March 26, 2024

    How to Secure SoftPOS Mobile Apps to Comply with PCI MPoC

    Key takeaways

    • MPoC certification requires real-world attack resilience that goes beyond what mobile OS security alone can provide.
    • Achieving MPoC certification requires mobile app protection that makes potential attacks highly resource-intensive and difficult to complete.
    • Maintaining PCI MPoC compliance requires annual security assessments. Failure to maintain compliance means delisting from the certified product list and losing major credit card acceptance. 
    • Watch the full webinar now

    Introduction

    Digital wallets and SoftPOS (software point-of-sale) apps are exploding in popularity, offering a future of frictionless payments. With a projected 475% growth by 2027, SoftPOS use is poised to dominate payment acceptance in brick-and-mortar retail shops. However, this convenience comes with a security challenge: SoftPOS runs on smartphones, which are vulnerable to attack. Robust security measures are essential to keep user financial data safe.

    The PCI MPoC standard addresses this by mandating strong security practices for SoftPOS apps. This blog post, summarizing a recent webinar presented by Guardsquare and Riscure, gives developers the knowledge they need to navigate the complexities of PCI MPoC compliance, the certification lifecycle, and the mobile application protection requirements.

    MPoC was designed to protect against real threats

    Smartphones have become ubiquitous, offering apps for every need, including business functions. Merchants can now ditch hardware at their point-of-sale (POS and mPOS) in favor of mobile apps on phones or tablets (SoftPOS). However, these devices weren't originally designed for secure payment processing.


    The PCI MPoC standard addresses this very concern. It recognizes that commercial off-the-shelf (COTS) devices like smartphones and tablets are inherently untrusted. App developers must assume an attacker could gain full access to the software running on any unknown or compromised device.


    Merchant mobile POS (SoftPOS) apps face several risks. Malicious actors can use:
    • Fake apps: These disguised apps trick users into installing malware that steals credit card credentials from customers.
    • Tampered/Cloned apps: Threat actors can modify legitimate apps to steal data.
    • Man-in-the-Middle (MitM): Threat actors can intercept communication between the SoftPOS app and payment servers.

    To protect against these attacks and many other Man-at-the-End (MatE) attacks that could result in fraud, the Payment Card Industry Security Standards Council (PCI SSC), backed by major credit card networks, mandates compliance with the PCI MPoC security standard for SoftPOS apps.


    The MPoC standard is modular, covering every aspect of a secure mobile payment solution. This includes:

    • The merchant's mobile app (SoftPOS): Used for collecting payments.
    • Back-end systems: Monitor and verify financial transactions on the SoftPOS.
    • SDKs and their integration: Guidelines for secure integration of software development kits into the app.

    The MPoC standard supports a diverse range of players in the mobile payment ecosystem:

    • SDK developers: Focus on secure SDK development.
    • Application developers: Build secure SoftPOS apps.
    • Attestation and monitoring providers: Offer services for verifying app integrity and monitoring transactions.
    • Full solution providers: Develop and manage the entire mobile payment solution.

    Core requirements apply to everyone, but the webinar by Guardsquare and Riscure specifically addressed those relevant to mobile apps and SDKs used in SoftPOS solutions. To fulfill these requirements, SoftPOS apps need additional app protection that goes beyond the functionality offered by mobile operating systems like Android. Guardsquare's approach to mobile app protection ensures ongoing resilience for your SoftPOS apps and SDKs and helps you comply with MPoC requirements.

    Beyond one-time threats: MPoC tests scalable attacks

    Traditional security compliance assessments often have limitations. They might rely on checklists or theoretical vulnerabilities, not reflecting real-world attack scenarios. The PCI MPoC standard addresses this by incorporating practical attack simulations. Here is how it works:

    Pre-launch security evaluation

    Before releasing your SoftPOS app, certified labs like Riscure perform a thorough penetration test. This involves simulating real attacker tactics to identify weaknesses. Imagine a threat actor trying to compromise your app – the test replicates those attempts.

    Scoring resilience


    Based on how well your app defends itself during the simulated attack, it receives a score. Factors considered include:

    • Attack difficulty: How much expertise does a threat actor need to attack your SoftPOS? A complex attack requiring high skill would score as lower risk.
    • Attack time: How long does it take to successfully compromise the app? A quicker attack signifies higher risk.
    • Attack scalability: Can the attack be easily automated and repeated on multiple apps or app versions? A scalable attack is more concerning.

    To be MPoC certified, your SoftPOS app needs a minimum score of 25 points on every simulated attack. This score demonstrates that your app can withstand a significant level of attack effort. Here's where choosing the right security approach matters:


    The importance of robust security solutions

    Simple solutions won't suffice. Avoid basic "one-click" wrappers: attackers can easily bypass them and scale the attack quickly. On a PCI MPoC penetration test, your app would lose up to 12 points, making it extremely difficult to reach the 25-point threshold for certification.

    Compiler-based protection offers a stronger defense. Consider solutions that integrate protection at a deeper level (the compiler) within your app's code. This approach makes it much harder for attackers to circumvent and more complex to scale. These solutions can also be applied to both your SoftPOS apps and any SDKs.

    MPoC certified? Great! Now stay compliant

    While PCI MPoC certification lasts for three years, it's not a one-time achievement. To maintain this valuable security certification, annual assessments are crucial.


    This ensures your SoftPOS app keeps pace with the evolving threat landscape.

    Why maintaining MPoC matters

    Loss of certification: Failing to maintain compliance can lead to being delisted from the official MPoC certified product list. This can significantly impact your business, as major credit card processors often require MPoC certification for mobile payment acceptance.

    Protect against the latest threats: The threat landscape is constantly shifting. Threat actors develop new techniques, so your mobile app's security needs to adapt and evolve as well. Annual MPoC assessments ensure your app remains protected against the latest attack methods.

    Maintaining MPoC with confidence: Guardsquare's products

    Guardsquare offers products to help you achieve and maintain MPoC compliance.

    DexGuard (Android) & iXGuard (iOS):

    MPoC certification demands robust security. Guardsquare's mobile app protection products go beyond basic OS measures by hardening your app with a compiler-based approach. This multi-layered defense makes it extremely difficult for attackers to:

    • Reverse engineer your SoftPOS: Trying to reconstruct your app's code becomes a lengthy and extremely time-consuming challenge.
    • Tamper with your SoftPOS: Modifications for malicious behavior are easily detected.
    • Scale up attacks against your SoftPOS: Complex protection hinders automated attacks.

    AppSweep:

    This automated testing product provides continuous feedback on your mobile app's security posture. It identifies vulnerabilities and gives proactive recommendations so you can fix them before attackers can exploit them. This the pentesting needed to score the resiliency of your SoftPOS app according to the MPoC attack scoring framework.

    ThreatCast:

    This real-time threat monitoring product keeps an eye on your app after it's deployed. It detects suspicious activity and potential attacks in real-time, providing your development team with insights to mitigate risks in future builds.

    Interested to learn more about PCI MPoC compliance?

    Watch the webinar now
