The last year has seen a lot of activity in the mobile payment ecosystem with regard to the risk associated with Commercial Off The Shelf (COTS) devices becoming not only a payment method (Google Pay, Samsung Pay etc) but, more significantly, payment terminals ready to accept payments. A ‘COTS device’ is a mobile device (e.g. a phone or wearable) intended for distribution to and use by the mass market, and traditionally was not designed exclusively for making or accepting payments.
Historically, COTS devices have been viewed with caution: insecure and too risky to handle sensitive payment data, unless of course they have a hardware tamper-resistant Secure Element (SE). However, there was a significant shift in 2013 when Host Card Emulation (HCE) became mainstream, which meant an NFC-enabled COTS device with no SE could be used to make payments. A combination of tokenisation (so that the device holds a limited-use token rather than the real card number) and software security techniques such as white-box cryptography meant the risk of exposure associated with COTS devices with no SE could be managed to levels acceptable to the stakeholders, hence Google Pay.
Whilst HCE was a big deal, something even more interesting and consequential is happening with regard to the use of COTS devices for payment acceptance. In January 2018, the Payment Card Industry Security Standards Council (PCI SSC) published a new standard – Software-Based PIN Entry on COTS Security Requirements (SPoC). This standard sets out the security requirements for a payment acceptance solution where PIN entry is performed on a COTS device. It is the first in a series of software-based security standards to be published by PCI SSC. With the industry specifications becoming available, we are beginning to see a flavour of how these solutions will emerge: Square has deployed a “SPoC-like” solution, and both Worldpay and Mobeewave are deploying solutions which use the mobile device itself to accept NFC contactless payments.
A few weeks ago, PCI SSC published the PCI Software Security Framework – a collection of independent standards and their associated validation processes that address the security of payment software. The standards within the framework thus far are the PCI Secure Software Standard (PCI SSS) and the PCI Secure Software Lifecycle Standard (PCI Secure SLC): just what our world needs, more acronyms to remember.
The PCI SSS addresses the design, development and maintenance of payment software in a way that protects payment data and minimises the risk of its exposure. The standard sets out requirements that ensure the integrity of sensitive data at rest, during processing and in transit. PCI Secure SLC, in a similar vein, provides baseline requirements that ensure software vendors integrate security at every stage of the software lifecycle. So, whilst PCI SSS is about specific payment software products, PCI Secure SLC addresses security in the processes of the vendors that build them.
Finally, in what has been a relentless churn of exciting standards over the past year, PCI SSC has recently announced it is working on the PCI Contactless Payments on COTS (CPoC) Standard, to be published by the end of the year. The goal of the standard is to define the security requirements that will allow COTS mobile devices to accept contactless payments without the need for an additional hardware adaptor or dongle. Similarly, EMVCo has established the Software-Based Mobile Payment (SBMP) Approval Process, which checks that software payment solutions meet the minimum levels of security needed to protect against known attacks.
The implications of these developments could be profound, potentially turning every mobile device into a POS for payment acceptance. Small or mobile merchants would no longer need to purchase dongles, pair them with their phones and keep them charged in order to accept card payments; they could just download the app and start taking payments.
Will this mean the end of traditional POS? Not in the near term. Software mobile POS is more about enabling more merchants to accept card payments.
At Consult Hyperion we’ve worked with standards bodies, software and hardware vendors and the mobile industry for over three decades to ensure our Clients’ design and product aspirations are met to the highest levels of security. We interrogate architecture, we assess risk and we identify vulnerabilities before our Clients’ reputations are put at risk.