Abrantix joins the Mobile Task Force at the PCI Security Standards Council
We at Abrantix have recently decided to become a Participating Organisation of the PCI Security Standards Council (to read the press release, click here). What this means is that we will be joining the team of industry experts who help shape the payment security standards of the future. Personally, I have a particular interest in the standards around SoftPos, tap-to-phone, tap-on-phone, CPoC, mobile acceptance (it has so many names), so it is the Mobile Task Force that I have a specific interest in.
I’ve written about SoftPos and security in the past; I actually led the R&D team that developed the first SoftPos POC for Mastercard, back in 2015. Back then, we all believed that a future with an open, hardware-backed security standard on mobile devices was imminent; we actually used a Trusted Execution Environment (TEE) to secure the Mastercard POC SoftPos application. The availability of an open, common, secure, hardware-backed protection solution across mobile devices has sadly not yet materialised, and to be honest, I believe its future looks bleak. I strongly believe that for the next few years at least, until Google and Apple choose to provide developers with access to a flexible, programmable, hardware-backed security solution, we have to standardise on software protection mechanisms for SoftPos, and with that come the challenges. This is part of the reason for my interest in joining the Mobile Task Force. The SoftPos standards today are vague in this area, and everyone has a different opinion on what should be done to secure SoftPos apps. I’ve even seen suggestions by security labs that hardware-backed security should always be used to protect these apps, but I wish one of them would tell me how!
SoftPos only makes financial sense when you have the ability to deploy at scale; if you have to restrict your solution to a limited number of devices in order to make use of a specific hardware feature, I highly doubt you will recoup the costs of development. Those costs are significant: it’s not just the development of the apps and risk management servers, but also the licensing of a security solution to protect the apps, and lab costs for security evaluations and the multiple levels of certification.
I’ve spent the past year helping Abrantix deliver SoftPos solutions, and the four years prior promoting application security solutions to SoftPos vendors and other financial services organisations. I think I understand a lot of the challenges that organisations face when attempting to deliver secure SoftPos solutions. I’m not sure I have all the answers, but I do understand a lot of what’s possible, and what causes some of the biggest challenges with today’s technology. From what I understand, the Mobile Task Force wants to provide a more flexible and less prescriptive specification, enabling interoperability between components, and I believe Abrantix can help make that happen. We at Abrantix are looking forward to the challenge, and hope to make the future of payment acceptance on mobile phones a little more achievable, but also more secure.