How Mobile App Security Standards Can Protect SoftPOS During the Shopping Season

The holiday season is here with people flocking to stores, kiosks, and pop-ups in search of the best deals on gifts for family, friends, and maybe even themselves. When it’s time to pay, many shoppers will tap their card, mobile wallet, or a banking app to a mobile device — also known as a Software Point of Sale (SoftPOS).

SoftPOS allows merchants to accept payments using a smartphone. It doesn’t require a physical card reader, but instead the phone’s near-field communication (NFC) technology to gather the card or mobile app data.

With a global market value of $248.5 million in 2022 and an estimated value of more than $1 billion in 2030, SoftPOS’s popularity with merchants is clear. In fact, the payment technology has several advantages that make it more attractive than traditional POS systems:

• Affordability: SoftPOS does not require additional hardware, such as a POS terminal or card reader. Merchants can just use their own smartphone.
• Portability: Merchants can accept payments anywhere they have their phone or tablet, which is especially convenient for small business owners that operate in multiple locations.
• Integrability: SoftPOS can be integrated with existing point-of-sale software. Merchants can switch to SoftPOS without having to change their entire POS system.

While SoftPOS has many advantages, it’s important for the SoftPOS makers to consider the risks the technology poses for merchants and buyers. For example, if a SoftPOS device is compromised, attackers could steal sensitive customer data, such as credit card numbers and PINs.

Mobile application security standards can help to mitigate these security risks with guidance on how to develop and deploy secure mobile applications to accept payments on smart devices. Created by industry experts, they also cover a wide range of topics, such as data, device, and application security as well as authentication, authorization, and transaction monitoring.

By implementing mobile app security standards, SoftPOS app publishers help merchants to protect their customers' data and reduce the risk of fraud.

Why are mobile app security standards important for SoftPOS applications?

Top threats to merchants and their SoftPoS systems

Once an app is published, it’s out of the publishers’ control and potentially in the hands of malicious third parties. This type of threat is known as man-at-the-end (MATE), and it makes smart devices like phones and tablets untrustworthy.

Because of this vulnerability to MATE attacks, markets with the most to lose from MATE threats — such as financial institutions — were among the first to create and require security standards. After all, financial breaches can leak sensitive customer data resulting in fraud.

Additionally, according to research by the European Union Agency for Cybersecurity (ENISA), merchants' SoftPoS mobile apps used in retail shops may be subject to one or more of the following threats:

• POS malware, which can be uploaded to SoftPOS contactless payment terminals by exploiting security weaknesses, such as rooted or jailbroken phones. Once installed, the malware can steal payment data, including EMV credit card data.
• Man-in-the-middle (MiTM) attacks that can be carried out against the POS contactless terminal and POS server connections by exploiting vulnerabilities in the contactless communication channel or by not using SSL/TLS encryption. Attackers may also attempt to exploit network security weaknesses, vulnerabilities, and misconfigurations in POS software.

MiTM attacks and POS malware can be addressed by implementing the proper mobile app security solutions, as described in the section on applying mobile app security standards.

How security standards can help SoftPos app publisher businesses thrive

The major benefits of adopting security standards include:

• Ensuring quality and reliability in your application’s security measures based on the latest, proven best practices.
• Assisting app publishers in meeting and maintaining internal compliance requirements.
• Mitigating risk and avoiding the negative impact of security threats, such as revenue and reputation loss, and regulatory fines.

Due to the customer financial data collected from each transaction, the need for security standards and the benefits of implementing them also apply to SoftPOS. In response, credit card companies introduced security requirements that SoftPOS developers must comply with in order to accept credit card payments.

The PCI Security Standards Council, a trade association formed by the major credit card companies — American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. — has issued a series of security standards to cover mobile payments on commercial-off-the-shelf (COTS) devices like phones and tablets used by merchants as SoftPOS.

Common security standard misconceptions for SoftPOS app developers

In addition to believing that standards rarely change or can be applied once, there are three other common misconceptions around mobile app security standards that impact SoftPOS app developers:

• Misconception: Meeting compliance with external privacy regulations will meet your SoftPOS app’s security needs
• Truth: While privacy regulations like GDPR play a vital role in security user data, they don’t offer holistic security recommendations to protect against threat actors. Threat actors aren’t just after user data or confidential information — malicious motivations for attacks run the gamut, from fraud to intellectual property theft.
• Misconception: MPoC supersedes previous PCI standards like SPoC and Contactless Payment on COTS (CPoC)
• Truth: While it is reasonable to expect that the MPoC will eventually supersede all of the previous standards, especially since it comprises use cases covered by PCI’s SPoC and CPoC standards, all three of the standards remain valid.
• Misconception: Mobile operating systems like iOS offer enough security to make MPoC-compliant SoftPOS
• Truth: MPoC uses a scoring system to evaluate whether a mobile app complies with MPoC requirements. App developers earn points for each layer of security they add to their SoftPOS apps. Mobile operating systems offer some capabilities, such as the trusted execution environment, that can help developers increase their security score. However, without adopting app protection, it is impossible to earn enough points to comply with MPoC.

With these misconceptions in mind, it’s important that SoftPOS mobile app developers and their security teams consider where these viewpoints may be impacting the overall security of their apps, and how to begin applying the right security standards.

How should I apply mobile app security standards for my SoftPOS?

Released in 2022, the MPoC standard combines elements of both the CPoC and the SPoC standard. SPoC applies to tools using an external card reader and paired with a mobile device that accepts a PIN, while the CPoC standard covers NFC payments that don’t require a PIN . MPoC includes both the use cases of SPoC and CPoC and, most notably, it allows for PIN entry for COTS NFC payments without the need of external card readers.

The PCI considers MPoC as a modular and objective-based security standard. According to the standard, mobile app publishers “are expected to possess a robust risk-management practice as an integral part of their ‘business-as-usual’ operational process.” This supports a holistic mobile app security strategy that extends beyond MPoC’s requirements.

MPoC’s security recommendations are broken down into:

• Security objectives: High-level, intentionally broad objectives that allow for flexibility in how app publishers and security experts achieve them
• Security requirements: The specific security controls or activities that should be implemented to support the overarching security objective
• Test requirements: The tests needed to validate the security requirements
• Guidance: Additional information that PCI provides to help app publishers and security experts understand the intent behind the security requirements

Here are some of the requirements for developing secure SoftPOS applications according to the standard:

• Secure software development lifecycle (SDLC): Ensuring that vulnerabilities are discovered quickly and earlier in the development of the app reduces remediation costs and pentesting efforts down the line.
• App protection: Adding software protection mechanisms to the mobile app to help it maintain its integrity against attacks. This includes using techniques such as code obfuscation, encryption, and tamper detection to protect the app from tampering, reverse-engineering attempts or modification.
• Secure communication: Ensuring financial data being securely shared with back-end systems. This includes using encryption and other security measures to protect sensitive payment data from being intercepted or stolen.
• App attestation and monitoring: Collecting and sending app attestation data to back-end systems. This information can be used to identify and prevent fraudulent transactions.

When adopting the MPoC standard, SoftPOS merchants should also pay attention to the suggested frequency for certain requirements and tests. For example, some security requirements should be performed daily while others only annual. PCI also recommends that you consider the individual needs of your business when defining frequency.

How Guardsquare helps SoftPOS app publishers

Whether your SoftPOS app is required to meet and maintain compliance standards or not, it’s best to work with an industry-recognized mobile app standard like PCI’s MPoC. Doing so provides your app with a baseline for security and benchmarks to ensure that your app is protected against the most relevant attacks in the current threat landscape.

In the same way that standards like MPoC provide an efficient approach to security, using the right tools to implement the standards is also key. Guardsquare’s DexGuard and iXGuard solutions offer automated, comprehensive mobile app protection for Android and iOS apps with multiple layers of code hardening and RASP. These solutions obfuscate sensitive app data and code, making it harder for attackers to reverse engineer the SoftPOS, extract sensitive payment data, or modify the app to commit fraud.

Guardsquare also offers AppSweep, a free mobile app security testing product that helps SoftPOS app developers meet MPoC’s requirement of securing the SDLC. AppSweep accomplishes this by routinely scanning apps during the development process, identifying potential security issues early, and providing recommendations for correcting them.

Accomplishing continuous monitoring for your SoftPOS app is possible with ThreatCast. Once your app has been published, ThreatCast, collects information that can be fed into the attestation and monitoring software required by MPoC to detect and avoid fraudulent transactions.

Set your SoftPOS app up for success this holiday season (and beyond). Connect today with a Guardsquare expert.

Executive Summary (TL;DR)

• SoftPOS usage is on the rise with retailers, and implementing mobile app security standards is necessary to protect sensitive financial and client data from theft and fraud.
• PCI MPoC’s standard can help app publishers (and the retailers that use them) protect their SoftPOS app from reverse engineering, tampering attempts, and data theft. Applying the standard requires security experts and app publishers to follow PCI’s objective-based security and testing requirements.
• Guardsquare helps SoftPOS mobile app publishers meet regulatory security standards like MPoC, with its protect, test, monitor approach.