products.

Now I understand that PCI compliance follows the applications, not the OS or the device. But if iOS does keep everything that is entered, that means anyone can steal the device and grab all the credit card numbers that were entered. As far as Swipe, the card numbers never get entered through iOS, therefore it's never logged.

I sure hope Apple doesn't do this; that is why I chose a forum that may be able to prove them wrong, hopefully.

Also, I've searched Google, even Yahoo, and every other search engine to see if I could get a return about an iOS logger, but there are no entries regarding this.
( Last edited by gwilliams; Mar 22, 2012 at 08:49 PM. )
     
   
 
All times are GMT -4.