
Top tips for securing SoftPOS payments. (Chapter 4)

June 02, 2021
Christian Damour, Pre-sales Manager – Security at Fime

Digital payments have sky-rocketed in popularity as consumers have sought new, more hygienic ways to pay. SoftPOS payments offer numerous benefits to consumers and merchants alike. Comprised of software solutions that run on Commercial Off-The-Shelf (COTS) devices, they can enable digital payment acceptance in a cost-effective and simple way. 

However, SoftPOS solutions must live up to the seamless, consistent and trusted experience provided by traditional payment terminals. Security and confidence are part of this and fundamental to the ongoing adoption and success of the technology. 

This blog, the final iteration in our SoftPOS series, explores the security considerations for SoftPOS solutions. Also, check out the rest of the series: the first blog provides an introduction to SoftPOS, the second blog covers the hardware considerations and the third blog offers insight into the software complexities. 

Important: app security & back-end system must work together.

Some SoftPOS solutions rely on hardware-backed features such as Trusted Execution Environment (TEE) technologies to add security. However, most need to be hardware-agnostic to support as many devices as possible. In this case, devices could be rooted or jailbroken and infected with malware. So, it is extremely important to implement as many security features as possible within the mobile app itself to protect consumers and merchants. In addition, a back-end system working seamlessly with the application is required to bring additional security.

Another reason that security is so fundamental is that consumers need to feel safe and comfortable with tapping their card and in some cases entering their PIN on a stranger’s smartphone. While digital payments have recently seen a rise, in part due to the pandemic, not all consumers are on board yet. Having the relevant security certifications offers assurance that the technology is fit for purpose, valuable payment data is protected and paying will not expose consumers to fraud.  

Technologies to rely on.

One important security element that developers must ensure is in place on SoftPOS solutions is attestation and monitoring. This feature is there to thoroughly check the security and integrity of the solution and constantly monitor that it has not been corrupted. The mobile application sends information about the status and integrity of the application to the attestation and monitoring back-end. The back-end then checks the information, confirms that the integrity of the application has not been corrupted and, if needed, mitigates any detected threat which has not yet been resolved by the mobile app. 

Other software-based security mechanisms, which can protect SoftPOS solutions and often need to be implemented on a mobile app, include:

  • Anti-Tampering

  • Anti-Rooting

  • Anti-Instrumentation

  • Anti-Emulation

  • Anti-Debugging

  • Device-Binding

  • Obfuscation

  • White-box Cryptography
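The attestation-and-monitoring exchange described above, and the role the listed in-app checks play in it, can be illustrated with a small simulation. The following is an added example, not Fime's code and not taken from any SoftPOS product: the app packages its self-check results with a server-issued nonce, signs them with a device-bound key, and the back-end verifies the signature and nonce freshness, inspects the check results and quarantines a device whose report fails. The check names, the HMAC-based signing, the JSON report layout and the 60-second nonce lifetime are all assumptions made for illustration; the platform-specific detection logic behind each check is deliberately not implemented.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed self-check results as a hardware-agnostic app might report them.
# The real detection logic behind each check is platform-specific and not shown.
HEALTHY_CHECKS = {
    "app_signature_intact": True,   # anti-tampering
    "not_rooted": True,             # anti-rooting
    "no_instrumentation": True,     # anti-instrumentation
    "not_emulator": True,           # anti-emulation
    "no_debugger": True,            # anti-debugging
}


class AttestationBackend:
    """Back-end side: verifies signed reports and decides whether the app may take payments."""

    def __init__(self, nonce_ttl_s=60):
        self.device_keys = {}     # device_id -> key issued at enrolment (device binding)
        self.issued_nonces = {}   # nonce -> (device_id, issued_at)
        self.quarantined = set()  # devices whose last report failed a check
        self.nonce_ttl_s = nonce_ttl_s

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_nonce(self, device_id, now=None):
        nonce = secrets.token_hex(16)
        self.issued_nonces[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, device_id, report_json, tag_hex, now=None):
        now = time.time() if now is None else now
        key = self.device_keys.get(device_id)
        if key is None:
            return ("deny", "unknown device")
        if device_id in self.quarantined:
            return ("deny", "device quarantined")
        expected = hmac.new(key, report_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            return ("deny", "bad signature")
        report = json.loads(report_json)
        if report.get("device_id") != device_id:
            return ("deny", "device id mismatch")
        entry = self.issued_nonces.pop(report.get("nonce"), None)  # one-time use
        if entry is None or entry[0] != device_id:
            return ("deny", "nonce unknown, reused or issued to another device")
        if now - entry[1] > self.nonce_ttl_s:
            return ("deny", "nonce expired")
        checks = report.get("checks", {})
        failed = sorted(name for name, ok in checks.items() if not ok)
        missing = sorted(set(HEALTHY_CHECKS) - set(checks))  # omitted checks count as failed
        if failed or missing:
            self.quarantined.add(device_id)  # mitigation until the device is re-evaluated
            return ("deny", "checks failed: " + ",".join(failed + missing))
        return ("allow", "ok")


def build_report(device_id, nonce, checks):
    """App side: bind self-check results to the server nonce; sort_keys gives a canonical encoding."""
    return json.dumps({"device_id": device_id, "nonce": nonce, "checks": checks}, sort_keys=True)


def sign_report(key, report_json):
    """App side: HMAC with the device-bound key (white-box or TEE-protected in a real app)."""
    return hmac.new(key, report_json.encode(), hashlib.sha256).hexdigest()


def attest(backend, device_id, key, checks, now=None):
    """One full round trip: nonce -> signed report -> back-end decision."""
    nonce = backend.issue_nonce(device_id, now)
    report_json = build_report(device_id, nonce, checks)
    return backend.verify(device_id, report_json, sign_report(key, report_json), now)


def demo():
    """Walk through the normal flow and the failure modes the back-end must catch."""
    backend = AttestationBackend(nonce_ttl_s=60)
    key = backend.enroll("dev-1")
    results = {"healthy": attest(backend, "dev-1", key, HEALTHY_CHECKS, now=1000)}

    # Report altered in transit: the signature no longer matches the body.
    nonce = backend.issue_nonce("dev-1", now=1000)
    honest = build_report("dev-1", nonce, dict(HEALTHY_CHECKS, not_rooted=False))
    forged = honest.replace('"not_rooted": false', '"not_rooted": true')
    results["tampered"] = backend.verify("dev-1", forged, sign_report(key, honest), now=1000)

    # Replay of an already accepted report: the nonce has been consumed.
    nonce = backend.issue_nonce("dev-1", now=1000)
    rep = build_report("dev-1", nonce, HEALTHY_CHECKS)
    tag = sign_report(key, rep)
    backend.verify("dev-1", rep, tag, now=1000)
    results["replay"] = backend.verify("dev-1", rep, tag, now=1001)

    # Stale nonce presented long after it was issued.
    nonce = backend.issue_nonce("dev-1", now=1000)
    rep = build_report("dev-1", nonce, HEALTHY_CHECKS)
    results["expired"] = backend.verify("dev-1", rep, sign_report(key, rep), now=2000)

    # Genuine failed check: denied, and the device stays quarantined afterwards.
    results["rooted"] = attest(backend, "dev-1", key, dict(HEALTHY_CHECKS, not_rooted=False), now=1000)
    results["after_quarantine"] = attest(backend, "dev-1", key, HEALTHY_CHECKS, now=1000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

The point of the simulation is the division of labour the blog describes: the app can only report what it observes, so the back-end must independently guard against forged, replayed and stale reports before it trusts the check results, and it must hold a mitigation (here, quarantine) that the app cannot undo on its own.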

Developers do not need to start from scratch to implement these measures. Most of these security features are available from software protection technology providers. In particular, it is advised that solution providers source their White-box Cryptography solution from a commercial vendor. This is because such a solution is tricky to develop in an efficient way to pass security evaluation. The good news is that a number of vendors already offer solutions which have passed the required security evaluation and are ready to be used. 

Two paths to certification success.

Any SoftPOS security evaluation comprises three steps: documentation and design review, source code review, and penetration testing. But not all solutions can take the exact same approach. When evaluating the security of your SoftPOS solution, the path you take currently depends on whether the solution supports PIN entry. 

  • Solutions with PIN entry must undergo Payment Card Industry - Mobile Payments on COTS (PCI MPoC™) security evaluation. These solutions must meet multiple detailed and stringent requirements to achieve certification. It can be challenging to evaluate these types of solutions, since the PIN has to be entered on the touch screen of a device, which can be complex to secure.

  • Solutions without PIN entry must be compliant with the PCI Contactless Payments on COTS (CPoC™) or PCI Mobile Payments on COTS (PCI MPoC™) specification, in line with payment scheme requirements. Both PCI CPoC and PCI MPoC comprise a formal compliance process, which requires an exhaustive set of documents to be provided as evidence by solution providers and evaluated by a security lab. Along with documentation, the scope of the testing is expansive. It evaluates the full solution, including both the back-end and front-end systems.

Taking the next step.

In November 2022, the Payment Card Industry - Security Standards Council (PCI SSC) issued a new standard called PCI MPoC™ for Mobile Payments on COTS, which evaluates SoftPOS solutions with PIN entry. This new standard will also enable SoftPOS solution components (for example, Software Development Kits (SDK) and back-end systems) to be certified separately first and then in combination. This provides a much more standard approach to SoftPOS security evaluation and ensures that the full scope of these solutions is tested, rather than just the front-end. 

Since solutions supporting PIN entry are most commonplace nowadays, those wanting to bring SoftPOS solutions to market know that they must undergo the new PCI MPoC process as of now. 

Fortunately, you do not have to go through this process alone and product roadmaps can be set to take into account the inherent complexities. Fime’s experts can provide wide-ranging and global expertise to support the development, delivery and security evaluation of successful SoftPOS solutions. Whether it is delivering training sessions, writing the required evaluation documents or supporting you in developing solutions in line with the relevant security standards, we can help. 

Learn more about Fime’s extensive range of SoftPOS services. 
