SoftPos to the rescue?
The card payments market is a strange thing. In some ways, innovation happens terribly slowly. For example, the move from magnetic stripe to chip cards has been going on since the mid 1990s, and that's still the case despite the high fraud levels associated with magnetic stripe cards. Contactless payments, still perceived as new technology, have themselves been around for almost 15 years, and it's taken a global pandemic to get many smaller merchants enthusiastic about using them.
The evolution of mPOS
The mPOS market has evolved much more rapidly. It all started just over a decade ago in 2009 when Jack Dorsey, of Twitter fame, launched Square. Square initially targeted only the US magnetic stripe card payment acceptance market. Since then, the mPOS market has been through several major step changes. The first change, just a year after Square launched, was the inevitable move to support chip card acceptance. The move to EMV mPOS support was driven initially by the Swedish company iZettle, then followed up by a raft of copycats. More recently, over the past couple of years, we have seen a number of new initiatives, all attempting to bring faster adoption of mPOS by reducing the need for expensive external hardware devices.
Let’s reduce the hardware!
The first of these new initiatives is the rather unimaginatively named SPoC, or Software-Based PIN Entry on COTS (where COTS is a Commercial Off-the-Shelf device, or a standard mobile phone to you and me!). In SPoC, you take a traditional mPOS device and essentially remove the screen and PIN pad, thus significantly reducing the cost. What remains is basically an encrypting card reader called a SCRP (Secure Card Reader for PIN). In SPoC-based solutions, the card is tapped on or inserted into the SCRP, which connects to the phone most often using Bluetooth, and the PIN is entered through the phone touchscreen. Most people in the industry agreed the SPoC initiative was a definite step in the right direction, but it still needs a separate piece of hardware to read the cards. And it's this hardware that causes the issues: it needs building, certifying and distributing, customers need to have it with them, and it needs to be charged. There is a real desire to lose the external hardware altogether.
So, hot on the heels of SPoC came the first real SoftPos spec, CPoC (Contactless Payments on COTS). SoftPos solutions, short for software point of sale, let merchants take contactless payments through their own mobile devices or tablets. The CPoC specification removes the need for external hardware altogether: CPoC uses the NFC (contactless) interface built into the mobile phone as the card reader. With CPoC everything happens in the merchant's smartphone, so the phone UI is used to enter the amount and the built-in NFC to read the card. The CPoC specs, however, prohibit PIN entry, so it's limited to transactions below the floor limit only (€50 in most EU countries, CHF 80 in Switzerland and £45 in the UK). The exception is when the card details come from a mobile wallet like Apple Pay, where the transaction can be for any amount because authentication is performed on the customer's device.
The holy grail of SoftPos?
But even before CPoC or SPoC have gained any serious market traction, we see the next initiatives appearing, and these are the really interesting, albeit technically challenging, ones.
These new SoftPos solutions turn the phone into a complete payment terminal, with both card reading and PIN entry on a standard phone. They haven't got any snappy names yet, and the specs are not going to be released by PCI, the body that standardises these things, until late 2021.
To test the market and enable early deployment, the card schemes themselves (Visa and Mastercard) have provided pilot specifications that companies such as Abrantix can develop against. The specs are essentially a merge of CPoC and the PIN entry parts of SPoC.
Is it secure enough?
Now here comes the challenge: because there is no secure hardware, one relatively insecure device, an Android phone, is reading both the card and the PIN. The rules to date have insisted that card data and PINs are always well protected and encrypted with separate keys that are always kept apart. That's tricky to achieve in an insecure smartphone; not impossible, but certainly a challenge.
If you are lucky enough to be able to deploy onto devices with an open TEE, then you can develop your apps to benefit from it, gaining hardware-backed security and proper key separation. In an ideal world this is what we would all use to protect our apps. But sadly, the reality isn't quite so simple: TEE accessibility is patchy at best. If you want apps that can be deployed at large scale, you need to look at alternative protection mechanisms.
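As an added illustration (not code from the original post or from Abrantix), the following Android snippet shows what "benefiting from the TEE" looks like in practice: it asks the Android Keystore for two separate AES keys, one for card data and one for PIN blocks, and then checks whether the platform actually placed each key inside secure hardware. The alias names and class name are assumptions; a `false` result is the signal that the device is one of the patchy ones and a software-protection fallback is needed.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;

/**
 * Illustrative helper (hypothetical, not Abrantix code): one AES-256-GCM key per data class
 * under separate aliases, so card data and PIN blocks are never protected by the same key,
 * plus a check of whether the Keystore really put the key in secure hardware (TEE/SE).
 */
public final class SoftPosKeys {
    // Constructed alias names; any app-specific naming works, but the two must differ.
    public static final String CARD_KEY_ALIAS = "softpos.card.aes";
    public static final String PIN_KEY_ALIAS  = "softpos.pin.aes";
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    private SoftPosKeys() {}

    /** Generates (or reuses) the key under alias; returns true only if it is hardware-backed. */
    public static boolean ensureHardwareBackedKey(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(alias, null);
        if (key == null) {
            KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
            kg.init(new KeyGenParameterSpec.Builder(alias,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .setKeySize(256)
                    .build());
            // Key material is created inside the Keystore and never exported to the app.
            key = kg.generateKey();
        }
        // KeyInfo reports where the Keystore daemon actually placed the key.
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    /** True only when both the card key and the PIN key exist and both live in secure hardware. */
    public static boolean hardwareKeySeparationAvailable() throws Exception {
        boolean cardOk = ensureHardwareBackedKey(CARD_KEY_ALIAS);
        boolean pinOk  = ensureHardwareBackedKey(PIN_KEY_ALIAS);
        return cardOk && pinOk;
    }
}
```

On devices where `hardwareKeySeparationAvailable()` returns `false`, the keys still exist but are only software-protected by the Keystore, which is exactly the situation the software-protection approach below is meant to cover.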
Protected with software
So, if there's no access to secure hardware, what can you do? There are a number of software protection mechanisms that can be used to secure applications. Whilst these are never as secure as hardware, they do have the benefit that they work on every device and are easy to update should a vulnerability be found. Hardware-based security solutions, if found to be vulnerable, as was seen with attacks such as Spectre and Platypus, are harder to patch, so in some ways software-based protection is the best solution.
Software protection takes a layered approach, using multiple different mechanisms, such as obfuscation and white-box cryptography, each applied to the application so that together they provide a good enough level of protection.
There are plenty of blogs out there from the application shielding vendors explaining the multiple mechanisms used together in software-based protection, so I won't go into detail here.
But I believe the next SoftPos PCI specification is going to be what the market needs and wants. And, for the next few years at least, software-backed protection is likely to be the only viable security solution to protect it.
If you are interested in talking to us about developing your next SoftPos solution, please don’t hesitate to get in touch.
A TEE is a mechanism, delivered by the ARM-based microprocessors present in most smartphones, that allows a hardware-separated second, secure operating system to run alongside your normal operating system, e.g. Android.