SoftPOS is gaining traction in the Point of Sale market.
While SoftPOS isn’t new (small merchants and payment brands have been piloting mobile applications to accept contactless payments for a few years now), it has never been fully adopted by the larger market because there has been no appropriate industry-wide PCI standard for SoftPOS. This is expected to change later this year, when PCI’s new industry standard, MPoC (Mobile Payments on COTS), is due to be introduced.
With SoftPOS on the brink of large market adoption, now is the time to think seriously about how to secure your SoftPOS solution in preparation for PCI MPoC certification.
What is SoftPOS?
SoftPOS is, simply, the practice of using a smartphone to accept contactless cards and mobile payments via a mobile application. SoftPOS has been in an early adopter phase since 2017 and has been growing in momentum ever since with solution providers like MyPinPad, Rubean, VivaWallet, PayFelix, and recently even Apple announcing a SoftPOS solution.
SoftPOS solutions are predominantly available for Android devices; Apple does not provide access to its contactless interface (NFC) to third-party app developers. While Apple did acquire Mobeewave – one of the first SoftPOS solution providers – in 2020, it was only recently that Apple disclosed further details of its Tap to Pay on iPhone solution for large payment platform providers like Stripe and Adyen.
While SoftPOS enables any merchant to accept electronic (card or mobile-based) payments instead of cash, moving from traditional hardware-based POS technology to SoftPOS solutions comes with a challenge: security.
Securing SoftPOS: The difference between traditional payment terminals and SoftPOS
Traditionally, in-person POS technology has been limited to hardware devices, the physical Point of Sale terminals. These physical payment terminals are purpose-built; the only thing they do is process transactions. POS terminals were designed and built with security in mind and relied primarily on hardware security provided by the platform. While there are always ways to compromise such payment terminals, those attack vectors were tested against the PCI PTS requirements, which have a strong focus on hardware security. Over time, these purpose-built payment terminals evolved and transitioned to Android-based platforms, widening the attack surface from predominantly hardware attacks to software and mobile attacks as well.
SoftPOS completes this evolution, as it marks the transition from purpose-built, hardware-secured solutions to purely software-based mobile applications on consumer smartphones.
SoftPOS solutions run on many different models of smartphones, comprising different underlying hardware and software, which makes their security a different story entirely from traditional POS terminals. Whereas the platform of a traditional hardware-based payment terminal was considered ‘trusted’, smartphones are a popular target for cybercriminals and are very much ‘not trusted’. According to Zimperium’s most recent Mobile Threat Report, 2021 saw a 466% increase in exploited zero-day mobile vulnerabilities. Mobile malware has also been on the rise, with more than 2 million new strains in 2021.
In other words, with SoftPOS the underlying platform provided by the smartphone can’t be considered ‘trusted’, and as a result the SoftPOS application can’t rely on the security of the device or its mobile operating system. This should not come as a surprise: smartphones, in contrast to payment terminals, have not been designed, developed, or secured as payment terminals. There are also numerous examples of zero-day and remote exploits for both Android and iOS smartphones, including exploits that impact the hardware-based security, the source code, and the Trusted Execution Environments (TEEs) inside these devices.
And of course, the stakes are high. If a SoftPOS app is compromised, the attack can be repeated at scale across devices, increasing the scale of potential fraud and impacting both consumers and merchants.
To guard against attacks and subsequent fraud, SoftPOS solutions need to be resistant to all relevant attacks and threat actors, including malware, criminal organizations, remote attackers, and malicious actors with physical access to the device running the SoftPOS app. If the SoftPOS app is inadequately protected, the solution can be abused in several ways, as described earlier by the PCI Accredited Security Lab Riscure. Examples include consumers or attackers faking or refunding payments, merchants performing unauthorized transactions, collection of card data for Card-Not-Present Fraud (CNPF), and blocking of merchant accounts.
Securing SoftPOS solutions is not an easy task. Doing so requires a thorough understanding of the solution, its design, and the available security technologies, as well as the expertise to implement them together with your engineers. In theory, SoftPOS solution developers have three main technologies available to help secure their SoftPOS app:
- Software-based security technology
- Trusted Execution Environment (TEE)
- Secure Element (SE)
In practice, however, hardware-based technology such as TEEs and SEs has proven to be largely restricted to smartphone OEMs, as ordinary application developers don’t have access to it. Beyond the lack of access, the fragmentation of hardware-based technology across devices has led most SoftPOS developers to secure their solution with software-based security technology, so that they can offer broad support for many different device brands and smartphone models.
What does the PCI MPoC standard mean for your SoftPOS app?
In contrast to the existing PCI SPoC and CPoC standards, the upcoming Mobile Payments on COTS (MPoC) standard introduces modularity, new certification options, and new use cases, including support for software PIN without the need for an SCRP (Secure Card Reader for PIN), offline transactions, and certification of individual components.
Alongside the functional expansion and the advances in certification options, the MPoC standard introduces a fundamental change for PCI in the security requirements themselves, changing their nature from highly prescriptive to objective-based.
The objective-based requirements bring an important shift from prescribing what a developer must do (e.g. obfuscate the code) to what the solution needs to achieve (e.g. be highly resistant to reverse engineering). This change in the nature of the security requirements not only gives developers more design and implementation freedom but also changes the approach to security from simplistic compliance to actual security assurance. This shift is like comparing the letter of the law to the spirit of the law.
Or, in a more concrete example: it’s not only about applying a specific security measure such as obfuscation; it’s about the intended effect that measure should achieve, namely being highly resistant to reverse engineering.
How Zimperium enables robust PCI-compliant mobile application security
With security being a key aspect of SoftPOS solutions and PCI MPoC certification, it’s important to use proven mobile application security tools. Zimperium’s Mobile Application Protection Suite (MAPS) enables mobile payment solution developers worldwide to build secure and compliant mobile applications in a straightforward manner.
MAPS takes a holistic view of mobile application security and addresses all the security needs of a mobile application developer. This suite of four leading mobile application security tools enables SoftPOS developers to meet PCI MPoC requirements:
- zKeyBox: state-of-the-art white-box cryptography that protects your encryption keys and secrets, while obscuring the cryptographic algorithms so that an app’s execution logic is not visible to an attacker, even if the device is in their hands.
- zShield: advanced protection for an app’s source code, intellectual property (IP), and data from potential attacks like reverse engineering and code tampering.
- zDefend: our machine-learning-based device attestation tool with runtime awareness through RASP. It delivers a vast amount of telemetry and analytics from the on-device ML engine to cover the MPoC Monitoring & Attestation needs. zDefend protects against zero-day attacks and can be updated over-the-air without the need to rebuild and redistribute the app itself.
- zScan: a tool that scans your app binary for risks that could be exploited by an attacker.
While the large-scale global adoption of contactless SoftPOS is just around the corner, Zimperium has been working with SoftPOS developers for years now. Since 2017, we’ve helped dozens of SoftPOS developers achieve their security certification with payment brands and PCI.
While security is a continuous cat-and-mouse game, Zimperium provides proven and ongoing protection for your mobile applications, even against the newest attacks and attacker tools. Our sole mission is to secure mobile devices and apps while helping our partners get their solutions to market as soon as possible, ready for the SoftPOS rush.
Zimperium is a global leader in mobile device and app security. The Zimperium Mobile Application Protection Suite (MAPS) helps mobile application developers build secure and robust mobile apps, resistant against expert attacks. These tools are widely used in the financial industry to secure mobile banking, mobile payment, and SoftPOS applications.
MAPS is the only unified platform that combines comprehensive in-app protection with centralized threat visibility. The platform provides app shielding, key protection, app scanning, and runtime protection capabilities. To learn more about how to secure your SoftPOS application for MPoC, contact us today.