
Five tips to build a compliant SoftPOS app


Contactless payments were already growing before the Covid-19 pandemic, but stricter rules around surface cleanliness and the use of cash have accelerated their use significantly. In a global study, Mastercard found that 80% of people surveyed preferred contactless payments, and 74% intended to continue with the payment form post-pandemic. Similarly, Accenture forecasts that $7 trillion worth of transactions will have moved from cash to cards and digital payments by 2023. 

One of the strongest forces driving this growth has been the pre-existing near-field communication (NFC) technology built into many smartphones and tablets. With NFC, commercial off-the-shelf (COTS) devices can be turned into payment devices known as software point of sale (SoftPOS) terminals. 

The benefits of SoftPOS for both businesses and payment processors are manifold and include:

  • No need for specialized hardware
  • Can be used on a wide variety of already owned or cheap smart devices
  • Reconciles payments over cellular connection, allowing them to be used from virtually anywhere
  • Can speed up payment processes to improve till throughput
  • Widens access for accepting digital payments in emerging markets


Excellent growth potential and global scalability means that many software developers and digital payment providers are publishing SoftPOS apps to either enter or expand their presence in the field. To do so, they need to consider the security and compliance elements that will determine the success and uptake of their SoftPOS software. Here we take a look at some of the most important factors to consider.

Five tips to build a compliant SoftPOS app 

1. Understand the standards

The PCI Security Standards Council (PCI SSC) is the global body that publishes the security standards the card brands expect payment companies to meet. It maintains separate standards for merchants and payment processors (PCI DSS) and has more recently published standards for SoftPOS technology, starting with Contactless Payments on COTS (CPoC), which we explored in detail in a separate whitepaper.

The PCI standards for SoftPOS include requirements on how account data is handled, which cryptography is used, and how cryptographic keys are managed. Certification is a practical prerequisite for acceptance by the major card brands: PCI compliance is not mandated by U.S. federal law, but the card brands require it contractually of merchants and payment processors, so in practice it is treated as mandatory.

2. Use a white-box cryptography solution that facilitates certification

The PCI standards for SoftPOS prioritize the protection of consumer data, payment information, and funds. Strong cryptography and encryption key security are necessary to protect the entire lifecycle of a SoftPOS transaction. This would normally be achieved with hardware support, such as a trusted execution environment (TEE), but not every COTS device ships with an accessible TEE, and where one exists, its capabilities and the way it is exposed vary by vendor.

To be compliant, SoftPOS apps must employ either software-based or hybrid security to protect transactions when hardware support isn't available. The requirements for a software-only, white-box security approach are delineated in the PCI CPoC Standard. Opting for a white-box-only approach can significantly improve time-to-market and the range of supported devices, since it does not depend on device-specific hardware. White-box cryptography solutions geared specifically toward the PCI CPoC requirements will further accelerate development and certification timelines. For example, look for support for Derived Unique Key Per Transaction (DUKPT) key management and TR-31 key blocks (now ANSI X9.143), so that you do not have to build and validate these controls yourself.
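As an added example (not code from the original post, from Intertrust, or from PCI SSC), the Python below shows what two of the controls named above look like on the wire. It parses and validates the cleartext header of a TR-31 key block, applies an illustrative terminal-side key policy (an assumption of this example, not PCI text) under which a BDK must be derive-only and non-exportable and the PIN and account-data keys are separate encrypt-only keys, and it splits a DUKPT key serial number (KSN) into its initial-key identifier and 21-bit transaction counter, advancing the counter under DUKPT's at-most-ten-set-bits rule. All key blocks and KSNs are constructed for illustration, with dummy encrypted-key and MAC fields; nothing is decrypted, so no crypto library is needed.

```python
"""Inspect TR-31 key block headers and DUKPT key serial numbers (KSNs).

Added example for this article, not Intertrust's or PCI SSC's code. It reads
only the cleartext header of a TR-31 key block (ANSI X9.143, formerly TR-31)
and the KSN of a DUKPT transaction, so no key is unwrapped. Every key block
and KSN below is constructed; the encrypted key and MAC fields are dummy hex.
"""
from dataclasses import dataclass, field
from math import comb

# Per version ID: MAC length and cipher block size, both in hex characters.
VERSION_INFO = {"A": (8, 16), "B": (16, 16), "C": (8, 16), "D": (32, 32)}


@dataclass
class Tr31Header:
    version: str
    key_usage: str       # "B0" BDK, "P0" PIN encryption key, "D0" data encryption key
    algorithm: str       # "T" TDES, "A" AES
    mode_of_use: str     # "X" derive keys only, "E" encrypt only, "B" both, ...
    key_version: str
    exportability: str   # "N" non-exportable, "E" exportable, "S" sensitive
    optional_blocks: dict = field(default_factory=dict)
    key_and_mac_hex: str = ""   # left encrypted; a real parser verifies the MAC before use


def parse_tr31_header(block: str) -> Tr31Header:
    """Validate the fixed header and optional blocks without touching key material."""
    if len(block) < 16 or block[0] not in VERSION_INFO:
        raise ValueError("not a TR-31 key block")
    mac_len, cipher_block = VERSION_INFO[block[0]]
    if int(block[1:5]) != len(block):
        raise ValueError("declared length does not match actual length")
    if block[14:16] != "00":
        raise ValueError("reserved header field must be '00'")
    hdr = Tr31Header(block[0], block[5:7], block[7], block[8], block[9:11], block[11])
    pos = 16
    for _ in range(int(block[12:14])):
        block_id, length, data_start = block[pos:pos + 2], int(block[pos + 2:pos + 4], 16), pos + 4
        if length == 0:   # extended form: "00", then length-of-length, then the length itself
            len_len = int(block[pos + 4:pos + 6], 16)
            length, data_start = int(block[pos + 6:pos + 6 + len_len], 16), pos + 6 + len_len
        if length < 4 or pos + length > len(block):
            raise ValueError(f"bad optional block {block_id!r}")
        hdr.optional_blocks[block_id] = block[data_start:pos + length]
        pos += length
    if pos % cipher_block:
        raise ValueError("header plus optional blocks must end on a cipher block boundary")
    hdr.key_and_mac_hex = block[pos:]
    if len(hdr.key_and_mac_hex) <= mac_len or (len(hdr.key_and_mac_hex) - mac_len) % cipher_block:
        raise ValueError("encrypted key data is missing or not block-aligned")
    return hdr


# Illustrative terminal-side policy (an assumption of this example, not PCI text):
# key usage -> (permitted modes of use, permitted exportability).
KEY_POLICY = {
    "B0": ({"X"}, {"N"}),   # BDK: only derives DUKPT keys and must never leave the white-box
    "P0": ({"E"}, {"N"}),   # PIN encryption key: the terminal only ever encrypts PIN blocks
    "D0": ({"E"}, {"N"}),   # account data key: encrypt only, kept separate from the PIN key
}


def check_key_policy(hdr: Tr31Header) -> list:
    """Return the policy violations for a parsed header; an empty list means acceptable."""
    policy = KEY_POLICY.get(hdr.key_usage)
    if policy is None:
        return [f"key usage {hdr.key_usage!r} is not permitted on the terminal"]
    modes, exports = policy
    problems = []
    if hdr.algorithm not in ("A", "T"):
        problems.append(f"algorithm {hdr.algorithm!r} is not AES or TDES")
    if hdr.mode_of_use not in modes:
        problems.append(f"mode of use {hdr.mode_of_use!r} not allowed for {hdr.key_usage}")
    if hdr.exportability not in exports:
        problems.append(f"exportability {hdr.exportability!r} not allowed for {hdr.key_usage}")
    return problems


COUNTER_BITS = 21
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def parse_ksn(ksn_hex: str) -> tuple:
    """Split a 10-byte DUKPT KSN into its initial-key identifier and 21-bit transaction counter."""
    if len(ksn_hex) != 20:
        raise ValueError("KSN must be 10 bytes (20 hex characters)")
    ksn = int(ksn_hex, 16)
    return f"{ksn & ~COUNTER_MASK:020X}", ksn & COUNTER_MASK


def next_counter(counter: int):
    """Advance the counter as DUKPT does: at most ten 1-bits, never reused; None when exhausted."""
    counter += 1
    while counter <= COUNTER_MASK and bin(counter).count("1") > 10:
        counter += 1
    return counter if counter <= COUNTER_MASK else None


def usable_keys_per_ksn() -> int:
    """Distinct per-transaction keys one initial key yields (counters with 1..10 bits set)."""
    return sum(comb(COUNTER_BITS, k) for k in range(1, 11))


# Constructed samples (dummy encrypted key and MAC hex, not real key material).
KSN_BLOCK = "KS18" + "FFFF9876543210E00000"        # optional block "KS": initial KSN
BDK_BLOCK = "B0112B0TX00N0200" + KSN_BLOCK + "PB080000" + "0123456789ABCDEF" * 4
EXPORTABLE_BDK_BLOCK = "B0112B0TX00E0200" + KSN_BLOCK + "PB080000" + "0123456789ABCDEF" * 4
PIN_KEY_BLOCK = "D0128P0AE00N0100" + "PB10" + "0" * 12 + "89ABCDEF" * 12

if __name__ == "__main__":
    for name, blk in [("BDK", BDK_BLOCK), ("exportable BDK", EXPORTABLE_BDK_BLOCK), ("PIN key", PIN_KEY_BLOCK)]:
        hdr = parse_tr31_header(blk)
        print(name, hdr.key_usage, hdr.mode_of_use, hdr.exportability, check_key_policy(hdr) or "OK")
    base, ctr = parse_ksn("FFFF9876543210E00001")
    print("KSN base", base, "counter", ctr, "next", next_counter(ctr), "keys per KSN", usable_keys_per_ksn())
```

The policy table is the point of the header fields: TR-31's mode-of-use and exportability attributes are what let a key-loading service refuse a BDK marked exportable, or a PIN key that can also decrypt, before any key material is unwrapped. The counter arithmetic makes the DUKPT budget concrete as well: one initial key yields 1,048,575 transaction keys, after which the device needs a fresh KSN.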

3. Deploy strong application protection measures

Virtually all attacks on software applications start with the attacker reverse engineering the app's code to recover its structure and logic, then probing for flaws they can exploit by tampering with it. The PCI CPoC Standard is very clear on the importance of tamper resistance: section 2.1 outlines eight different measures that app publishers must comply with, including root and jailbreak detection and a requirement that an application which detects tampering stop accepting account data.

4. Get the testing right

To achieve and maintain certification, SoftPOS applications must undergo periodic, rigorous penetration testing. Engage an accredited testing lab versed in PCI compliance early; it can guide you through the certification process.

If you deploy a third-party anti-tampering or white-box cryptography solution, make sure it is also regularly subjected to penetration testing. New threats constantly emerge, and you want to be sure that your app's security mechanisms still provide the protection needed. Moreover, the PCI CPoC Standard requires software-based key protection mechanisms to be evaluated, at least annually, against current attack scenarios and vectors.

5. Keep on top of evolving regulations

As SoftPOS usage grows and the technology changes, the standards governing contactless transactions will continue to evolve. For PCI, the next update is expected to bring major additions, notably requirements for PIN protection on SoftPOS. Under the working title "Mobile Payments on COTS", it is expected to be published in the first half of 2022. Requiring PIN and card data to be protected by separate encryption adds a further layer to SoftPOS security implementations and will most likely call for discrete white-box deployments for each.

These changes and others will be the norm, so it is essential for app vendors in the SoftPOS sphere to have a security team or third-party vendor who can keep their product in compliance.

Choose the right partners for SoftPOS success

The current and potential growth of SoftPOS usage is great news for app developers in the field. However, risk reduction and trust between merchants, payment providers, and individual customers are paramount for product success and revenue security. These can be achieved by implementing robust security technology that keeps data and your customers safe and helps you comply with global industry regulations, while preserving a frictionless payment experience.

Intertrust’s whiteCryption application shielding and white-box cryptography solutions meet and exceed the highest standards for payment app security and compliance. With Secure Key Box, get white-box technology built for PCI certification, including out-of-the-box support for specifications such as changing the white-box implementation and cryptographic keys monthly, DUKPT key management, TR-31 key blocks, the separation of payment card and PIN cryptographic modules, and other key protection requirements. whiteCryption Code Protection embeds powerful anti-reverse engineering and anti-tampering protections into your SoftPOS app that go well beyond regulatory requirements.

To learn more about how whiteCryption application protection combined with Intertrust expertise can help you build a secure, compliant SoftPOS application more quickly, download our whitepaper or talk to our team.

*** This is a Security Bloggers Network syndicated blog from Intertrust Technologies - Security Blogs authored by Prateek Panda. Read the original post at: https://www.intertrust.com/blog/five-tips-to-build-a-compliant-softpos-app/