Secure PIN-entry for PCI MPoC using Zimperium

Share this blog

The Payment Card Industry’s (PCI) Mobile Payments on COTS (MPoC) provides an industry-wide standard for software-based point-of-sale (SoftPOS) solutions. These SoftPOS solutions enable merchants to receive payments from NFC-enabled devices, such as Android or iOS smartphones and tablets.

In our earlier blog post, we explained that the upcoming MPoC standard replaces the existing PCI SPoC and PCI CPoC standards. We also examined how MPoC introduces a modular standard that offers different certification options and supports offline transactions and software-based PIN entry. MPoC enables software-based PIN entry on the same COTS device that interacts with the NFC-enabled consumer payment method, including debit and credit cards, wearable devices, and mobile wallets. As a result, this standard represents a significant breakthrough within the payment card industry. However, to employ this standard, organizations must address significant security requirements in order to safeguard the PIN data.

The upcoming MPoC standard is expected to accelerate merchants’ global adoption of SoftPOS solutions. To gain PCI certification, solution developers will need to ensure their SoftPOS solutions are compliant with the MPoC’s robust security requirements. This includes requirements for ensuring solutions protect cryptographic keys and are resistant to advanced reverse engineering and tampering of the SoftPOS mobile applications. In addition, solutions must offer visibility into threats and compromise of the COTS platform as part of the attestation and monitoring system. Finally, and most importantly, the solution must prevent the disclosure or manipulation of such assets as the cardholder’s primary account number (PAN) and PIN data.

The Need for Secure PIN Entry

Software-based PIN entry on COTS mobile devices introduces significant security risks. That’s because traditional graphical user interfaces (GUIs) are built using components provided by the operating system. These user-interface components are vulnerable to several attack techniques that enable malicious actors and malware to intercept or retrieve PIN data.

Following are a few of the common techniques that attackers can use to steal sensitive information, including PINs:

  • Screen recording
  • Activity hijacking
  • Clickjacking / Tapjacking

The above attacks are typically deployed by first tricking the merchant into installing a malicious app. This malicious app then begins monitoring the activities of the SoftPOS app and attempts to intercept sensitive information.

If a malicious actor acquires elevated device privileges, an even stronger class of attacks is possible. (This technique is customarily called “rooting” in Android devices or “jailbreaking” in iOS devices). This access gives the attacker additional power, enabling them to monitor, record, and analyze all memory and execution processes on the mobile device. These access methods can even enable side-channel attacks in which threat actors use device peripherals, such as the gyroscope or accelerometer, to capture the PIN. All these threats have to be considered and mitigated.

To combat these threats, solution providers must ensure that the PIN entry component not only thwarts as many attacks as possible but also keeps the PIN data and its encryption keys secret, even if the attacks cannot be prevented.

Zimperium Secure PIN add-on feature provides both of these capabilities.

Benefits of Using Zimperium Secure PIN

zKeyBox provides a set of tools that enable SoftPOS developers to implement a secure GUI-based PIN entry mechanism in Android applications. Combined, these tools form an add-on feature called Secure PIN. This highly configurable add-on is designed to help SoftPOS developers meet the relevant MPoC standard’s requirements for securing PIN entry.

Modern and high-end Android smartphones typically secure ‘generic’ PIN entry (for user authentication) through Trusted User Input (TUI) functionality as part of the device’s Trusted Execution Environment (TEE). However, this functionality has not been a viable option for SoftPOS solution developers for a number of reasons:

  1. The TUI functionality, as part of the device TEE, requires adaptations to be useful for SoftPOS solutions. However, as smartphone manufacturers restrict access to the TEE and its TUI functionality, this is not a viable option for SoftPOS solution developers.
  2. The TUI functionality is platform specific, which introduces significant technical fragmentation and associated complexity for SoftPOS developers.
  3. Given it is implemented within a TEE, the security of TUI depends on how secure the TEE is. TEEs are frequently subject to attacks, which can result in threat actors gaining complete access and control over the TEE. As the patching cycles for TEEs are typically long, often spanning multiple months, this would result in an unacceptably long time frame in which the solutions would be vulnerable.

Secure PIN secures PIN entry for SoftPOS solutions. This security is independent of the underlying COTS platform, meaning PIN data will remain secure even when the Android platform:

  • Is offline.
  • Is outdated or not receiving security patches.
  • Is not Google GMS (Google Mobile Service) certified, such as in the case of Android AOSP.

Build Versus Buy

It is possible to build capabilities for securing PIN entry in-house. While at first glance, this may be an appealing option, the reality is that this requires considerable development effort, and is typically too time-consuming and cost-prohibitive for most developers. The main reason to avoid building it yourself is that creating a secure solution requires ongoing expertise in several areas:

  1. Cryptographic design and protection of cryptographic keys
  2. Advanced attack techniques being employed against mobile applications and platforms
  3. Android platform security and mobile application security capabilities
  4. Regulatory compliance standards
  5. Fundamentally, teams that take on this effort must stay current on evolving threats and protection capabilities—and do so indefinitely.

With Zimperium Secure PIN, SoftPOS developers get access to a Secure PIN library developed by mobile security experts. This library is easy to integrate and compliant with the applicable security requirements of PCI MPoC. Using Secure PIN will accelerate your time to market and help you optimize your engineering efforts, so you can better support key business objectives.

Secure PIN ensures that the PIN digits entered, the entire PIN, and the PIN encryption keys are never revealed in clear text. Secure PIN provides full support for advanced key management standards, including TR-31 and DUKPT, helping to ensure compatibility with payment industry standards.

How Zimperium Enables Robust, PCI-Compliant Mobile Application Security

With security being a key aspect of SoftPOS solutions and PCI MPoC certification, it’s important to use proven mobile application security tools from solutions providers that are committed to the space.  Zimperium’s Mobile Application Protection Suite (MAPS) enables mobile payment solution developers worldwide to quickly and efficiently develop secure and compliant mobile applications.

MAPS offers comprehensive capabilities, addressing all the security needs of a mobile application developer. MAPS enables SoftPOS developers to meet PCI MPoC requirements. This suite features these leading mobile application security solutions:

  • zScan: With this solution, you can scan your app binary for security, privacy, and regulatory vulnerabilities that can be exploited by an attacker.
  • zKeyBox: zKeyBox offers state-of-the-art, white-box cryptography that protects your encryption keys and secrets while obscuring cryptographic algorithms, so an app’s execution logic is not visible to attackers, even if they gain control over the device. Secure PIN is a key capability within the zKeyBox solution. Throughout the PIN entry and encryption process, the PIN encryption key, the PIN, and individual PIN digits are always protected and never appear in the clear in device memory.
  • zShield: This solution offers advanced protection for an app’s source code, intellectual property (IP), and data. zShield safeguards code from a range of potential attacks, including reverse engineering and code tampering.
  • zDefend: zDefend is a machine learning-based device attestation tool. The tool offers runtime awareness through RASP. It delivers a vast amount of telemetry and analytics from the on-device machine learning engine to address PCI MPoC monitoring and attestation needs. zDefend protects against zero-day attacks and can be updated over the air, without requiring the app itself to be rebuilt or redistributed.

While the large-scale global adoption of contactless SoftPOS is just around the corner, Zimperium has been working with SoftPOS developers for years now. Since 2017, we’ve helped dozens of SoftPOS developers achieve their security certification with payment brands and PCI.

While security is a continuous cat-and-mouse game, Zimperium provides proven and ongoing protection for your mobile applications, even against the newest attacks and attacker tools. Our sole mission is to secure mobile devices and apps while helping our partners get their solutions to market as soon as possible, so they’ll be ready for the SoftPOS rush.

About Zimperium

Zimperium is a global leader in mobile device and app security. The Zimperium Mobile Application Protection Suite (MAPS) helps mobile application developers build secure and robust mobile apps, resistant to expert attacks. These tools are widely used in the financial industry to secure mobile banking, mobile payment, and SoftPOS applications.

MAPS is the only unified platform that combines comprehensive in-app protection with centralized threat visibility. The platform provides app shielding, cryptographic key protection, binary app scanning, and runtime protection and attestation capabilities.

To learn more on how to secure your SoftPOS application for MPoC, contact us today.

Avatar photo
Author: Tim Hartog
Mobile App Security & Payments Expert. View the author's experience and accomplishments on LinkedIn.

Get started with Zimperium today