mPOS Security: Defending the Newest Mobile Point of Sale Solutions

By Asaf Ashkenazi
January 31, 2019
in Featured Content, Fraud & Security, Merchant, Point-of-sale, Security

Businesses that accept payment cards, which is nearly every business in the world, can look forward to taking advantage of a new generation of Mobile Point of Sale (mPOS) solutions. These include innovations that enable a merchant to accept payment via a Commercial Off-The-Shelf (COTS) device like an iPhone or Android smartphone. It is now even possible to accept payment from cards that use the EMV chip that is quickly becoming standard around the world.

Such new mPOS options are more affordable than traditional POS systems, and they enable new levels of in-store mobility. However, a number of mPOS security issues emerge at the same time. Making POS available on any device creates a newly widened attack surface. Luckily, countermeasures are available to facilitate a secure transition to this new generation of mPOS systems.

The Business Potential of the New Generation of mPOS Solutions

Over the last decade, there has been a gradual transformation of the payment card industry as technology liberated cards from traditional payment terminals. Products like Square put payment card processing into the hands of small businesses that were previously unable to afford a POS system. Making payments possible on a generic mobile device let salespeople move more freely in a retail environment or take payment processing on the road. The revolution continues.

While mPOS continues to grow in popularity, the advent of EMV chips on payment cards threw up a temporary obstacle for mPOS. Security breaches in retail led merchants to use EMV chips rather than magnetic stripes for payment processing. Since older mPOS solutions couldn’t process these chips, they were rendered inadequate for modern payments.

The answer has appeared in the form of a new generation of mPOS tools. These include downloadable smartphone mPOS applications, which allow any Android phone to conduct “tap-to-pay” transactions using Near-Field Communication (NFC) radio signals from another device or contactless card.

EMV chip-enabled cards typically follow one of two methods of user verification: Chip and PIN, where the cardholder is verified using a Personal Identification Number (PIN), and Chip and Signature, where the cardholder’s signature is used to verify the cardholder. In the USA, Mexico and parts of South America and Asia, Chip and Signature is more popular, whereas Chip and PIN cards are more common in most European countries as well as in Brazil, India, Canada, Australia and New Zealand.

Tap-to-pay transactions are limited to low dollar amounts which don’t require a PIN or a signature.

PCI, the payment card industry’s standards body, has also issued a new specification that will permit standard mobile devices to accept payment cards with EMV chips. Referred to as PIN-on-COTS or more generally as “PIN on Glass”, these mPOS systems represent a breakthrough, as they are able to accept higher value payments as well as the required PIN.

PIN-on-COTS systems feature a detached chip reader and downloadable payment processing software. The customer places his or her card in the chip reader and then enters their PIN right onto the smartphone’s touchscreen, or “glass”. There is no need for a separate PIN entry device (PED) — more cost savings for merchants.

mPOS Security Risks in the New Platforms

The new mPOS solutions, convenient and economical as they may be, threaten to expose merchants and their customers to new cybersecurity risks. Unlike closed payment processing systems, they rely on the security of the commercial off-the-shelf device and the downloadable app. This means attackers might be able to access the card processing app if they can penetrate the mobile device’s operating system or another app that’s running on it in parallel with the mPOS app.

A malicious actor might be able to eavesdrop on the connection between the EMV card reader and the mPOS app. Without proper encryption safeguards and diligent patching of known mobile code exploits, this would let the attacker steal the card number and its PIN. That’s the kind of data that’s valuable for hackers, who often trade it on the Dark Web. It’s reasonable to assume that new mPOS PIN-on-COTS systems would be frequent, desirable targets for cybercrime.

Solving mPOS Security Risks

Countermeasures for mPOS need to focus on creating a separation between the PIN and the card’s credentials – the cardholder’s name, card number and expiration date. With PIN-on-COTS, the chip reader should protect the card’s credentials. Given the variability of mobile devices, however, it may be difficult for mPOS app-makers to keep up with required security duties. Even for the Tap-to-Pay solution, which does not require PINs, there is still the issue of cryptographic key management within the app. This key management must be secure and maintained in order to protect the cardholder’s personal data.

Securing Software at the Coding Stage

One approach to mPOS security that’s gaining traction in the industry is to embed security into the coding framework itself. This aligns with secure engineering principles. By using pre-designed, pre-tested secure code modules, mPOS app developers can avoid the rigorous and risky work of creating security countermeasures in their own original code.

mPOS security means more than just encrypting data. Developers must secure the entire application, including its code, processes, data and cryptographic keys. The best practice is to utilize software protection tools for mPOS that make it challenging and prohibitively time-consuming for attackers to break in.

New mPOS innovations introduce many possibilities for businesses that want the advantages of mobile payments. mPOS security is an issue, however, and it must be addressed. It is not reasonable to expect app makers to shoulder the entire burden of securing mPOS solutions. Frameworks that build security countermeasures into the code offer a way forward.

Asaf Ashkenazi is vice president of strategy at Inside Secure (www.insidesecure.com), a global cybersecurity company.
