
By Christian Damour, Pre-sales Manager – Security at Fime

Digital payments have sky-rocketed in popularity as consumers have sought new, more hygienic ways to pay. SoftPOS payments offer numerous benefits to consumers and merchants alike. Comprised of software solutions that run on Android Commercial Off-The-Shelf (COTS) devices, they can enable digital payment acceptance in a cost-effective and simple way.

However, SoftPOS solutions must live up to the seamless, consistent and trusted experience provided by traditional payment terminals. Security and confidence are part of this and fundamental to the ongoing adoption and success of the technology. This blog explores the security considerations for SoftPOS solutions.

Important: app security & back-end system must work together

Some SoftPOS solutions rely on hardware-backed features such as Trusted Execution Environment (TEE) technologies to add additional security. However, most need to be hardware-agnostic to support as many devices as possible. In this case, devices could be rooted and infected with malware. So, it is extremely important to implement as many security features as possible within the mobile app itself to protect consumers and merchants. In addition, a back-end system seamlessly working with the application is required to bring additional security.

Another reason that security is so fundamental is that consumers need to feel safe and comfortable with tapping their card and in some cases entering their PIN on a stranger’s smartphone. While digital payments have recently seen a rise, in part due to the pandemic, not all consumers are on board yet. Having the relevant security certifications offers assurance that the technology is fit for purpose, valuable payment data is protected and paying will not expose consumers to fraud.

Technologies to rely on

One important security element that developers must ensure is in place on SoftPOS solutions is attestation and monitoring. This feature is there to thoroughly check the security and integrity of the solution and constantly monitor that it has not been corrupted. The mobile application sends information about the status and integrity of the application to the attestation and monitoring back-end. The back-end then checks the information, confirms that the integrity of the application has not been corrupted and, if needed, mitigates any detected threat which has not yet been resolved by the mobile app.

Other software-based security mechanisms, which can protect SoftPOS solutions and often need to be implemented on a mobile app, include:

  • Anti-Tampering
  • Anti-Rooting
  • Anti-Instrumentation
  • Anti-Emulation
  • Anti-Debugging
  • Device-Binding
  • Obfuscation
  • White-box Cryptography
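The attestation-and-monitoring exchange described above, together with device-binding and the anti-rooting, anti-instrumentation and anti-tampering signals in the list, can be made concrete with a small simulation. The following is an added example, not Fime's code and not part of any commercial protection SDK; it assumes a per-device HMAC key provisioned at enrolment (standing in for device-binding), a server-issued nonce for freshness, a constructed approved build hash, and constructed signal names and back-end policy. The app runs its local checks and sends a MAC'd report; the back-end verifies origin, freshness and build integrity, then decides whether to allow, allow with a mitigation, or block.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values: a per-device key established at enrolment (device-binding)
# and the hash of the approved app build. Real deployments keep the key in
# hardware-backed or white-box storage and the approved hashes in the back-end.
DEVICE_KEYS = {"device-0001": bytes.fromhex("11" * 32)}
APPROVED_APP_HASHES = {"sha256:constructed-release-build"}

# Signals the app's self-checks can raise, grouped by how the back-end reacts.
FATAL_SIGNALS = {"rooted", "emulator", "debugger_attached", "tamper_detected"}
WARN_SIGNALS = {"instrumentation_framework"}
NONCE_TTL_SECONDS = 60


class SoftPosApp:
    """Client side: runs local checks and sends a MAC'd integrity report."""

    def __init__(self, device_id, key, app_hash):
        self.device_id, self.key, self.app_hash = device_id, key, app_hash

    def build_report(self, nonce, signals):
        report = {"device_id": self.device_id, "nonce": nonce,
                  "app_hash": self.app_hash, "signals": sorted(signals)}
        # Canonical serialisation so the MAC covers exactly what is sent.
        body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body, mac


class AttestationBackEnd:
    """Server side: verifies origin, freshness and integrity, then decides."""

    def __init__(self):
        self._pending = {}  # device_id -> (nonce, issued_at)

    def challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self._pending[device_id] = (nonce, time.time())
        return nonce

    def verify(self, body, mac):
        report = json.loads(body)
        device_id = report.get("device_id")
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return {"decision": "deny", "reason": "unknown_device"}
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return {"decision": "deny", "reason": "bad_mac"}
        # Each nonce is single-use: a resent report is treated as a replay.
        pending = self._pending.pop(device_id, None)
        if (pending is None or pending[0] != report.get("nonce")
                or time.time() - pending[1] > NONCE_TTL_SECONDS):
            return {"decision": "deny", "reason": "stale_or_replayed"}
        if report.get("app_hash") not in APPROVED_APP_HASHES:
            return {"decision": "deny", "reason": "unapproved_build"}
        signals = set(report.get("signals", []))
        fatal = sorted(signals & FATAL_SIGNALS)
        if fatal:
            return {"decision": "deny", "reason": "fatal:" + ",".join(fatal),
                    "action": "block_transactions"}
        warn = sorted(signals & WARN_SIGNALS)
        if warn:
            return {"decision": "allow_with_mitigation",
                    "reason": "warn:" + ",".join(warn),
                    "action": "disable_pin_entry"}
        return {"decision": "allow", "reason": "clean"}


def run_scenarios():
    """Exercise the exchange end to end; returns the back-end decision per case."""
    backend = AttestationBackEnd()
    app = SoftPosApp("device-0001", DEVICE_KEYS["device-0001"],
                     "sha256:constructed-release-build")
    results = {}
    # 1. Healthy device: challenge, report, allow.
    body, mac = app.build_report(backend.challenge(app.device_id), [])
    results["clean"] = backend.verify(body, mac)
    # 2. Same report sent again: the nonce was consumed, so it is a replay.
    results["replay"] = backend.verify(body, mac)
    # 3. Root detected locally and reported: fatal, transactions blocked.
    body, mac = app.build_report(backend.challenge(app.device_id), ["rooted"])
    results["rooted"] = backend.verify(body, mac)
    # 4. Instrumentation framework seen: allowed, but PIN entry is disabled.
    body, mac = app.build_report(backend.challenge(app.device_id),
                                 ["instrumentation_framework"])
    results["instrumented"] = backend.verify(body, mac)
    # 5. Report edited in transit to hide the root signal: MAC no longer matches.
    body, mac = app.build_report(backend.challenge(app.device_id), ["rooted"])
    forged = body.replace(b'"signals":["rooted"]', b'"signals":[]')
    results["forged"] = backend.verify(forged, mac)
    # 6. Report from a device that was never enrolled: device-binding fails.
    stranger = SoftPosApp("device-9999", b"\x00" * 32, "sha256:constructed-release-build")
    body, mac = stranger.build_report("unused", [])
    results["unknown_device"] = backend.verify(body, mac)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:15s} -> {decision}")
```

The design point is the one the text makes: the app's local checks are necessary but not sufficient on a device that may be rooted, so the back-end independently authenticates the report (device key), rejects replays (single-use nonce with a TTL), pins the approved build, and applies the mitigation itself rather than trusting the app to do so. A production scheme would sign with a hardware-backed or white-box-protected key rather than a shared HMAC secret, and would key the approved-hash list per release.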

Developers do not need to start from scratch to implement these measures. Most of these security features are available from software protection technology providers. In particular, it is advised that solution providers source their White-box Cryptography solution from a commercial vendor. This is because such a solution is tricky to develop in an efficient way to pass security evaluation. The good news is that a number of vendors already offer solutions which have passed the required security evaluation and are ready to be used.

Two paths to certification success

Any SoftPOS security evaluation comprises three steps: documentation and design review, source code review, and penetration testing. But not all solutions can take the exact same approach. When evaluating the security of your SoftPOS solution, the path you take currently depends on whether the solution supports PIN entry.

  • Solutions with PIN entry must undergo the payment schemes’ pilot security programmes. These solutions must meet multiple detailed and stringent requirements to achieve certification. It can be challenging to evaluate these types of solutions, since the PIN has to be entered on the touch screen of the device, which is complex to secure.

The payment schemes’ pilot security programmes focus on the strength of security. This means that the evaluation looks to find vulnerabilities and performs penetration testing to assess the robustness of solutions against attackers. Throughout this process, the main component evaluated is the mobile payment acceptance application. The back-end itself is not assessed, but the communication between the back-end and the front-end is.

Taking the next step

It is expected that next year PCI SSC will issue a new standard called mPoC™ for mobile Payments on COTS, which will evaluate SoftPOS solutions with PIN entry. This new standard will also enable SoftPOS solution components (for example, Software Development Kits (SDK), PIN entry solutions and back-end systems) to be certified separately first and then in combination. This will provide a much more standardised approach to SoftPOS security evaluation and ensure that the full scope of these solutions is tested, rather than just the front-end.

Since solutions supporting PIN entry are most commonplace nowadays, those wanting to bring SoftPOS solutions to market know that they must undergo the payment schemes’ pilot security programmes now, and then perform the new mPoC process in the future. While this is frustrating, with the growing momentum in SoftPOS solutions, they cannot afford to wait for this standard to come in before launching their solutions. Switching to this new process will no doubt bring a new set of complexities.

Fortunately, you do not have to go through these processes alone and product roadmaps can be set to take into account the forthcoming changes. Fime’s experts can provide wide-ranging and global expertise to support the development, delivery and security evaluation of successful SoftPOS solutions. Whether it is delivering training sessions, writing the required evaluation documents or supporting you in developing solutions in line with the relevant security standards, we can help.
