How to Secure Mobile Payments with Advanced Cybersecurity

Mobile Devices Have Revolutionized How We Make Transactions

Mobile devices have ushered in a seismic shift in how payments are made around the world. In this new paradigm, mobile phone-based contactless payments, authentication, and point-of-sale transactions have become commonplace—and created entirely new security and compliance risks.

It is for these reasons that banks, processors, FinTechs, merchants, and other enterprises around the world are relying upon Zimperium and its Mobile Application Protection Suite (MAPS). As a leading mobile payment security provider, Zimperium enables teams to take a comprehensive, holistic approach to mobile payments security. MAPS offers these core capabilities:

  • Vulnerability assessments. With zScan, teams can continuously discover and fix compliance, privacy, and security issues—before mobile payment apps are submitted for pentesting or go into production.
  • Conceal and obscure keys. zKeyBox protects cryptographic keys so they cannot be discovered, extracted, or manipulated while in transit, at rest, or in use.
  • Protect IP and data. zShield safeguards mobile payment app source code, intellectual property (IP), and data from a range of potential attacks, including reverse engineering and code tampering.
  • On-device protection and threat telemetry. With zDefend, teams can gain in-depth threat visibility and employ machine-learning-based run-time protection against device, network, phishing, and malware attacks.

Mobile Payment Solutions Must Comply with Policies and Regulatory Mandates

For organizations that conduct or support mobile payments, and the customers they serve, it is essential to establish robust security early and ensure compliance with relevant mandates. Following are three critical mobile payment security standards in effect today.


Payment Card Industry Security Standards Council Standards

In 2019, the Payment Card Industry Security Standards Council (PCI SSC) introduced the Contactless Payments on COTS (CPoC) standard, which covers contactless point-of-sale acceptance on commercial off-the-shelf (COTS) mobile devices such as a merchant's own smartphones and tablets. The standard requires security controls built into the payment application itself, together with ongoing monitoring and integrity (attestation) checks performed by back-end systems. Only solutions that the PCI SSC has validated are listed on the council's website. By employing validated solutions, merchants gain assurance that the integrity and confidentiality of mobile payment data will be protected.


EMVCo Software-Based Mobile Payment

In 2018, EMVCo introduced the Software-Based Mobile Payment (SBMP) program, which tests the security robustness of mobile payment SDKs and wallets against the SBMP security requirements. Those requirements cover protection of the code, the payment assets, and the cryptographic keys, and call for advanced obfuscation, anti-tampering, runtime protection, and white-box cryptography. Only solutions that have been evaluated by an accredited security laboratory and validated by EMVCo are listed on the EMVCo website. By employing validated solutions, issuing banks gain assurance that the integrity and confidentiality of mobile payment applications and their data will be protected.


Payment Services Directive 2 (PSD2)

Teams that offer mobile payments and operate or serve customers in the EU must also comply with the revised Payment Services Directive (PSD2), which includes requirements for increasing the protection of consumers and their data. To comply, teams need robust mobile payment security controls: PSD2 and its regulatory technical standards on strong customer authentication and secure communication recognize the need for multi-vector protection by specifying requirements for device and software integrity, secure communication, and data protection.

Harden & Protect Mobile Apps with App Shielding

Once a mobile payment app is deployed into production, attackers will download and inspect the app to find coding errors and vulnerabilities that they can exploit. Zimperium’s zShield hardens and protects mobile apps from these risks. This security solution for mobile payment apps provides advanced obfuscation and anti-tampering functionality that protect an app’s source code, intellectual property (IP), and data. With zShield, teams can safeguard finance, banking, payment, and mobile point-of-sale apps and SDKs against a broad array of attacks, including code analysis and tampering, malware injection, and discovery of cryptographic keys.

zShield hardens and protects mobile payment apps, offering these key capabilities:

  • Obfuscation. Leverage patented source code-level obfuscation that delivers unsurpassed protection against reverse engineering while maintaining performance.
  • Tampering defense. Embed robust tamper-detection mechanisms and automated defense responses that detect attempts to modify the code and react before the tampered app can be used.
  • Seamless development and security integrations. Harness automated capabilities that protect native, hybrid, and embedded apps.

Protect Cryptographic Keys with White-Box Cryptography

Virtually all mobile payment apps use cryptographic keys to protect communications and payment data. But encryption alone is not sufficient. Attackers rarely try to break modern ciphers; they go after the keys. Even the strongest algorithm fails once its key is recovered, and a conventional implementation necessarily holds the key in the clear in device memory at the moment it is used, where an attacker with a rooted or jailbroken device can read it from a process dump or intercept it by hooking the cryptographic library.
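To make the key-theft point concrete, here is an added example (not code from the original page or from Zimperium): a scanner that recovers an AES-128 key from a memory image by locating its expanded key schedule, the technique used by memory-forensics tools such as findaes and aeskeyfind. A standard AES implementation expands the 16-byte key into a 176-byte schedule of eleven round keys and keeps that schedule in RAM while the cipher is in use; because each round key is derived deterministically from the previous one, a 176-byte window whose bytes satisfy the FIPS-197 expansion relation can only be a key schedule. The memory image, the two planted keys (one is the FIPS-197 Appendix A.1 test key) and their offsets are constructed for the demonstration.

```python
"""
Recover AES-128 keys from a process-memory image by finding expanded key
schedules. Added illustration, not Zimperium code. The memory image below
is constructed: random filler with two key schedules planted in it.
"""
import random

SCHEDULE_LEN = 176  # AES-128: 11 round keys x 16 bytes


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, r = inv, inv
        for _ in range(4):  # s = inv ^ rotl1(inv) ^ rotl2(inv) ^ rotl3(inv) ^ rotl4(inv)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte AES-128 key -> 176-byte round-key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]              # RotWord
            t = [SBOX[b] for b in t]       # SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)        # next round constant (xtime)
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(memory):
    """Return (offset, key) for every 176-byte window that is a valid AES-128 schedule."""
    hits = []
    for off in range(len(memory) - SCHEDULE_LEN + 1):
        candidate = bytes(memory[off:off + 16])
        # Expanding the first 16 bytes must reproduce the other 160 exactly.
        # Random or unrelated data practically never satisfies the relation.
        if expand_key_128(candidate) == memory[off:off + SCHEDULE_LEN]:
            hits.append((off, candidate))
    return hits


def build_sample_memory(keys, offsets, size=4096, seed=7):
    """Constructed memory image: deterministic random filler with schedules planted at offsets."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    for key, off in zip(keys, offsets):
        mem[off:off + SCHEDULE_LEN] = expand_key_128(key)
    return bytes(mem)


if __name__ == "__main__":
    keys = [bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),   # FIPS-197 A.1 key
            bytes.fromhex("000102030405060708090a0b0c0d0e0f")]   # constructed
    image = build_sample_memory(keys, offsets=[512, 2300])
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#06x}: key = {key.hex()}")
```

Against a real dump the same scan is run over the pages of the target process (AES-192 and AES-256 use 208- and 240-byte schedules and the same test). Nothing about the cipher is broken; the key is simply read back out of memory, which is why the next paragraph's approach of never materializing the key in the clear matters.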

Zimperium zKeyBox leverages white-box cryptography to protect keys and secrets within mobile payment applications. This solution transforms the cryptographic algorithm so that the key is merged into the computation itself and never appears in the clear, neither in the binary nor in memory during execution, and the resulting execution logic resists tracing and reverse engineering. Consequently, the key cannot simply be lifted from a memory dump or a hooked cryptographic library, even if the device itself has been compromised, rooted or jailbroken. White-box implementations are themselves an attack target, so they belong alongside code obfuscation and runtime integrity checks rather than in place of them.

Detect Risks with Runtime Application Self-Protection (RASP)

Today’s mobile payment apps continue to be targeted by increasingly sophisticated cyberattacks. Zimperium’s zDefend enables teams to safeguard these apps against evolving attacks without the need for continuous updates of the app binary, and ensure they remain compliant with relevant mobile payment security standards and regulations.

The solution helps teams detect and remediate threats to an app, including identifying suspicious user behavior, compromised devices, network attacks, and interference from other apps. Further, with the solution, teams can establish strong customer authentication capabilities, which are vital in mitigating the risk posed by failures elsewhere in the security ecosystem.

zDefend features a highly configurable software development kit (SDK), so mobile payment security providers can seamlessly embed Zimperium's machine learning-based detection engine, z9, directly into mobile payment apps. With the engine embedded, an app can determine at run time whether the smartphone is compromised, whether a network attack is under way, and whether malicious apps are installed. The zDefend engine is continuously updated without requiring a new app binary to be built and delivered.
