How Guardsquare Helps Apps Comply with PCI Contactless Payments on COTS (CPoC) Requirements

Contactless payments are a convenient and fast way to pay by simply waving a banking app on a mobile device or a near-field communications (NFC)-enabled card near the merchant’s device at checkout. In the past, merchants needed a dedicated terminal to accept these types of payments securely, which limited the technology from taking off more broadly. 

Now, merchants can use commercial tablets or smartphones to accept these payments. To do so securely, the PCI Security Standards Council (PCI SSC) introduced standards in December 2019 for contactless payments on commercial off the shelf (COTS) devices (otherwise known as PCI CPoC). While these standards can seem daunting for mobile app developers, Guardsquare solutions support and improve the compliance of CPoC applications, the contactless kernel, and the CPoC API. We’ll explore that more in this post.

How Guardsquare can help with PCI CPoC

Our software – including DexGuard (Android), iXGuard (iOS), and ThreatCast – provides code hardening, tampering protection, and real-time threat monitoring to comply with specific aspects of the PCI CPoC. For example:

• Obfuscation is relevant in protecting the code that handles and stores credit card information 
• Runtime application self-protection (RASP) can protect payment apps against malicious users and execution in unsafe environments 
• Threat monitoring can provide real-time alerts of suspicious activity and malicious users.

Guardsquare solutions meet a series of PCI CPoC technical guidelines for contactless payment apps, merchant-facing COTS devices (the contactless kernel) and the CPoC API, within sections two and five. Guardsquare also invests in keeping its solutions updated against the latest attack scenarios and vectors. Specific areas of compliance are explained below:

2.1 Tamper and Reverse-engineering Protection

This requirement involves setting up the proper protections against tampering and reverse-engineering for the contactless mobile application, contactless kernel, and associated APIs. This protection prevents bad actors from interfering with transactions.

Guardsquare solutions help organizations meet this requirement in a variety of ways. Mobile application hardening applies multiple types of obfuscation and encryption techniques, as well as protects against runtime attacks. Specifically, Guardsquare solutions provide:

• An extensive range of measures to achieve tamper-resistance in the application code executed on the mobile COTS device. 
• Protection against execution in unsafe environments, such as rooted or jailbroken devices, where the isolation between processes may be compromised. 
• A way to terminate the execution of an application when it fails tampering checks. 
• A back end monitoring system (ThreatCast) to detect app threats and attacks in real time.
• Documentation on the types of code obfuscation and anti-tampering checks that are performed to achieve tamper-resistance.

2.2 Software-Protected Cryptography

This requirement applies to protecting cryptographic operations and sensitive data through software protections. Software-based cryptography methods are used to protect sensitive data so that it cannot be extracted from the device. All code obfuscation and anti-tampering measures that Guardsquare solutions provide can be applied to the software-based cryptography methods implementations. 

2.5 Secure Application

For the CPoC application to be considered secure, it has to be designed, developed, and maintained to ensure the integrity of payment transactions, as well as the confidentiality of all sensitive data. Guardsquare solutions help improve compliance to this requirement through environment safety checking and protection against dynamic attacks, which provides additional hardening on top of the basic protection provided by the device operating system. Guardsquare solutions also provide a data protection capability, which decrypts secret data dynamically before use. Developer documentation exists to help meet this compliance requirement, as well.

2.6 Secure Provisioning

The objective of this requirement is to make sure that the official application the developer has produced reaches the merchant. Guardsquare helps achieve compliance with Secure Provisioning through the following:

• Guardsquare solutions offer extensive application integrity checking to make sure that the payment application has not been modified since it was signed by the development team. If the application has been tampered with, it will not run on the merchant’s device.

• Guardsquare solutions support PCI CPoC requirements for developers to sign applications with a secure key.
• Downloading applications from third-party app stores on iOS requires a jailbroken device. Guardsquare’s jailbreak protection prevents protected applications from running on jailbroken devices, effectively preventing the use of third-party stores.

2.7 Audit Logs

This requirement is focused on providing the proper audit logs in case of an audit or forensic investigation. Guardsquare solutions generate mapping files for the obfuscated source code. This enables the applications to produce logs that do not contain sensitive code data, but, at the same time, support reconstructing this data on the developer’s side.

5.1 Contactless Kernel Security Requirements

For contactless payments to be conducted securely, the merchant’s device, or contactless kernel, must maintain its integrity, as well as the confidentiality of sensitive data transmitted through it. Guardsquare solutions provide software obfuscation and anti-tampering functionality to help meet this requirement.

Conclusion

As contactless payment applications play an increasingly central role in payments, app security and compliance become imperative for all stakeholders involved. Our security software helps ensure the overall effectiveness of your IT security architecture by safeguarding both the mobile endpoint and the merchant’s contactless kernel. Ensuring app and platform integrity, through preventing reverse engineering and tampering, is also key in meeting multiple security points listed in PCI CPoC.