Early Tap-to-Phone trials started in 2015 and the approach was officially approved in 2019 with the launch of PCI’s Contactless Payments on COTS specification (COTS stands for “Consumer Off-the-Shelf” – a standard Android phone in this case). The launch of formal standards has accelerated the number of solutions in development.
PCI is an organization focused on payment security, so it is not surprising that the recent specification defines strict measures that must be implemented. As a security-focused organization, PCI will never compromise on security just to aid a more convenient deployment model.
Modern in-store card payments are based around a cryptographic challenge-response. The terminal generates the challenge, which the card then signs to authorize the transaction. Keeping that cryptographic operation secure is the aim of the PCI specification. If this operation is safe, then the payment transaction is secure.
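The challenge-response described above, as an added illustration that is not code from the page, from PCI or from Verimatrix. It uses HMAC-SHA256 over the transaction data and a terminal-generated unpredictable number as a stand-in for the card's cryptogram; real EMV key derivation and message formats are not modelled, and the key and transaction values are constructed. It shows what the verifying host checks, and therefore what is lost if the terminal's side of the operation (fresh challenge, untampered amount) is compromised:

```python
"""Simplified model of a terminal/card challenge-response with host verification.

Assumptions (this example only): HMAC-SHA256 stands in for the card's
cryptogram algorithm, a 4-byte random value stands in for the terminal's
unpredictable number, and the card key is a constructed constant.
"""
import hashlib
import hmac
import secrets

# Constructed sample key shared between the card and the issuer host.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def terminal_challenge() -> bytes:
    """Terminal side: generate a fresh, unpredictable challenge."""
    return secrets.token_bytes(4)


def transaction_data(amount_cents: int, currency: str, challenge: bytes) -> bytes:
    """Canonical byte encoding of everything the card commits to."""
    return amount_cents.to_bytes(6, "big") + currency.encode("ascii") + challenge


def card_respond(key: bytes, amount_cents: int, currency: str, challenge: bytes) -> bytes:
    """Card side: authorize by MACing the transaction data, challenge included."""
    return hmac.new(key, transaction_data(amount_cents, currency, challenge), hashlib.sha256).digest()


class IssuerHost:
    """Host side: recompute the cryptogram and reject replayed challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_challenges = set()

    def verify(self, amount_cents: int, currency: str, challenge: bytes, cryptogram: bytes) -> bool:
        if challenge in self._seen_challenges:
            return False  # same challenge presented twice: treat as replay
        expected = hmac.new(self._key, transaction_data(amount_cents, currency, challenge),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount, currency or challenge was altered in transit
        self._seen_challenges.add(challenge)
        return True


if __name__ == "__main__":
    host = IssuerHost(CARD_KEY)
    ch = terminal_challenge()
    cg = card_respond(CARD_KEY, 1999, "EUR", ch)
    print("genuine:", host.verify(1999, "EUR", ch, cg))
    print("replayed:", host.verify(1999, "EUR", ch, cg))
    print("tampered amount:", host.verify(2999, "EUR", terminal_challenge(), cg))
```

The replay check is only as good as the challenge: if a compromised terminal app could be made to emit predictable or repeated challenges, the host could no longer distinguish a fresh authorization from a recorded one, which is why the specification concentrates on protecting this operation.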
An important step when launching a new Tap-to-Phone implementation is the required audit by an approved security lab. These labs conduct an independent assessment to ensure compliance with the PCI specification. For consumers, compliance means that they can continue to trust payment networks. For vendors, compliance should be viewed as more than an entry requirement: its real aim is to minimize exposure to risk for them and for all other stakeholders.
Protecting Transactions on COTS with App Shielding Solutions
Tap-to-Phone raises massive security questions. There is a move from an established and trusted security model to a new model that has not been seen before in the POS market. Of course, mobile payments and their associated security have been proven elsewhere, such as in HCE cloud-based payments.
Like HCE, Tap-to-Phone runs all of the transaction processing within the mobile app, on the same mobile device on which the merchant does their own mobile banking, messages via WhatsApp and plays Fortnite. This demands that the transaction flows and the processing of the transaction be secure and ring-fenced, exactly as with certified secure HCE payment applications.
Operating on COTS devices means that the payment processing cryptography must be performed in a pure software environment – which requires whitebox cryptography and wider app shielding technologies. Without this hardening, the SoftPOS application will be vulnerable to attack and payment processing will be exposed.
For added assurance that the components in the solution are in a secure state, an Attestation framework is required. It must be able to check the application and its runtime environment, and to react to and mitigate risks to the overall security of the solution.
The Attestation framework is split into two parts: the application running on the COTS device and a back-end server. Firstly, the application will perform local Attestation of the runtime environment (called type 1 by the specification), taking action to mitigate any immediate threats – Application Shielding Environmental Checks can provide this functionality. These checks can either be run at predetermined times and events or upon request of the server with the result sent to the server as proof. Secondly, runtime monitoring data will be collected and sent to the server component for independent verification (type 2).
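The two-part flow just described (local type 1 checks with immediate mitigation, then type 2 verification on a back-end server), as an added example that is neither Verimatrix's nor PCI's code. The check names, the use of an HMAC over the report with a per-installation key, the freshness window and the server policy are all assumptions made for this illustration; the environment snapshots are constructed. The point it makes is that the server does not trust the app's own verdict: it re-evaluates the raw findings under its own, stricter policy and rejects unsigned, replayed or stale reports:

```python
"""Type 1 (on-device) and type 2 (server-side) attestation, simplified.

Assumptions (this example only): an attestation key provisioned per
installation, a server-issued nonce per request, HMAC-SHA256 over the JSON
report, and a constructed list of environmental checks.
"""
import hashlib
import hmac
import json
import secrets

# Constructed per-installation key; in a real deployment it would be
# provisioned at enrolment and protected by the app-shielding layer.
DEVICE_KEY = hashlib.sha256(b"constructed-demo-device-key").digest()


def local_checks(env: dict) -> dict:
    """Type 1: environmental checks run inside the app. `env` is a snapshot
    of the runtime (constructed dict here; a real shield gathers this itself)."""
    return {
        "root_detected": bool(env.get("su_binary_present") or env.get("bootloader_unlocked")),
        "debugger_attached": bool(env.get("debugger_attached")),
        "emulator": bool(env.get("is_emulator")),
        "hooking_framework": bool(env.get("hooking_framework")),
        "app_integrity_ok": bool(env.get("apk_signature_ok", True)),
    }


def local_decision(findings: dict) -> str:
    """Immediate local mitigation: stop the transaction path on findings the
    app can act on by itself, leave the rest to the server's independent view."""
    critical = (findings["debugger_attached"] or findings["hooking_framework"]
                or not findings["app_integrity_ok"])
    return "block" if critical else "allow"


def build_report(key: bytes, nonce: bytes, findings: dict, now: int) -> dict:
    """Package findings with the server's nonce and a timestamp, then MAC them."""
    body = {"nonce": nonce.hex(), "ts": now, "findings": findings}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class AttestationServer:
    """Type 2: independent verification of reported runtime data."""

    def __init__(self, key: bytes, max_age_s: int = 60):
        self._key = key
        self._max_age_s = max_age_s
        self._outstanding = {}  # nonce hex -> issue time

    def issue_nonce(self, now: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce.hex()] = now
        return nonce

    def verify(self, report: dict, now: int) -> tuple:
        """Returns (accepted, reason). Each nonce is consumed on first use."""
        expected = hmac.new(self._key, report["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["tag"]):
            return (False, "bad signature")
        body = json.loads(report["payload"])
        if self._outstanding.pop(body["nonce"], None) is None:
            return (False, "unknown or reused nonce")
        if now - body["ts"] > self._max_age_s:
            return (False, "stale report")
        f = body["findings"]
        # Server policy is deliberately stricter than the local one: rooted
        # or emulated devices are declined here even though the app allowed them.
        if (f["root_detected"] or f["emulator"] or f["debugger_attached"]
                or f["hooking_framework"] or not f["app_integrity_ok"]):
            return (False, "policy: unsafe environment")
        return (True, "ok")


if __name__ == "__main__":
    server = AttestationServer(DEVICE_KEY)
    now = 1_700_000_000
    nonce = server.issue_nonce(now)
    findings = local_checks({"su_binary_present": True})  # constructed rooted device
    print("local:", local_decision(findings))
    print("server:", server.verify(build_report(DEVICE_KEY, nonce, findings, now), now + 5))
```

Running the demo shows the split the page describes: the app lets a rooted but otherwise untampered device proceed locally, while the server, evaluating the same findings independently, declines it.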
Enabling Card Acceptance with Software Security
Verimatrix’s new eBook investigates the benefits that SoftPOS solutions like Tap-to-Phone bring and provides clear guidelines that will benefit anyone concerned with implementing the correct security, smoothing the path to certification and ultimately to market launch.