Blog article

How security in the mPOS game is changing

Just over ten years ago, in 2009, Jack Dorsey of Twitter fame launched Square and changed the point-of-sale (PoS) industry as it then existed. Square used a simple magnetic-stripe card reader dongle that plugged into the headphone jack of a smartphone, letting the phone accept standard card payments. Hailed as a democratizer of card acceptance, it gained significant publicity and traction, but remained largely confined to the US market because it lacked support for the EMV chip cards already standard in Europe and many other regions.

Square was followed a year later by iZettle, a Swedish company that delivered a chip-card-capable reader. It built a solid customer base in Scandinavia and the rest of Europe and continues to grow globally.

Square and iZettle were followed by a raft of other companies as the market evolved and solutions became more sophisticated. The card readers gained PIN pads, contactless interfaces, and Bluetooth and Wi-Fi connectivity. As the devices grew more capable, the line between mPOS and traditional payment terminals started to blur, and mPOS solutions were taken up by established merchants, not just the sole traders and mobile users who were the initial target market.

With complexity comes cost

With the increased capabilities came higher device costs. A reader that accepts PINs has to pass the complex and costly PCI (Payment Card Industry) PTS certification required of PIN entry devices. The higher unit cost pushed the market towards a subsidized pricing model, in which companies sold the devices below cost in the hope of recouping the discount through transaction fees.

One reaction to this cost increase and challenging business model was to look for alternatives. A number of companies, Worldpay among them, built proof-of-concept solutions in which the phone alone became the mPOS device, using the handset's built-in NFC interface to read contactless cards. These were deployed under waivers, meaning that the card schemes (e.g. Visa, Mastercard) allowed them to run within a limited scope to test the market and to understand the risks and user acceptance.

The rapid evolution of mPOS

The next mobile payment innovation was to take the PIN on the phone's touchscreen while using a cheaper, simpler card reader called a Secure Card Reader for PIN (SCRP). The SCRP has no PIN entry capability of its own: it is essentially an encrypting chip and contactless card reader, with no support for magnetic stripe cards. PCI developed a new standard to cover this arrangement, Software-based PIN Entry on COTS (SPoC), where COTS stands for Commercial Off The Shelf device. This required a significant change of mindset for PCI, as until then a PIN was only ever entered into a physically secure, specially certified hardware device. The phone, typically a consumer Android handset, has no such certification. Security rests on separating the two secrets: the card data and the PIN are encrypted under different keys held in physically separate devices. One key is loaded into the SCRP to encrypt the card data, while a different key held by the application on the COTS device encrypts the PIN, so the phone app never sees card data in the clear and the reader never sees the PIN. In addition, the standard mandates a back-end attestation and monitoring service that checks the integrity of the app and its environment and flags rogue transactions. SPoC was released in 2018 but has seen limited deployment so far.
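The key split described above, as an added example that is not part of the original post and is not PCI's or any vendor's code. The reader object holds only the card-data key, the phone app holds only the PIN key, and the back end holds both and does the monitoring. The cipher is a toy HMAC-SHA256 keystream standing in for the approved algorithms a real SCRP uses; the transaction-id pairing, message layout and the three-failure threshold are assumptions made for the illustration.

```python
"""Added example, not PCI's or any vendor's code: the SPoC key split.

The SCRP holds only the account-data key, the PIN CVM app on the phone
holds only the PIN key, and the acquirer's back end holds both.  The
cipher is a toy HMAC-SHA256 keystream standing in for the approved
algorithms a real reader uses; transaction ids, message layout and the
failure threshold are this example's own assumptions.
"""
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    """CTR-style XOR keystream from HMAC-SHA256 (toy stand-in, not AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    """Check the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


def can_open(key, blob):
    """True if `key` decrypts `blob`; models what one dumped key buys an attacker."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


class Scrp:
    """Secure Card Reader for PIN: encrypts card data, never sees the PIN."""
    def __init__(self, card_key):
        self._key = card_key

    def read_card(self, txn_id, pan):
        return seal(self._key, f"{txn_id}|{pan}".encode())


class PinCvmApp:
    """The app on the COTS phone: encrypts the PIN, never sees the PAN."""
    def __init__(self, pin_key):
        self._key = pin_key

    def enter_pin(self, txn_id, pin):
        return seal(self._key, f"{txn_id}|{pin}".encode())


class Backend:
    """Holds both keys and does the monitoring the standard requires."""
    def __init__(self, card_key, pin_key, max_failures=3):
        self._card_key, self._pin_key = card_key, pin_key
        self._max_failures = max_failures
        self._failures = {}      # rejected attempts per merchant terminal
        self.blocked = set()     # terminals taken out of service

    def authorize(self, terminal, card_blob, pin_blob):
        if terminal in self.blocked:
            return "REJECT terminal blocked"
        try:
            card_txn, pan = unseal(self._card_key, card_blob).decode().split("|")
            pin_txn, pin = unseal(self._pin_key, pin_blob).decode().split("|")
            if card_txn != pin_txn:
                raise ValueError("PIN and card data belong to different transactions")
            if not 4 <= len(pin) <= 12 or not pin.isdigit():
                raise ValueError("malformed PIN")
        except ValueError as err:
            n = self._failures[terminal] = self._failures.get(terminal, 0) + 1
            if n >= self._max_failures:
                self.blocked.add(terminal)   # monitoring response to a rogue terminal
            return f"REJECT {err}"
        # A real back end now forwards the PAN and PIN block to the issuer.
        return f"APPROVE txn={card_txn} pan_last4={pan[-4:]}"
```

The point to take from running it: an attacker who extracts the app's key from a rooted phone can read the PIN blob but cannot open the card-data blob, and a PIN blob replayed against a different transaction is rejected and counted against the terminal until the back end blocks it.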

With SPoC yet to gain traction, alternatives are already being developed. Perhaps the most interesting is a new standard called PCI Contactless Payments on COTS (CPoC). Entirely phone-based, it requires no additional hardware and allows payments from contactless cards and NFC wallets such as Apple Pay to be accepted. The trade-off is that CPoC provides no PIN entry at all: where cardholder verification is needed, it has to happen on the consumer's own device, as it does with a wallet's biometric check.

Challenges and solutions for new age mPOS

The challenge these phone-based approaches face is that there is little built-in security for the application to rely on. Android itself gives an app little protection against a hostile device owner, and the free obfuscation bundled with the Android toolchain (ProGuard, now R8) is designed for code shrinking and optimization, not protection: it renames classes and methods but leaves the logic intact and easily readable after decompilation. The Android Keystore protects keys adequately on an unrooted device, and a hardware-backed key cannot be extracted even from a rooted one, but a compromised operating system can still invoke that key on the attacker's behalf, so you cannot rely on the keystore alone. The reality is that you have to assume every device is untrusted.

Developers therefore need third-party application shielding tools to protect the application from tampering and to keep the keys safe. Application shielding solutions typically consist of two major components: application protection and white-box cryptography. Application protection uses a number of techniques to stop your application being modified or tampered with. Passive measures such as identifier and string obfuscation and control-flow flattening make the code far harder to understand for anyone who reverse engineers it; no obfuscation makes code truly undecipherable, the aim is to raise the cost of analysis. In addition, active measures should be deployed, including overlapping checksums that detect patched code and debugger (and hooking-framework) checks that detect real-time analysis, each with a defined response such as refusing to take a PIN.
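To make the overlapping-checksum idea concrete, here is an added example that is not code from the post or from any shielding vendor. A 72-byte buffer stands in for the app's code image; two guards store their CRCs inside the image, with the second guard covering the first guard's slot, and the whole-image CRC ("golden") is held off the device for the back end to check. The region layout, the use of CRC32 and the golden value are assumptions for the illustration; in a real Android app these checks live in native code, and the TracerPid parser at the end shows the usual Linux anti-debug check on constructed /proc/self/status text.

```python
"""Added example, not any vendor's shielding product: the two active
protections named above, modelled on a 72-byte buffer standing in for
the app's code image.  In a real Android app these checks live in native
code; the region layout and the "golden" value are this example's own.
"""
import zlib

# Layout of the pretend code image (assumed for the illustration).
CODE_A, CODE_B = slice(0, 32), slice(32, 64)
SLOT1, SLOT2 = slice(64, 68), slice(68, 72)   # where guard values are stored


def _crc(data):
    return zlib.crc32(bytes(data)).to_bytes(4, "big")


def build_image(code_a, code_b):
    """Return (image, golden).  Guard 1 covers both code regions; guard 2
    covers code B *and* guard 1's slot, so fixing up guard 1 after a patch
    breaks guard 2.  No local guard can cover its own slot without a
    circular checksum, so the whole-image CRC ("golden") is kept off the
    device by the back end and compared against what the app reports."""
    assert len(code_a) == 32 and len(code_b) == 32
    slot1 = _crc(code_a + code_b)
    slot2 = _crc(code_b + slot1)
    image = code_a + code_b + slot1 + slot2
    return image, _crc(image)


def local_guards_pass(image):
    """Runs on-device at start-up and on hot paths (e.g. before PIN entry)."""
    guard1 = _crc(image[CODE_A] + image[CODE_B]) == image[SLOT1]
    guard2 = _crc(image[CODE_B] + image[SLOT1]) == image[SLOT2]
    return guard1 and guard2


def remote_attest(image, golden):
    """The back-end side: compare the app's reported hash with golden."""
    return _crc(image) == golden


def classify(image, golden):
    return ("caught_locally" if not local_guards_pass(image)
            else "caught_by_backend" if not remote_attest(image, golden)
            else "clean")


def flip(image, pos):
    """A one-bit patch at `pos`, as a naive attacker would apply it."""
    b = bytearray(image)
    b[pos] ^= 0x01
    return bytes(b)


def refit_guards(image, depth):
    """What an attacker who understands the scheme must do after patching:
    depth=1 recomputes only guard 1, depth=2 also guard 2 (which depends
    on guard 1, so the order matters)."""
    b = bytearray(image)
    b[SLOT1] = _crc(b[CODE_A] + b[CODE_B])
    if depth >= 2:
        b[SLOT2] = _crc(b[CODE_B] + b[SLOT1])
    return bytes(b)


def tracer_pid(status_text):
    """Parse TracerPid from /proc/self/status; non-zero means something
    (a debugger, strace, an instrumentation agent) has ptrace-attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1])
    raise ValueError("no TracerPid field")


def debugger_attached():
    """Linux/Android only.  Complements Debug.isDebuggerConnected() in the
    Java layer, which only sees JDWP debuggers, not native ones."""
    with open("/proc/self/status") as status:
        return tracer_pid(status.read()) != 0
```

Naive patches anywhere in the image, including to a stored guard value, fail a local guard. An attacker who recomputes guard 1 after patching still trips guard 2, because guard 2 covers guard 1's slot; only after re-solving the whole chain do the local checks pass, and at that point the reported hash no longer matches the golden value held by the back end.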

Locking away the keys

In addition to application shielding, and arguably more important, is the need to protect your cryptographic keys. Attackers rarely try to break cryptographic algorithms; they go after the keys, by dumping memory or instrumenting the code at the moment a key is used. White-box cryptography libraries use sophisticated methods to keep a key protected even while it is in use, typically by merging it into lookup tables so that it never appears in memory as a distinct value. They are essential when deploying solutions to untrusted devices such as Android smartphones, but they are not unbreakable: published white-box designs have fallen to differential computation analysis, so treat them as a way to raise the attacker's cost, combined with back-end monitoring and the ability to rotate keys. Make sure that the code protection and white-box libraries you deploy have been independently evaluated and are designed to be easy to integrate.

Mobile point of sale innovations bring great value to small retailers and consumers alike, but vendors need to design in security from the ground up to mitigate the risks and ensure safe and successful large scale adoption.

This post is from a series of posts in the group: Fintech