How to Secure Mobile Payments with Advanced Cybersecurity

Mobile Devices Have Revolutionized How We Make Transactions

Mobile devices have ushered in a seismic shift in how payments are made around the world. In this new paradigm, mobile phone-based contactless payments, authentication, and point-of-sale transactions have become commonplace—and created entirely new security and compliance risks.

It is for these reasons that banks, processors, FinTechs, merchants, and other enterprises around the world are relying upon Zimperium and its Mobile Application Protection Suite (MAPS). As a leading mobile payment security provider, Zimperium enables teams to take a comprehensive, holistic approach to mobile payments security. MAPS offers these core capabilities:

  • Vulnerability assessments. With zScan, teams can continuously discover and fix compliance, privacy, and security issues—before mobile payment apps are submitted for pentesting or go into production.
  • Conceal and obscure keys. zKeyBox protects cryptographic keys so they cannot be discovered, extracted, or manipulated when transmitted, stored, and used
  • Protect IP and data. zShield safeguards mobile payment app source code, intellectual property (IP), and data from a range of potential attacks, including reverse engineering and code tampering.
  • On-device protection and threat telemetry. With zDefend, teams can gain in-depth threat visibility and employ machine-learning-based run-time protection against device, network, phishing, and malware attacks.
Get a Demo
Woman Using Mobile Smart Phone

Mobile Payment Solutions Must Comply with Policies and Regulatory Mandates

For organizations that conduct or support mobile payments, and the customers they serve, it is essential to establish robust security early and ensure compliance with relevant mandates. Following are three critical mobile payment security standards in effect today.


Payment Card Industry Security Standards Council Standards

Since 2018, the Payment Card Industry Security Standards Council (PCI SSC) has introduced payment standards for smartphones, including the Secure PIN on COTS (SPoC) and Contactless Payments on COTS (CPoC). The newest standard, Mobile Payments on COTS (MPoC), which will replace SPoC and CPoC, was published in November 2022. The PCI MPoC program is focused on applying security objectives for point-of-sale transactions that are running on standard mobile platforms and includes support for PIN entry on the COTS device. The MPoC program requires that SoftPOS applications have security controls built-in to protect payment assets (e.g. PIN and Cardholder data), cryptographic keys, and the SoftPOS application itself. A pivotal change with MPoC are the requirements regarding attacker resistance of the solution, meaning that only solutions meeting the attacker resistance threshold are secure enough to pass the security certification and be featured on the PCI council’s website.


EMVCo Software-Based Mobile Payment

In 2018, EMVCo introduced the Software-Based Mobile Payment program. This program is focused on testing the security robustness of mobile payment SDKs and wallets against the SBMP security requirements. These requirements cover protecting the code, the payment assets and the cryptographic keys and require advanced obfuscation, anti-tampering, runtime protection and white-box cryptographic solutions. Only solutions that have been evaluated by an accredited security laboratory, validated by EMVCo, are listed on the EMVCo website. By employing validated solutions, issuing banks gain the assurance that the integrity and confidentiality of mobile payment applications and its data will be protected.


Payment Service Directive 2

Teams that offer mobile payments and operate or serve customers in the EU must also comply with the Payment Service Directive 2 (PSD2), which includes requirements for increasing the protection of consumers and their data. To comply with PSD2, teams need to establish robust mobile payment security solutions. PSD2 recognizes the need for multi-vector protection by specifying requirements for device and software integrity, secure communication, and data protection.

Why SoftPOS Vendors Are Embracing Zimperium’s Application Security

Halo Dot has chosen to use Zimperium’s enterprise-grade Mobile Application Security Suite (MAPS) to achieve their security goals. Zimperium MAPS allows Halo Dot to deliver their SoftPOS application and Software Development Kit (SDK) to their customers at the best price point in a hyper-competitive and rapidly evolving SoftPOS space.

Download Case Study

Harden & Protect Mobile Apps with App Shielding

Once a mobile payment app is deployed into production, attackers will download and inspect the app to find coding errors and vulnerabilities that they can exploit. Zimperium’s zShield hardens and protects mobile apps from these risks. This security solution for mobile payment apps provides advanced obfuscation and anti-tampering functionality that protect an app’s source code, intellectual property (IP), and data. With zShield, teams can safeguard finance, banking, payment, and mobile point-of-sale apps and SDKs against a broad array of attacks, including code analysis and tampering, malware injection, and discovery of cryptographic keys.

zShield hardens and protects mobile payment apps, offering these key capabilities:

  • Obfuscation. Leverage patented source code-level obfuscation that delivers unsurpassed protection against reverse engineering while maintaining performance.
  • Tampering defense. Embed robust tamper-detection mechanisms and automated defense responses to prevent any attempts at compromising code.
  • Seamless development and security integrations. Harness automated capabilities that protect native, hybrid, and embedded apps.

Leverages White-Box Cryptography to Protect Cryptographic Keys

Virtually all mobile payment apps use cryptographic keys to encrypt communications containing sensitive data. But encryption alone is not sufficient. Today, cybercriminals are not trying to break advanced encryption algorithms; they are focused on stealing the keys. Even the strongest encryption methods fail when cryptographic keys are compromised, and the reality is that most cryptographic implementations are vulnerable.

Zimperium zKeyBox leverages white-box cryptography to protect keys and secrets within mobile payment applications. This solution transforms and obscures cryptographic algorithms so that keys never appear in the clear and the execution logic is untraceable. Consequently, keys cannot be extracted—even if the device itself has been compromised, rooted or jailbroken.

zKeyBox also offers an add-on tool that enables developers to implement a secure graphical user interface (GUI)-based PIN entry in Android applications. The add-on is designed to meet the relevant security requirements regarding PIN entry as defined in the MPoC standard, while providing a highly configurable solution to SoftPOS developers.

Detect Risks with Runtime App Self-Protection (RASP)

Today’s mobile payment apps continue to be targeted by increasingly sophisticated cyberattacks. Zimperium’s zDefend enables teams to safeguard these apps against evolving attacks without the need for continuous updates of the app binary, and ensure they remain compliant with relevant mobile payment security standards and regulations.

The solution helps teams detect and remediate threats to an app, including identifying suspicious user behavior, compromised devices, network attacks, and interference from other apps. Further, with the solution, teams can establish strong customer authentication capabilities, which are vital in mitigating the risk posed by failures elsewhere in the security ecosystem.

zDefend features an innovative software development kit (SDK) that is highly configurable, so mobile payment security providers can seamlessly embed Zimperium’s machine learning-based detection engine, z9, directly into mobile payment apps. With the engine embedded, mobile apps can immediately determine if the smartphone is compromised, if any network attacks are occurring, and if malicious apps are installed. The zDefend engine is continuously updated, all without requiring a new binary app to be built and delivered.

Get a Demo

Sign Up For Our Newsletter

Get the latest Mobile Security News and Updates in your inbox

Get started with Zimperium today