January 12, 2020

    What PCI SPoC Compliance Means for Mobile Apps

    Guardsquare provides security solutions that safeguard mobile apps against reverse engineering and hacking. We develop software that complies with a number of regulatory and industry standards, such as PSD2, the OWASP Mobile Security Project and the PCI guidelines.

    In light of the recent compliance discussions and numerous regulatory updates (for instance, in Turkey and Singapore), we are presenting a short blog series discussing how PCI regulations apply to mobile applications. In Part I of this series, we discussed the PCI Mobile Payment Acceptance Security Guidelines. Today, we discuss how our solutions, DexGuard and iXGuard, meet the PCI Software-based PIN entry on Commercial off-the-shelf devices (SPoC) requirements for Android and iOS.

    What is PCI SPoC?

    PCI SPoC is a new security standard announced by the Payment Card Industry Security Standards Council (PCI SSC) to regulate the security of electronic mobile transactions on commercial off-the-shelf devices (COTS). The new guidelines secure the authentication of transactions using software-based PIN verification on smartphones and tablets.
    Vendors are typically required to use PCI-approved hardware that is compliant with PCI PIN Transaction Security (PCI PTS) for PIN authentication (PCI PTS POI devices). The introduction of PCI SPoC, however, allows merchants to leverage the NFC capabilities of off-the-shelf smartphones and tablets to secure the authentication of transactions instead. This eliminates the need for vendors to use traditional (and often more expensive) electronic PIN pads.

    How Does PCI SPoC Work?

    PCI SPoC defines a number of components and processes for authenticating transactions using a PIN on COTS devices. At a minimum, the system consists of an EMV card reader (referred to by SPoC as the Secure Card Reader for PIN, or SCRP), a back-end monitoring and payment processing system, and a PIN CVM (PIN Cardholder Verification Method) application that accepts the cardholder's PIN.

    With PCI SPoC, a consumer inserts or taps their card at the SCRP, which reads the account information, and then enters their PIN into the merchant’s smartphone or tablet to authenticate the transaction. The PIN is captured on the mobile device by a PCI-compliant PIN CVM mobile application, which then securely exchanges it with the SCRP. The SCRP in turn communicates securely with both the mobile device and a back-end monitoring system to attest and process the transaction. Transactions in this setting are restricted to EMV contact and contactless.

    The key advantage of PCI SPoC is that the PIN is effectively isolated from the other account data, so that correlation attacks that combine the two to crack the encrypted information are no longer possible. SPoC also ensures the integrity of the PIN entry application that captures this data. Additionally, SPoC requires an active monitoring service to enforce additional external security controls for:

    • attestation (ensuring the security mechanisms are intact and operational),
    • detection (notifying when anomalies are present), and
    • response (triggering controls to alert and take action).
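    To make the attestation, detection and response loop concrete, the following is an added, deliberately simplified Python model (it is not the SPoC specification and not Guardsquare's code): the PIN CVM app sends a signed integrity report to the monitoring service, which decides whether the transaction may proceed. The shared HMAC key, the check names and the expected code hash are constructed assumptions; note that the report carries only control data, never the PIN or account data, in line with the isolation described above.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. In practice an attestation key would be provisioned
# per device/app instance by the back end, never hard-coded like this.
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"


def build_report(checks, app_hash, ts=None):
    """PIN CVM app side: summarise the app's own integrity checks for the
    monitoring service. Only control data is included; no PIN or account
    data ever enters this message."""
    body = {"app_hash": app_hash, "checks": checks, "ts": ts or time.time()}
    payload = json.dumps(body, sort_keys=True).encode()  # canonical form
    tag = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def evaluate_report(report, expected_hash, max_age_s=60, now=None):
    """Monitoring service side: attestation -> detection -> response.
    Returns 'allow', 'alert' or 'block' for the pending transaction."""
    body = report.get("body", {})
    payload = json.dumps(body, sort_keys=True).encode()
    expected_tag = hmac.new(ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()

    # Attestation: the report must be authentic (HMAC) and fresh (timestamp),
    # otherwise a tampered or replayed report could mask a compromised app.
    if not hmac.compare_digest(expected_tag, report.get("tag", "")):
        return "block"
    if (now or time.time()) - body.get("ts", 0) > max_age_s:
        return "block"

    # Detection: code integrity and hostile runtime environment indicators.
    if body.get("app_hash") != expected_hash:
        return "block"
    checks = body.get("checks", {})
    if checks.get("rooted") or checks.get("debugger") or checks.get("hooked"):
        return "block"

    # Response: weaker anomalies raise an alert but let the transaction run.
    if checks.get("emulator"):
        return "alert"
    return "allow"
```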

    How Guardsquare Can Help Mobile Apps Meet SPoC Compliance

    The hardware of a COTS device is assumed to be unknown and untrusted, so an attacker may have full access to its software. PCI SPoC therefore enforces security requirements that developers must meet to ensure software-centric PIN protection. Testing requirements are also defined for the validation and evaluation of the solution by payment security laboratories.

    As defined by SPoC, “...it is considered important for the software to provide inherent protections that complicate reverse engineering and tampering of the code execution flow. This may include, but is not limited to, protections using “obfuscation” of the code, internal integrity checks for code and processing flows and encryption of code segments, etc.”

    Guardsquare hardens the PIN CVM mobile app against reverse engineering and tampering attacks and provides integrity controls to ensure a trusted execution environment on COTS devices.

    Our products, DexGuard and iXGuard, obfuscate mobile apps using multiple advanced techniques and protect apps on COTS devices against rooting and other dynamic attacks designed to compromise the Android and iOS runtimes. Guardsquare's tamper detection checks and fingerprinting capabilities further harden these controls, and the overall payment system, by signalling modifications and anomalies of the CVM application to the back-end monitoring system.

    Stronger Security for Mobile App Transactions

    Mobile applications, app security, and compliance are arguably becoming a central pillar of business models across many sectors. Guardsquare’s mobile protection suite, including DexGuard and iXGuard, ensures the overall effectiveness of your IT security architecture by hardening it against dynamic and static attacks.

    As a mobile app security solution, Guardsquare helps ensure software-centric PIN protection for Android and iOS devices by providing solutions that directly comply with several PCI security requirements. We use industry-standard cryptography, code obfuscation, tamper prevention and runtime integrity verification to protect hundreds of customers. These technologies are crucial to preventing unintended modification or behavior of the PIN CVM mobile app and the COTS devices it runs on.
