Smartphones have indisputably changed how consumers pay for goods and services. By 2026, more than 60% of consumers worldwide will use mobile wallets and payment apps, such as Apple Pay, Google Pay, and Samsung Pay.
It isn’t just consumers who enjoy the ease and convenience of mobile financial transactions. Merchants are also shifting their payment processing to mobile through Software Point of Sale (SoftPOS) technology. Unlike traditional POS devices or even “dongles,” like Square, where consumers swipe or tap their payment cards on a terminal or other device, SoftPOS doesn’t require additional hardware. Today, all a merchant needs is an NFC-enabled mobile device (like a smartphone or a tablet) and a mobile POS app to sell goods and/or services to its customers.
By 2027, more than 34.5 million merchants will use SoftPOS technology to accept customer payments. With the increase in popularity, these mobile applications and devices are quickly becoming prime targets for malicious actors. Merchants using these might be subject to man-at-the-end (MATE) attacks, POS malware, and man-in-the-middle (MiTM) attacks, among others.
To account for this shift in the industry and evolving threat vectors, the Payment Card Industry (PCI) has designed a security standard called PCI MPoC. Developers of mobile applications with SoftPOS functionality must become familiar with and comply with the requirements outlined in PCI MPoC to avoid costly risks.
Before diving into the PCI standard designed for SoftPOS applications, let’s quickly review the many industry-specific acronyms:
The Payment Card Industry (PCI) standards govern how cardholder data — card numbers, PINs, and personally identifiable information (PII) — is used throughout a financial transaction. In 2022, the organization released PCI Mobile Payments on COTS (MPoC), where COTS stands for commercial off-the-shelf devices such as consumer smartphones and tablets; it outlines the latest security requirements for SoftPOS apps.
“The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.”
This standard is changing how mobile payment app developers approach security because it’s more objective-based rather than prescriptive. While it provides minimum resiliency requirements, it leaves the “how” up to developers. This results in greater flexibility in both the SoftPOS applications’ design and the security measures implemented.
Because SoftPOS payments don’t require a physical point-of-sale terminal or external card reader that plugs into a mobile device, using them removes a degree of separation between the threat actor and the SoftPOS app. There is no intermediary device for the threat actors to target, so instead, they target the mobile application directly.
Lack of compliance with PCI MPoC standards may signify the presence of vulnerabilities that could expose the mobile application, the merchant, and the customer to attack. Credit card fraud, brandjacking, and data theft are just some possible outcomes that can erode trust and damage the mobile app’s brand. The financial implications can be severe, including loss of revenue, compounding chargeback fees, and regulatory fines.
Additionally, major credit card companies, like VISA and Mastercard, are pressuring mobile payment app providers to secure their apps against reverse engineering or tampering through PCI MPoC certification. Depending on the situation, either the credit card company or the merchant is responsible for refunding a fraudulent transaction and any related chargeback fees. Regardless of who foots the bill, fraudulent transactions can damage the reputation of both the merchant and the credit card company — so it’s in everyone’s interest to avoid them.
Merchants should implement mobile payment processing applications that can protect them against fraud. Mobile SoftPOS apps that obtain stringent PCI MPoC compliance certification demonstrate commitment to protecting their end users from fraudulent transactions and compliance with regulatory requirements. For these reasons, mobile app security is both a compliance requirement and a strategic imperative for mobile payment app providers.
SoftPOS applications process large quantities of sensitive data — personally identifiable information (PII), bank account information, transaction-related data, and so on — which can be stolen or exploited for fraudulent transactions. PCI MPoC’s primary objective is to safeguard that sensitive data, which requires robust protection mechanisms. Specifically, MPoC requires this sensitive data to be encrypted as soon as it's available in the app, and each payment transaction needs to be encrypted with a unique encryption key.
These measures include (but aren’t limited to):
A SoftPOS application is vulnerable to reverse engineering and tampering without these protections. If successful, a threat actor may gain access to what they need to escalate their permissions, modify the app, execute “brandjacking,” make fraudulent transactions, steal sensitive information, and more.
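The per-transaction key requirement above, worked through as an added example (not Guardsquare's or the page's code): a fresh AES-256-GCM key is derived from a master key and the transaction ID with HKDF, card data is sealed the moment it is read, and the transaction ID is bound as associated data so a blob cannot be replayed under another transaction. The master key, the HKDF label and the transaction ID format are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// hkdfSHA256: minimal HKDF (RFC 5869) extract-and-expand for one 32-byte block,
// built on the standard library so the example runs offline.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // PRK keys the expand step
	exp.Write(info)
	exp.Write([]byte{0x01}) // counter of the first (and only) output block
	return exp.Sum(nil)
}

// DeriveTxnKey binds an AES-256 key to one transaction ID, so no two transactions
// share a key even when they carry identical card data. A real app would keep the
// master key in hardware-backed storage (assumption; the label is constructed).
func DeriveTxnKey(master []byte, txnID string) []byte {
	return hkdfSHA256(master, []byte("softpos-txn-key-v1"), []byte(txnID))
}

// TxnAEAD returns AES-256-GCM keyed with the per-transaction key; the backend
// runs the same derivation to open the blob.
func TxnAEAD(master []byte, txnID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveTxnKey(master, txnID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCardData seals card data as soon as it is read from the NFC interface.
// txnID is bound as associated data, so the blob fails to open under any other
// transaction. Output layout: nonce || ciphertext || GCM tag.
func EncryptCardData(master []byte, txnID string, card []byte) ([]byte, error) {
	gcm, err := TxnAEAD(master, txnID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, card, []byte(txnID)), nil
}
```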
Guardsquare’s DexGuard and iXGuard provide comprehensive static and dynamic protection through multiple layers of code hardening. Our runtime application self-protection (RASP) injections include the most advanced strategies, including entry point, checkpoint, and spray injection techniques, as well as configurable app termination when a check is triggered.
Both tools are compiler-based, meaning they provide more robust protection than app shielding or wrapper solutions.
Threat monitoring comes into play after a mobile app has been released to the market and provides information about what threats the app faces in real time. Not only does it track what protection mechanisms are being triggered, but it should also gather information on the threat actors themselves, the device and method they use to perform their attack, what version of the app is being attacked, and so on.
Within the context of PCI MPoC, threat monitoring is part of the broader attestation and monitoring requirements. The backend attestation process additionally tests the integrity of the COTS device and the app for signs of tampering, while the monitoring requirements cover both the correct execution of the attestation process and the behavior of the client-side app while it is in use.
Guardsquare's RASP combined with ThreatCast real-time threat monitoring can be used as a critical feeder service for the broader attestation and monitoring solution. With ThreatCast's data integration capabilities, the attestation and monitoring solution can safely be fed, in real time, with detected app and device integrity violations.
This threat monitoring data can be used to:
ThreatCast allows developers to customize filters for specific threat vectors. When malicious activity triggers these filters, ThreatCast uses webhooks to send this data to a selected endpoint. In this case, that would be the required attestation and monitoring solution.
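The feeder-service flow above, as an added example that is not Guardsquare's or ThreatCast's code: the attestation and monitoring backend receives a webhook, verifies a shared-secret HMAC over the body before trusting it, records the violation against the app instance, and then fails attestation for that instance. The payload fields, the signature scheme and the instance identifier are assumptions for illustration, not ThreatCast's real webhook schema.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"sync"
)

// ThreatEvent is an assumed payload shape for a detected integrity violation (constructed).
type ThreatEvent struct {
	InstanceID string `json:"instance_id"` // app installation being attested
	AppVersion string `json:"app_version"` // which build was attacked
	Detection  string `json:"detection"`   // e.g. "tamper_detected", "debugger_attached"
}

// AttestationStore records which app instances monitoring has flagged.
type AttestationStore struct {
	mu      sync.Mutex
	flagged map[string][]string // instanceID -> detections seen
}

func NewAttestationStore() *AttestationStore { return &AttestationStore{flagged: map[string][]string{}} }

// IngestWebhook verifies the body against a shared-secret HMAC-SHA256 (assumed scheme)
// before trusting it, then records the violation against the app instance.
func (s *AttestationStore) IngestWebhook(secret, body []byte, sigHex string) error {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	sig, err := hex.DecodeString(sigHex)
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("webhook signature invalid; event ignored")
	}
	var ev ThreatEvent
	if err := json.Unmarshal(body, &ev); err != nil || ev.InstanceID == "" {
		return errors.New("malformed event")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.flagged[ev.InstanceID] = append(s.flagged[ev.InstanceID], ev.Detection)
	return nil
}

// Attest answers the backend attestation question: a flagged instance fails
// attestation, so its transactions should not be approved.
func (s *AttestationStore) Attest(instanceID string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.flagged[instanceID]) == 0
}
```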
PCI MPoC requires app publishers to establish a secure SDLC to support the design, development, and release of SoftPOS solutions. One of the most important components of an SDLC is security testing that sweeps the app’s code and third-party libraries after each build in search of vulnerabilities, such as exposed encryption keys. By resolving issues early, developers improve the app’s security posture, avoiding dependencies on faulty components and costly impediments just before publication.
Specifically, MPoC requires SoftPOS app vendors, or third parties acting on their behalf, to:
AppSweep, Guardsquare’s free mobile app security testing product, integrates seamlessly into the development process by allowing SoftPOS developers to scan their app after each build within their CI/CD pipelines. It automatically analyzes the app’s code and dependencies, including third-party, open-source, or shared components, to identify security issues that threat actors could exploit. AppSweep provides an inventory report of all detected vulnerabilities, together with actionable recommendations, helping developers remediate identified risks quickly and effectively.
This FinTech company serves retail, transportation, and hospitality businesses. In 2022, they launched a SoftPOS mobile application that allows merchants to accept contactless payments via their NFC-enabled Android devices. The company knew it needed to implement robust security measures to protect its customers from fraudulent transactions and data theft and to meet stringent compliance requirements.
DexGuard allowed the company to meet PCI MPoC and other relevant compliance requirements. DexGuard gave them peace of mind, and the company estimated it saved them the work of two to three full-time developers who would be required to maintain the same level of security.
The increase in SoftPOS popularity with merchants — and subsequent shifts in threats and security standards — means mobile payment app publishers must adapt accordingly.
Guardsquare empowers developers to integrate security into every facet of the development lifecycle while also monitoring and proactively responding to emerging threats in real time. Together, these tools provide a holistic approach to improving mobile app security and meeting PCI MPoC requirements.