Thales Blog

MPOS Security - Protect The Data Not The Device

September 25, 2013

Smartphone ownership in the UK has reached a record high, and is driving the payments industry towards a new ‘mobile era’ in payment acceptance. Mobile payment and mobile point of sale (mPOS) technology has now evolved to gain a foothold with larger retailers, though its impact is arguably most profound amongst its initial target market – small enterprises and micro businesses. For years, these smaller merchants have been excluded from the world of card payments, forced to rely on cash or cheque payment. mPOS technology has the potential to revolutionize this landscape, allowing much greater flexibility for merchants, who can use portable card readers in conjunction with smartphones or tablets to accept payments. But does this flexibility and reduced cost come at the expense of crucial cardholder data protection?

Consumer devices have been creeping into the business world for many years, with concern often expressed that the increasingly blurred lines between personal and business technology may introduce security weaknesses. However, this is far from the case with mPOS solutions, which often deliver stronger security benefits than the legacy POS infrastructure.

Unlike most conventional POS terminals deployed today, all leading mPOS solutions implement Point-to-Point Encryption (P2PE). Cardholder data is encrypted at the point of capture – the very first opportunity you have to protect it – and remains protected as it flows through the merchant’s IT systems to the payment processor. With no cleartext data passing through (or stored in) the merchant environment, the burden of PCI DSS compliance is significantly reduced, taking the smartphone or tablet out of scope for further certifications. By contrast, a retrospective upgrade of existing terminals to support P2PE is often not easy or cost-effective to achieve due to the complex infrastructure involved.

Another key advantage of mPOS technology from a security perspective is that it employs the latest advances in remote key injection. With traditional POS terminals, the cryptographic keys are often manually loaded on the merchant premises by a third-party service organisation. This is a complex procedure for payment service providers (PSPs) to oversee and introduces a ‘chain of trust’, which brings potential for human error or even deliberate injection of malware by rogue staff. Conversely, mPOS solutions use hardware security modules (HSMs) to deliver remote key injection into the card readers – online configuration over the internet using PKI techniques – ensuring that the critical keys used to secure data and PINs are protected using proven payment industry hardware-based security methods. This reduces the expense, hassle and downtime of shipping terminals to secure facilities and activating them in store, and eliminates any reliance on weak software methods to inject keys into mPOS card readers.

Likewise, the HSM delivers the critical security at the payment gateway, ensuring that all keys and sensitive data (such as PINs) are never available in cleartext form to the gateway server. In addition to its fundamental role in securing the remote key injection process for the card readers, the HSM is used to perform secure decryption of the encrypted payment transaction data received from the merchant. The decrypted data, which is sent securely to the acquirer network, is not accessible by the merchant, thereby keeping the merchant out of scope for PCI DSS certification associated with mPOS transactions.

mPOS technology opens the door for the smallest merchants to enjoy increased flexibility and mobility, as well as the security benefits that come with accepting cards, both magnetic stripe and EMV chip, at an attractive price.