The holiday season is here with people flocking to stores, kiosks, and pop-ups in search of the best deals on gifts for family, friends, and maybe even themselves. When it’s time to pay, many shoppers will tap their card, mobile wallet, or a banking app to a mobile device — also known as a Software Point of Sale (SoftPOS).
SoftPOS allows merchants to accept payments using a smartphone. It doesn’t require a physical card reader; instead, it uses the phone’s near-field communication (NFC) technology to read the card or mobile wallet data.
With a global market value of $248.5 million in 2022 and an estimated value of more than $1 billion in 2030, SoftPOS’s popularity with merchants is clear. In fact, the payment technology has several advantages that make it more attractive than traditional POS systems:
While SoftPOS has many advantages, it’s important for SoftPOS makers to consider the risks the technology poses for merchants and buyers. For example, if a SoftPOS device is compromised, attackers could steal sensitive customer data, such as credit card numbers and PINs.
Mobile application security standards can help to mitigate these security risks with guidance on how to develop and deploy secure mobile applications to accept payments on smart devices. Created by industry experts, they also cover a wide range of topics, such as data, device, and application security as well as authentication, authorization, and transaction monitoring.
By implementing mobile app security standards, SoftPOS app publishers help merchants to protect their customers' data and reduce the risk of fraud.
Once an app is published, it’s out of the publishers’ control and potentially in the hands of malicious third parties. This type of threat is known as man-at-the-end (MATE), and it makes smart devices like phones and tablets untrustworthy.
Because of this vulnerability to MATE attacks, markets with the most to lose from MATE threats — such as financial institutions — were among the first to create and require security standards. After all, financial breaches can leak sensitive customer data resulting in fraud.
Additionally, according to research by the European Union Agency for Cybersecurity (ENISA), merchants' SoftPOS mobile apps used in retail shops may be subject to one or more of the following threats:
The major benefits of adopting security standards include:
Due to the customer financial data collected from each transaction, the need for security standards and the benefits of implementing them also apply to SoftPOS. In response, credit card companies introduced security requirements that SoftPOS developers must comply with in order to accept credit card payments.
The PCI Security Standards Council, a trade association formed by the major credit card companies — American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. — has issued a series of security standards to cover mobile payments on commercial-off-the-shelf (COTS) devices like phones and tablets used by merchants as SoftPOS.
In addition to believing that standards rarely change or can be applied once, there are three other common misconceptions around mobile app security standards that impact SoftPOS app developers:
With these misconceptions in mind, it’s important that SoftPOS mobile app developers and their security teams consider where these viewpoints may be impacting the overall security of their apps, and how to begin applying the right security standards.
Released in 2022, the MPoC standard combines elements of both the CPoC and the SPoC standards. SPoC applies to solutions using an external card reader paired with a mobile device that accepts a PIN, while the CPoC standard covers NFC payments that don’t require a PIN. MPoC covers the use cases of both SPoC and CPoC and, most notably, it allows PIN entry for COTS NFC payments without the need for an external card reader.
PCI describes MPoC as a modular, objective-based security standard. According to the standard, mobile app publishers “are expected to possess a robust risk-management practice as an integral part of their ‘business-as-usual’ operational process.” This supports a holistic mobile app security strategy that extends beyond MPoC’s requirements.
MPoC’s security recommendations are broken down into:
Here are some of the requirements for developing secure SoftPOS applications according to the standard:
When adopting the MPoC standard, SoftPOS merchants should also pay attention to the suggested frequency for certain requirements and tests. For example, some security requirements should be performed daily while others only annually. PCI also recommends that you consider the individual needs of your business when defining frequency.
Whether your SoftPOS app is required to meet and maintain compliance standards or not, it’s best to work with an industry-recognized mobile app standard like PCI’s MPoC. Doing so provides your app with a baseline for security and benchmarks to ensure that your app is protected against the most relevant attacks in the current threat landscape.
In the same way that standards like MPoC provide an efficient approach to security, using the right tools to implement the standards is also key. Guardsquare’s DexGuard and iXGuard solutions offer automated, comprehensive mobile app protection for Android and iOS apps with multiple layers of code hardening and RASP. These solutions obfuscate sensitive app data and code, making it harder for attackers to reverse engineer the SoftPOS, extract sensitive payment data, or modify the app to commit fraud.
Guardsquare also offers AppSweep, a free mobile app security testing product that helps SoftPOS app developers meet MPoC’s requirement of securing the SDLC. AppSweep accomplishes this by routinely scanning apps during the development process, identifying potential security issues early, and providing recommendations for correcting them.
Continuous monitoring for your SoftPOS app is possible with ThreatCast. Once your app has been published, ThreatCast collects information that can be fed into the attestation and monitoring software required by MPoC to detect and prevent fraudulent transactions.
Set your SoftPOS app up for success this holiday season (and beyond). Connect today with a Guardsquare expert.