14 Feb 2023

MPoC standard enables secure payments using smart phones and tablets

Imagine making a purchase and instead of offering you a payment terminal, the merchant unlocks their cellphone and asks you to tap your card directly on the screen. In an exciting development for the payment technology space, the Payment Card Industry (PCI) Security Standards Council released the Mobile Payments on COTS (MPoC) standard. This flexible security standard will allow for a streamlined payment process for small businesses without the complexity of additional devices.

The new MPoC standard will allow customers to make secure contactless payments directly on a vendor's cellphone or other commercial off-the-shelf (COTS) device. As uncontrolled COTS devices are inherently untrusted, the MPoC standard introduces multiple security mechanisms to compensate. Two mechanisms that are employed by the MPoC standard's layered security approach are attestation & monitoring and software protections.

Attestation and Monitoring

How can one be confident in the security of a transaction if the device itself is not trustworthy? This problem is solved by the attestation and monitoring component, which forms the largest protection mechanism in an MPoC implementation. This approach allows a known trusted outside source to validate that no malicious changes have occurred on the COTS device.

MPoC solutions rely on two specific types of attestation. The first assesses the integrity of the application and software development kit (SDK) installed on the device. By performing a routine check on the installed solution, it can be reasonably assured that the security mechanisms built by the application have not been circumvented. The second type of attestation assesses the integrity of the COTS device itself. Monitoring the device verifies that no manipulation has occurred that could reduce the security of the application or SDK.

The process of attestation can then be used to respond to anomalous results.

Software Protections

The MPoC application itself must be sufficiently protected against tampering to a minimum threshold. Tampering includes reverse engineering attempts, modification, and attempts to roll back to a previous, insecure version. First, a means needs to be implemented to hinder efforts to reverse engineer the application. PCI's guidance offers obfuscation as a possible means of fulfilling this objective. Next, the application must resist unauthorized modification. The application requires compensating controls to prevent modification of the application, its configuration files and the binary code. Finally, the application must implement mitigations against any attempt to roll back the version. If a security update is issued to the device, the application must introduce measures to prevent the pre-update version from being installed.
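The two attestation types and the rollback requirement described above can be pictured as a single backend decision. The following is an added sketch, not code from the MPoC standard or from Intertek; the report fields, digests and version floor are hypothetical, constructed values.

```python
import hmac
from dataclasses import dataclass

# Hypothetical policy (constructed values); a real backend would load this
# from protected configuration maintained by the solution vendor.
TRUSTED_APP_DIGESTS = {"3.2.0": "a1" * 32, "3.1.0": "b2" * 32}
MIN_VERSION = (3, 2, 0)  # raised when a security update ships (anti-rollback floor)

@dataclass
class Attestation:            # hypothetical report sent by the app/SDK
    app_version: str
    app_digest: str           # measurement of the installed application and SDK
    device_rooted: bool       # device-integrity signals from the COTS device
    debugger_attached: bool

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def evaluate(att):
    """Return (decision, reasons); decision is 'allow' or 'block'."""
    reasons = []
    try:
        if parse_version(att.app_version) < MIN_VERSION:
            # A genuine but superseded build is still refused.
            reasons.append("rolled-back version")
    except ValueError:
        reasons.append("malformed version")
    expected = TRUSTED_APP_DIGESTS.get(att.app_version)
    if expected is None or not hmac.compare_digest(expected, att.app_digest):
        reasons.append("application integrity mismatch")
    if att.device_rooted or att.debugger_attached:
        reasons.append("device integrity failure")
    return ("block" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed sample reports.
    samples = [
        Attestation("3.2.0", "a1" * 32, False, False),  # current, untampered
        Attestation("3.1.0", "b2" * 32, False, False),  # old build reinstalled
        Attestation("3.2.0", "ff" * 32, True, False),   # modified app, rooted device
    ]
    for s in samples:
        print(s.app_version, evaluate(s))
```

The second sample carries a digest the backend recognizes, yet it is blocked because its version is below the floor: an integrity check alone does not stop a rollback to a previously released build.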

Conclusion

Properly implementing these security mechanisms, combined with compliance to the robust security requirements for the backend transaction processing, will enable MPoC solution vendors to release PCI-certified solutions and enable secure mobile payment transactions using commercial off-the-shelf equipment.

 

Nick Thomas,
IT Security Specialist, Intertek EWA-Canada

Nick Thomas is an IT Security Specialist for Intertek EWA-Canada in Ottawa, Canada. During his time with EWA-Canada, Nick has developed IT security skills in both the payment assurance and high assurance fields. Familiar with both the PCI Security Standards Council and Australian Payment Network accreditation bodies, Nick currently performs payment product assessments.