How to secure mobile payment applications?
Payment terminals are undergoing a revolution! These objects used to be cumbersome and monotonous, but they have evolved towards more flexible and affordable models. First came the standalone point of sale, which popularised bank card payments.
As more and more card schemes required internet connections to perform transaction monitoring, points of sale became connected devices.
The mPOS (mobile point of sale) was launched and popularised by Square with the arrival of the smartphone: a more discreet device than its predecessors but, above all, more mobile, less expensive and connected through the mobile phone.
The latest innovation is the SoftPOS (Software point of sale), a software payment terminal in the form of a smartphone application that no longer depends on a single object dedicated to this service.
If SoftPOS offers a new model that is much more practical than traditional payment terminals, what about its security? How can the information between the bank card and this software solution be transmitted without fault? Here are some explanations.
SoftPOS was created with a specific goal in mind: to be able to use COTS (commercial off-the-shelf) devices, otherwise known as “consumer” devices, such as an iPhone, a Samsung, a Xiaomi or any other recent smartphone model, to accept payments with a bank card.
So, after the SoftPOS application has been downloaded, the smartphone activates its NFC antenna (NFC being a short-range electromagnetic data exchange protocol) to accept bank cards.
Therefore, in a SoftPOS transaction, the steps are as follows:
The transaction should be authorized in seconds.
At a time when consumers prefer to pay by credit card or smartphones, the innovative SoftPOS system has many advantages for sellers:
While contactless payments are increasingly common, accepting them with smartphones presents a significant technical challenge. Not all smartphones have built-in security, and their versatility presents a higher risk. As a result, they may be more vulnerable to fraud!
Fortunately, the phone industry has already made great strides in security. Major technology players such as Apple, Google and Samsung have built contactless mobile payment systems to make payments and to store virtual credit cards: Google Pay, Apple Pay, etc. Therefore, we can expect increased security for receiving payments as a seller too.
Furthermore, with the increase in the use of dematerialised payment, it is essential to encrypt the data exchanged between the bank card and the smartphone. The aim is to ensure that cardholder data is kept safe and cannot be stolen.
To compensate for the possible lack of security of these devices, it is possible to rely on a reference organisation: the Payment Card Industry Security Standards Council, or PCI SSC. This association brings together the major players in the payment industry, which define security standards and certifications for each kind of solution. Their objective is to ensure the security of transactions and of transaction data, both for sellers and for providers.
This organisation has implemented various standards, including PCI Contactless Payments on COTS (PCI CPoC), which was introduced at the end of 2019. It removes the need to use a bank card reader and uses the contactless capabilities of a COTS device, such as a smartphone. Since then, software-based payment solutions need to pass the PCI CPoC certification.
PCI CPoC requires security functions that are very difficult to develop. SoftPOS players therefore often turn to providers who offer ready-to-implement security solutions. However, it can be challenging to know where to turn. The American organisation EMVCo has therefore created an additional certification: an EMVCo-certified security solution has already been shown to meet the requirements of PCI CPoC certification. Thus, by choosing an EMVCo-certified security solution, the SoftPOS payment solution provider can obtain PCI CPoC certification without a laboratory having to evaluate the strength of the security functions again.
As you can see, SoftPOS solution providers need to be PCI CPoC certified to market their solutions. The easiest way to get there is to buy an EMVCo-certified security solution.
QShield, a security software product developed by Quarkslab, is one of the essential software solutions for securing a SoftPOS application. Indeed, our software protection tool lets you benefit from security building blocks that are EMVCo certified, which guarantees PCI CPoC certification.
It is the easiest technological solution to obtain the necessary certification to market your SoftPOS application with peace of mind! So contact us!