Lipa Payments • Sep 28, 2023

A Deep Dive into SoftPOS Security


We now live in a world where a software application can enable a smartphone to accept payments from contactless cards, mobile phones, and smartwatches. The shift from traditional hardware-based payment solutions to software-based solutions presents a big opportunity for micro-merchants but it also brings new challenges. The largest of those challenges is security.


Here's an in-depth overview of the security aspects of a SoftPOS solution:

1. Device Diversity and the "Untrusted Device" Paradigm:


SoftPOS solutions are designed to run on many models of smartphone, known as Commercial Off-the-Shelf (COTS) devices. These devices come with diverse hardware and software configurations, and the solution provider controls none of them, so it cannot rely solely on the security of the device or its mobile operating system. Consequently, the security approach for SoftPOS treats the mobile device as "untrusted": the software itself, together with its back-end, must provide robust protection against a wide range of potential threats, including a compromised operating system.


2. Security Testing and Evaluation:


Before SoftPOS solutions can start accepting payments, they undergo rigorous testing and security evaluations. These assessments are crucial to ensure that the software can withstand various forms of attacks, from malware and remote intrusions to physical access by malicious actors.


3. Industry Standards and Certification Bodies:


Two prominent industry bodies play a pivotal role in certifying and ensuring the security of SoftPOS solutions:


  • EMVCo manages the EMV specifications (EMV originally stood for Europay, Mastercard and Visa) and the associated testing and approval programmes. EMVCo focuses on ensuring that card payment solutions implement payment acceptance correctly and securely for the various card schemes.


  • PCI SSC (Payment Card Industry Security Standards Council) serves as a global forum for the development and adoption of data security standards in payment solutions. PCI SSC concentrates on payment data security, which is essential for secure transactions in the SoftPOS world.


4. EMVCo SoftPOS Certifications:


  • EMV L2: This certification addresses the payment application's ability to implement payment acceptance correctly on COTS devices. Two components are evaluated:
    ◦ The App/SDK: the payment acceptance application or SDK that contains the payment kernels used to process the card schemes supported by the SoftPOS application.
    ◦ The back-end system: handles the actual payment transaction and includes the attestation and monitoring server used for security management.


The security evaluation assesses whether the two components work together to perform regular checks on the security status and integrity of the solution and, where necessary, mitigate any detected threats. These checks include, but are not limited to, detection of device tampering, rooting, debug mode, emulation and malware, protection against side-loading of modified builds, and device binding (tying an enrolled instance of the payment application to the specific device it was enrolled on, so that its credentials cannot be lifted and used elsewhere).


  • EMV L3: Assesses and verifies the compatibility of an EMV-compliant payment acceptance terminal with merchant or bank systems, ensuring it can successfully process end-to-end transactions. This testing is crucial to guarantee that any newly developed or upgraded terminal, whether it involves hardware, software, or both, meets the specific requirements of the various payment systems involved in a live transaction.


5. PCI SSC SoftPOS Certifications:


  • PCI-DSS: The Payment Card Industry Data Security Standard (PCI DSS) was developed to help standardise payment card account data security. PCI DSS provides a baseline of technical and operational requirements designed to protect account data or cardholder data. PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment account processing – merchants, processors, acquirers, issuers, and other service providers.


  • PCI-PIN Security Standard: Contains a complete set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and point-of-sale (POS) terminals.


  • PCI MPoC: The PCI MPoC Standard is a recently developed specification aimed at addressing the growing demand for secure, faster, and more seamlessly integrated payment processing solutions. This new PCI MPoC standard takes the existing scenarios covered by the PCI Contactless Payments on COTS (CPoC) and PCI Software-based PIN entry on COTS (SPoC) standards and expands upon them, introducing fresh payment capabilities and certification methods. Notably, it introduces the ability to conduct PIN-based transactions without the need for an extra security device attached to the merchant's smartphone. The existing SPoC standard pertains to tools that utilise an external card reader combined with a mobile device for accepting a cardholder's PIN. The CPoC standard, on the other hand, applies to technology that utilises the near-field communication (NFC) receiver in a COTS device but does not allow the cardholder to input a PIN. MPoC encompasses both of these use cases while also introducing additional flexibility for solution implementation.


6. Monitoring and Attestation 


SoftPOS solutions require a monitoring and attestation system so that any intrusion or tampering on a terminal is identified quickly, protecting every transaction. Solutions must implement comprehensive mechanisms to assess each SoftPOS terminal's health (including device temperature), security posture and root status, among other factors, and must be able to act on the result, for example by refusing transactions from a terminal that fails attestation. Real-time reporting, remote management and device access enable efficient device management and strengthen overall security.
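To make the attestation checks from section 4 and the monitoring described above concrete, here is an added illustration of the back-end side of an attestation exchange. It is example code written for this article, not Lipa Payments' SDK or attestation server, and it deliberately simplifies: the device-bound key is an HMAC secret (a real solution would use a hardware-backed asymmetric key where the device offers one), the threat signals are assumed to have been gathered by the app, and all device identifiers, keys and build hashes are constructed sample values. What it shows is how device binding, replay protection, freshness, build integrity and the root/debug/emulator signals combine into a single allow-or-block decision per transaction.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data for this illustration; not real keys, builds or hashes.
# Device binding: at enrolment each terminal gets a per-device secret that stays on
# the device (ideally in hardware-backed storage); the server keeps its copy.
DEVICE_KEYS = {
    "term-0001": b"enrolment-secret-term-0001",
    "term-0002": b"enrolment-secret-term-0002",
}
# Allow-listed digest of the signed release build; anything else is treated as a
# tampered or side-loaded application.
RELEASE_BUILD = b"example-softpos-release-1.4.2"
TRUSTED_APP_HASHES = {hashlib.sha256(RELEASE_BUILD).hexdigest()}
# Boolean signals the app/SDK collects; any True value blocks the transaction.
THREAT_SIGNALS = ("rooted", "debuggable", "emulator", "hooking_framework", "malware")
MAX_REPORT_AGE_S = 60


def canonical(report):
    """Canonical JSON so app and server MAC exactly the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device_id, report, device_keys=DEVICE_KEYS):
    """App/SDK side: MAC the report with this terminal's device-bound key."""
    return hmac.new(device_keys[device_id], canonical(report), hashlib.sha256).hexdigest()


def make_report(device_id, nonce, ts=None, app=RELEASE_BUILD, **signals):
    """App/SDK side: gather the security status into one report."""
    report = {"device_id": device_id, "nonce": nonce,
              "ts": time.time() if ts is None else ts,
              "app_hash": hashlib.sha256(app).hexdigest()}
    for name in THREAT_SIGNALS:
        report[name] = bool(signals.get(name, False))
    return report


class AttestationServer:
    """Back-end side: challenge, verify and decide (illustration only)."""

    def __init__(self, device_keys=DEVICE_KEYS, now=time.time):
        self.device_keys = device_keys
        self.now = now
        self.pending = {}  # nonce -> device_id it was issued to

    def issue_nonce(self, device_id):
        """Challenge: a fresh nonce ties the next report to this request."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = device_id
        return nonce

    def verify(self, report, tag):
        """Return (allowed, reasons). Hard failures stop at the first check."""
        device_id = report.get("device_id")
        key = self.device_keys.get(device_id)
        if key is None:
            return False, ["unknown device"]
        # Device binding + integrity: only the enrolled key for this device_id verifies.
        expected = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, ["bad MAC: report not from the enrolled device"]
        # Replay protection: nonce must be outstanding for this device, and is consumed.
        if self.pending.pop(report.get("nonce"), None) != device_id:
            return False, ["unknown or reused nonce"]
        # Freshness: a stale report could hide a change of device state since it was made.
        if abs(self.now() - report.get("ts", 0)) > MAX_REPORT_AGE_S:
            return False, ["stale report"]
        reasons = []
        if report.get("app_hash") not in TRUSTED_APP_HASHES:
            reasons.append("untrusted build (tampered or side-loaded app)")
        reasons += [f"threat signal: {s}" for s in THREAT_SIGNALS if report.get(s)]
        return (not reasons), reasons


def demo():
    """Run the checks over constructed scenarios; returns {scenario: (allowed, reasons)}."""
    srv = AttestationServer()
    out = {}
    # 1. Healthy, enrolled terminal running the release build.
    rep = make_report("term-0001", srv.issue_nonce("term-0001"))
    out["clean"] = srv.verify(rep, sign_report("term-0001", rep))
    # 2. Replay of the accepted report: nonce already consumed.
    out["replay"] = srv.verify(rep, sign_report("term-0001", rep))
    # 3. Rooted device with a debugger attached.
    rep = make_report("term-0001", srv.issue_nonce("term-0001"), rooted=True, debuggable=True)
    out["rooted"] = srv.verify(rep, sign_report("term-0001", rep))
    # 4. Side-loaded / modified build.
    rep = make_report("term-0001", srv.issue_nonce("term-0001"), app=b"patched-build")
    out["tampered_app"] = srv.verify(rep, sign_report("term-0001", rep))
    # 5. Report built with term-0002's key but presented as term-0001: binding fails.
    rep = make_report("term-0001", srv.issue_nonce("term-0001"))
    out["wrong_device"] = srv.verify(rep, sign_report("term-0002", rep))
    # 6. Old report presented an hour later.
    rep = make_report("term-0001", srv.issue_nonce("term-0001"), ts=time.time() - 3600)
    out["stale"] = srv.verify(rep, sign_report("term-0001", rep))
    return out


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:13s} {'ALLOW' if allowed else 'BLOCK':5s} {'; '.join(reasons)}")
```

Two design points carry over to a production system regardless of the primitives used: the server, not the app, issues the nonce, so an attacker who captures one valid "clean" report cannot replay it later once the device has been rooted; and the hard failures (unknown device, bad MAC, reused nonce, stale timestamp) are checked before the soft signals, because a report whose origin cannot be trusted says nothing useful about the device's state.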


SoftPOS solutions have evolved to offer a flexible and versatile way of accepting payments using mobile devices. Security remains paramount in this space. With certifications from EMVCo and the PCI SSC, solutions are robust, capable of withstanding threats, and compliant with industry standards. This commitment to security is essential to maintain customer trust and confidence in the ever-evolving world of digital payments. At Lipa Payments, we handle all necessary certifications, so that when you white-label our solution or use our SDK, you can do so with confidence that the security and compliance requirements have already been addressed.


Try our Lipa SoftPOS payment system today to see how easy it is to use, or contact us for a personalised consultation and we will help you get started with digital payments.
