PaymentsJournal

mPOS Security: Defending the Newest Mobile Point of Sale Solutions

by Asaf Ashkenazi
January 31, 2019
in Featured Content, Merchant, Point-of-sale, Security

Businesses that accept payment cards, which is nearly every business in the world, can look forward to taking advantage of a new generation of Mobile Point of Sale (mPOS) solutions. These include innovations that enable a merchant to accept payment via a Commercial Off-The-Shelf (COTS) device like an iPhone or Android smartphone. It is now even possible to accept payment from cards that use the EMV chip that is quickly becoming standard around the world.

Such new mPOS options are more affordable than traditional POS systems, and they enable new levels of in-store mobility. However, a number of mPOS security issues emerge at the same time. Making POS available on any device creates a newly widened attack surface. Luckily, countermeasures are available to facilitate a secure transition to this new generation of mPOS systems.

The Business Potential of the New Generation of mPOS Solutions

Over the last decade, there has been a gradual transformation of the payment card industry as technology liberated cards from traditional payment terminals. Products like Square put payment card processing into the hands of small businesses that were previously unable to afford a POS system. Making payments possible on a generic mobile device let salespeople move more freely in a retail environment or take payment processing on the road. The revolution continues.

While mPOS continues to grow in popularity, the advent of EMV chips on payment cards throws up a temporary obstacle for mPOS. Security breaches in retail led merchants to use EMV chips rather than magnetic stripes for payment processing. Since older mPOS solutions couldn’t process these chips, they were rendered inadequate for modern payments.

The answer has appeared in the form of a new generation of mPOS tools. These include smartphone downloadable mPOS applications, which allow any Android phone to conduct “tap-to-pay” transactions using Near-Field Communication (NFC) radio signals from another device or contactless card.

EMV chip-enabled cards typically follow one of two methods of user verification: Chip and PIN, where the cardholder is verified using a Personal Identification Number (PIN), and Chip and Signature, where the cardholder's signature is used to verify the cardholder. In the USA, Mexico and parts of South America and Asia, Chip and Signature is more popular, whereas Chip and PIN cards are more common in most European countries as well as in Brazil, India, Canada, Australia and New Zealand.

Tap-to-pay transactions are limited to low dollar amounts that don’t require a PIN or a signature.

PCI, the payment card industry’s standards body, has also issued a new specification that will permit standard mobile devices to accept payment cards with EMV chips. Referred to as PIN-on-COTS or more generally as “PIN on Glass”, these mPOS systems represent a breakthrough, as they are able to accept higher value payments as well as the required PIN.

PIN-on-COTS systems feature a detached chip reader and downloadable payment processing software. The customer places his or her card in the chip reader and then enters their PIN right onto the smartphone’s touchscreen, or “glass”. There is no need for a separate PIN entry device (PED) — more cost savings for merchants.

mPOS Security Risks in the New Platforms

The new mPOS solutions, convenient and economical as they may be, threaten to expose merchants and their customers to new cybersecurity risks. Unlike closed payment processing systems, they rely on the security of the commercial off-the-shelf device and the downloadable app. This means attackers might be able to access the card processing app if they can penetrate the mobile device’s operating system or an app that’s running on it in parallel with the mPOS app.

A malicious actor might be able to eavesdrop on the connection between the EMV card reader and the mPOS app. Without proper encryption safeguards and diligent patching of known mobile code exploits, this would let the attacker steal the card number and its PIN. That’s the kind of data that’s valuable for hackers, who often trade it on the Dark Web. It’s reasonable to assume that new mPOS PIN-on-COTS systems would be frequent, desirable targets for cybercrime.

Solving mPOS Security Risks

Countermeasures for mPOS need to focus on creating a separation between the PIN and the card’s credentials – the cardholder’s name, card number and expiration date. With PIN-on-COTS, the chip reader should protect the card’s credentials. Given the variability of mobile devices, however, it may be difficult for mPOS app-makers to keep up with required security duties. Even for the Tap-to-Pay solution, which does not require PINs, there is still the issue of cryptographic key management within the app. This key management must be secure and maintained in order to protect the cardholder’s personal data.

Securing Software at the Coding Stage

One approach to mPOS security that’s gaining traction in the industry is to embed security into the coding framework itself. This aligns with secure engineering principles. By using pre-designed, pre-tested secure code modules, mPOS app developers can avoid the rigorous and risky work of creating security countermeasures in their own original code.

mPOS security means more than just encrypting data. Developers must secure the entire application, including its code, processes, data and cryptographic keys. The best practice is to utilize software protection tools for mPOS that make it challenging and prohibitively time-consuming for attackers to break in.

New mPOS innovations introduce many possibilities for businesses that want the advantages of mobile payments. mPOS security is an issue, however, and it must be addressed. It is not reasonable to expect app makers to shoulder the entire burden of securing mPOS solutions. Frameworks that build security countermeasures into the code offer a way forward.

Asaf Ashkenazi is vice president of strategy at Inside Secure (www.insidesecure.com), a global cybersecurity company.

Tags: EMV, mPOS, Security