By Christian Damour, Pre-sales Manager – Security at Fime
Digital payments have sky-rocketed in popularity as consumers have sought new, more hygienic ways to pay. SoftPOS payments offer numerous benefits to consumers and merchants alike. Comprised of software solutions that run on Android Commercial Off-The-Shelf (COTS) devices, they can enable digital payment acceptance in a cost-effective and simple way.
However, SoftPOS solutions must live up to the seamless, consistent and trusted experience provided by traditional payment terminals. Security and confidence are part of this and fundamental to the ongoing adoption and success of the technology. This blog explores the security considerations for SoftPOS solutions.
Important: app security & back-end system must work together
Some SoftPOS solutions rely on hardware-backed features such as Trusted Execution Environment (TEE) technologies to add additional security. However, most need to be hardware-agnostic to support as many devices as possible. In this case, devices could be rooted and infected with malware. So, it is extremely important to implement as many security features as possible within the mobile app itself to protect consumers and merchants. In addition, a back-end system seamlessly working with the application is required to bring additional security.
Another reason that security is so fundamental is that consumers need to feel safe and comfortable with tapping their card and in some cases entering their PIN on a stranger’s smartphone. While digital payments have recently seen a rise, in part due to the pandemic, not all consumers are on board yet. Having the relevant security certifications offers assurance that the technology is fit for purpose, valuable payment data is protected and paying will not expose consumers to fraud.
Technologies to rely on
One important security element that developers must ensure is in place on SoftPOS solutions is attestation and monitoring. This feature is there to thoroughly check the security and integrity of the solution and constantly monitor that it has not been corrupted. The mobile application sends information about the status and integrity of the application to the attestation and monitoring back-end. The back-end then checks the information, confirms that the integrity of the application has not been corrupted and, if needed, mitigates any detected threat which has not yet been resolved by the mobile app.
Other software-based security mechanisms, which can protect SoftPOS solutions and often need to be implemented on a mobile app, include:
- White-box Cryptography
Developers do not need to start from scratch to implement these measures. Most of these security features are available from software protection technology providers. In particular, it is advised that solution providers source their White-box Cryptography solution from a commercial vendor. This is because such a solution is tricky to develop in an efficient way to pass security evaluation. The good news is that a number of vendors already offer solutions which have passed the required security evaluation and are ready to be used.
Two paths to certification success
Any SoftPOS security evaluation comprises of three steps: documentation and design review, source code review, and penetration testing. But not all solutions can take the exact same approach. When evaluating the security of your SoftPOS solution, the path you take currently depends on whether the solution supports PIN entry.
- Solutions with PIN entrymust undergo the payment schemes’ pilot security programmes. These solutions must meet multiple detailed and stringent requirements to achieve certification. It can be challenging to evaluate these types of solutions, since PIN entry has to be entered on the touch screen of a device, which can be complex to secure.
The payment schemes’ pilot security programmes focus on the strength of security. This means that the evaluation looks to find vulnerabilities and performs penetration testing to assess the robustness of solutions against attackers. Throughout this process, the main component which is evaluated is the mobile payment acceptance application. The back-end is not assessed, but what is being checked is the communication between the back-end and the front-end.
- Solutions without PIN entry must be compliant with the PCI Contactless Payments on COTS (CPoC™) specification in line with payment scheme requirements. This comprises of a more formal compliance process, which requires an exhaustive set of documents to be provided as evidence by solution providers and evaluated by a security lab. Along with more documentation, the scope of the testing is more expansive. It evaluates the full solution, including both the back-end and front-end systems.
Taking the next step
It is expected that next year PCI SSC will issue a new standard called mPoC™ for mobile Payments on COTS, which will evaluate SoftPOS solutions with PIN entry. This new standard will also enable SoftPOS solution components (for example, Software Development Kits (SDK), PIN entry solutions and back-end systems) to be certified separately first and then in combination. This will provide a much more standardised approach to SoftPOS security evaluation and ensure that the full scope of these solutions is tested, rather than just the front-end.
Since solutions supporting PIN entry are most commonplace nowadays, those wanting to bring SoftPOS solutions to market know that they must undergo the payment schemes’ pilot security programmes now, and then perform the new mPoC process in the future. While this is frustrating, with the growing momentum in SoftPOS solutions, they cannot afford to wait for this standard to come in before launching their solutions. Switching to this new process will no doubt bring a new set of complexities.
Fortunately, you do not have to go through these processes alone and product roadmaps can be set to take into account the forthcoming changes. Fime’s experts can provide wide-ranging and global expertise to support the development, delivery and security evaluation of successful SoftPOS solutions. Whether it is delivering training sessions, writing the required evaluation documents or supporting you in developing solutions in line with the relevant security standards, we can help.