With SoftPOS technology poised for widespread adoption, now is the time to seriously think about how to secure it for MPoC certification.
While SoftPOS technology is nothing new (smaller merchants and payment networks have been piloting mobile apps for accepting contactless payments on smartphones for a few years), it has never been widely adopted in the market, because the payment card industry had not defined an appropriate security standard for it. This should change by the end of the year, with the arrival of a new industry standard, MPoC (Mobile Payments on COTS), defined by the PCI SSC.
What does SoftPOS mean?
SoftPOS simply refers to the practice of using a smartphone to accept contactless and mobile payments from bank cards and e-wallets via a mobile application. Piloted by early adopters since 2017, the technology has continued to gain momentum, particularly with vendors such as MyPinPad, Rubean, VivaWallet and PayFelix, and recently Apple, which announced a SoftPOS solution.
While SoftPOS allows any merchant to accept electronic payments (by bank card or via a mobile wallet) rather than cash, moving from conventional technology based on a point-of-sale (POS) or electronic payment (TPE) terminal to a SoftPOS solution presents a challenge: security.
Securing SoftPOS: the difference between traditional payment terminals and SoftPOS
Until now, point-of-sale payment technologies have been limited to hardware devices: point-of-sale (POS) or electronic payment (TPE) terminals. These physical payment terminals are dedicated solely to processing transactions. Designed and manufactured to ensure information security, they rely on the hardware security provided by their platforms. Over time, these payment terminals have moved towards Android operating systems, and their attack surface, which until now was mainly hardware, has extended to software and mobile components.
SoftPOS technology completes this evolution, since it marks the transition from secure hardware solutions to purely software-based mobile applications installed on consumer smartphones.
Because SoftPOS solutions run on many smartphone models with different underlying hardware and software components, their security model has nothing in common with that of POS and TPE terminals. While the platform of a traditional payment terminal is considered “trustworthy”, the smartphone, a frequent target of cybercriminals, is considered “untrusted”. According to the latest “Mobile Threat” report published by Zimperium, the exploitation of zero-day vulnerabilities on mobiles increased by 466% in 2021. Mobile malware is also booming, with more than 2 million new strains in 2021.
Of course, the stakes are high. To protect against attacks and the resulting fraud, SoftPOS solutions must withstand all relevant attacks and threat actors, including malware, criminal organizations, remote hackers, and malicious actors with physical access to the device running the SoftPOS application. If the application is not properly protected, the solution can be misused and abused (false payments, unauthorized transactions on the merchant side, harvesting of bank card data, blocking of merchant accounts, etc.).
Securing SoftPOS solutions is far from simple. It requires an in-depth understanding of the solution in question, its design and the applicable security technologies, not to mention the expertise the engineers need in order to implement them.
In practice, hardware technologies such as the TEE and SE remain confined to smartphone OEMs, since regular application developers do not have access to them. Beyond this lack of access, the fragmentation of hardware technologies has led most SoftPOS developers to secure their solution with software security technology, so as to support a wide range of smartphone brands and models.
What does the appearance of the PCI MPoC standard imply for a SoftPOS application?
Unlike the existing PCI SPoC (Software-based PIN Entry on COTS) and CPoC (Contactless Payments on COTS) standards, the future MPoC (Mobile Payments on COTS) standard emphasizes modularity, new certification options and new use cases, including support for a software PIN without a dedicated Secure Card Reader (SCRP), offline transactions, and component certification.
This objective-based approach to the security requirements marks a major change of direction: it is no longer a question of dictating to a developer what they must do (obfuscate the code, for example) but of refocusing on what the solution must achieve (resist reverse engineering as far as possible, for example). This change in the nature of the security requirements not only gives developers greater freedom in design and implementation, but also transforms the security approach from simple compliance into genuine security assurance. It amounts to the difference between the letter of the law and the spirit of the law.
To take a concrete example: it is not simply a matter of applying a specific security measure such as obfuscation; what matters is the effect the measure is meant to achieve, namely making reverse engineering nearly impossible.