By Ron Carter, Executive Vice President of EMV® at Cryptomathic
The rise of contactless mobile payments is well documented, and experts expect this trend to continue its current trajectory. According to Juniper, the total number of unique contactless mobile payment users will reach one billion for the first time in 2024.
Each mobile payment requires some form of point-of-sale (POS) device to complete a transaction. Yet the POS device is not only there to enable seamless transactions; it also hosts the security measures that provide a safe environment for customers to make purchases. These measures are essential for preventing unauthorized access, mitigating payment fraud, and reducing the risk of payment card information being stolen or misused.
The rise of SoftPOS technology has ushered in a transition away from traditional, purpose-built hardware POS devices. SoftPOS leverages both software and hardware to enable smartphones to act as POS devices. Yet concerns persist that smartphones are a much more attractive, and easier, target for cybercriminals.
This requires us to evolve our POS security practices. The development of complete standards for mobile acceptance has taken some time, but now the Payment Card Industry’s (PCI) new standard and compliance program for Mobile Payments on Commercial off-the-shelf devices (MPoC) offers a supportive compliance framework for SoftPOS developers.
The evolution of POS devices
Originally, point-of-sale (POS) devices were standalone and designed for a single purpose: secure payment transactions. The devices were sealed, only ran dedicated software from the manufacturer, and integrated all necessary security features.
These POS devices, while secure, were expensive and only served a singular purpose. Merchants wanted more flexibility in acceptance, such as offering loyalty schemes or alternative forms of payment.
As a result, some vendors built hardware platforms that ran a variant of Android as the operating system, enabling an application-based approach. This made integrations and additional functionality available in the form of apps, meeting merchants’ desire for flexibility in acceptance and integration into their systems.
From a security perspective, this approach ensured that all the necessary security hardware was present, but it simultaneously brought software security to the fore, especially where multiple apps cohabit on the same device.
The development of Android tablets provided interesting possibilities and led to the creation of dongle-type devices (separate from the tablet) that accepted payment cards and enabled the entry of a cardholder PIN.
Yet, with the rise of contactless payments and increased support for NFC on mobile devices, the demand for physical card acceptance declined in favor of a contactless experience. It was this development that provided the opportunity for mobile POS to become a reality. Initially, PIN entry was not possible on a mobile device. This was inconvenient for merchants, who had to find other ways to accept PIN entry. As technology evolved, it became possible to enter a PIN via the mobile device, but security concerns persisted about entering a PIN into a mobile phone, especially if the card details were available on the same device. There was also no standard for PIN entry on mobile devices, creating potential security risks.
However, the PCI Security Standards Council (PCI SSC) has now released the PCI MPoC, a complete mobile payment standard. This standard is an amalgamation of pre-existing standards and supports all contactless card acceptance when using a commercial off-the-shelf (COTS) device, including the ability to perform PIN entry.
This marks a huge development in creating safe, secure, and open standards for mobile point of sale compliance, but how did we get here?
A timeline of POS Standards
April 2018 – PCI SPoC (Software-Based PIN Entry on COTS)
This security standard, initially released in April 2018, allows merchants to accept PIN-based payments using COTS mobile devices, such as smartphones and tablets. The SPoC standard provides a secure environment for entering PINs and encryption of sensitive payment data, ensuring the protection of cardholder information during transactions.
The PIN is entered on the COTS device, but a dongle (SCRP, Secure Card Reader – PIN) performs both card acceptance and PIN encryption.
December 2019 – PCI CPoC (Contactless Payments on COTS)
Intended specifically for transactions below the contactless limit that do not require a PIN, this standard removes the need for an SCRP for contactless transactions. PCI CPoC is a security standard that allows merchants to accept contactless payments from cards, phones and wearable devices using commercial off-the-shelf devices such as smartphones and tablets.
2020 – PIN on Glass Certification (by Mastercard and Visa)
While PCI CPoC removed the need for an SCRP for lower-value contactless transactions, the arrival of the PIN on Glass Certification removed the need for an SCRP for higher-value contactless payments. Specifically, Mastercard and Visa created a standard that enabled entering a cardholder PIN on the touchscreen display of a merchant’s phone or tablet.
November 2022 – PCI MPoC (Mobile Payments on COTS)
Finally, the PCI MPoC standard brings together all of the pre-existing standards and delivers a complete mobile payment standard that defines a number of architectures and security requirements. Contactless card acceptance, including the ability to perform PIN entry, is enabled using just a COTS device, while acceptance of chip and magstripe cards can be done using an SCRP.
While the history of POS standards is not very long, the developments achieved in a relatively short period of time indicate a great ability to adapt to customer, merchant and vendor needs. As we increasingly shift towards a cashless society, it is therefore essential that mobile payments, mobile apps and mobile point-of-sale devices are secure.