PCI MPoC: How Licel solutions empower secure mobile payments on COTS devices
What is PCI MPoC?
PCI’s Mobile Payment Acceptance on COTS (Commercial Off-The-Shelf) standard represents a critical evolution in securing mobile payment environments. As mobile devices become central to retail and financial ecosystems, making sure applications can protect themselves against sophisticated threats is vital.
Licel’s solutions - DexProtector, the Licel vTEE, and Alice Threat and Device Intelligence - are at the forefront of this initiative. They facilitate PCI MPoC compliance and offer enhanced security across all five domains of its requirements.
The evolution of PCI Standards
PCI MPoC can be seen as a natural evolution from previous standards such as PCI SPoC (Software-Based PIN Entry on COTS) and CPoC (Contactless Payments on COTS). They, too, sought to ensure the security of payment transactions, with a particular focus on PIN entry and contactless payments respectively. The key difference is the broader scope and enhanced flexibility of MPoC, which takes into account a wider range of mobile payment mechanisms and tech utilization and which, as a result, comes with more security and compliance requirements.
The unique challenge of securing mobile payments on COTS devices
Traditional payment devices were designed primarily with security in mind. They were made for that one specific function. Mobile devices, on the other hand, are designed to fulfil a thousand functions. This is why PCI MPoC is so important as a guide for how end users can carry out digital transactions safely.
PCI MPoC compliance for SoftPOS solutions
PCI MPoC is particularly vital for SoftPOS (Software-based Point of Sale) solutions because it addresses the unique challenges and security concerns associated with safely turning smartphones into payment acceptance terminals.
MPoC covers a wide range of potential security threats, from reverse engineering to malware. It aims to make sure there is integrity across the payment process, which is vital for maintaining trust in innovative payment systems that use consumer-grade devices.
Implicit within PCI MPoC is a recognition that the threat landscape is constantly evolving. That’s why attestation and monitoring are so prominent within it.
At Licel, our solutions turn the mobile phone – an inherently insecure and untrusted device – into something that can be trusted to safely accept payment data.
Licel solutions transform everyday devices into secure payment terminals
DexProtector: the complete package for app and SDK security.
DexProtector is a no-code security solution for Android and iOS applications, SDKs, and libraries. Its core mechanisms include integrity control, obfuscation, encryption, anti-tampering / debugging, root detection, anti-instrumentation, anti-emulation, and SSL Pinning.
Its anti-malware, UI protection, API protection, and Device Intelligence capabilities represent the cutting-edge of mobile application protection.
DexProtector, evaluated and approved by EMVCo for 5 consecutive years, provides the core security foundations to help you achieve PCI MPoC certification.
The Licel vTEE: designed to facilitate secure mobile transactions.
The Licel vTEE (Virtual Trusted Execution Environment) provides a secure execution environment where trusted applications can perform sensitive transactions and operations.
Designed to satisfy both PCI and EMVCo requirements, the Licel vTEE is faster and more flexible than hardware TEEs. This flexibility can help to fast-track your certification bid.
Speaking of certification, the Licel vTEE has been evaluated and approved under EMVCo’s SBMP for TEE category for both Android and iOS.
Alice Threat and Device Intelligence: real-time reporting about the threat landscape.
Alice is a threat intelligence and monitoring solution that receives and analyzes incident insights from DexProtected applications.
Its data about the threats facing your app and the wider industry helps you to bridge the gap between vigilance and action. Alice empowers you to strengthen your security posture both now and in the near future.
Alice represents a key facet of PCI MPoC’s Attestation and Monitoring Service requirement.
Licel is working with the PCI Security Standards Council to help make global payment data secure
We’re using our expertise in securing mobile payments to help drive the ongoing development and adoption of PCI Security Standards, including PCI MPoC.
The PCI MPoC Security Model
PCI MPoC’s Security Model outlines the comprehensive and multi-layered approach required to secure mobile payments on commercially available devices (COTS). This includes the following:
- Attestation and monitoring
- Detection of threats and response
- Secure storage and processing of data
- Software protection mechanisms to maintain integrity
- Secure communication
- Secure user interface
In the paragraphs below, we’ll explain how Licel solutions are ideally placed to fulfil the requirements of this comprehensive security model, ensuring that mobile payment solutions not only meet, but exceed the PCI MPoC standards.
PCI MPoC requirements and Licel solutions
Section 1B-1 of PCI MPoC covers the Software Security Mechanisms that need to be equipped in your application or SDK. These are the individual requirements that Licel solutions can help you to comply with. Let’s look at each of them in detail:
1B-1.3 Platform-based security mechanisms relied upon by the COTS-based MPoC Software to protect the assets have been evaluated.
Requirement
Examples of certifications that may be acceptable, include, but are not limited to:
- Common Criteria (at EAL4 with AVA_VAN 5)
- Common Criteria with Global Platform TEE PP
- EMVCo Chip and Global Platform
- EMVCo SBMP for TEE
- PCI-PTS POI, PCI HSM
- FIPS 140-2/FIPS 140-3 (Level 3+)
Solution
Both DexProtector and the Licel vTEE have been evaluated by independent laboratories and have been approved by EMVCo under SBMP and SBMP for TEE, respectively.
DexProtector has achieved this respected industry approval for five consecutive years now, while the Licel vTEE is currently the only TEE (whether HW-based, TPM, eSE, or vTEE) to be listed with this approval on the EMVCo website.
1B-1.5 The COTS-based MPoC Software, including all sensitive assets, is resistant to reverse engineering and covers all security-sensitive areas and sensitive assets.
Requirement
Where obfuscation is used as a security feature, the tester must confirm through examination and observation that the transformations applied by the obfuscator include the ability to:
- Hide data, such as (but not necessarily limited to) function/method names, strings, other data, and assets.
- Modify the code flow of the COTS-based MPoC Software.
Obfuscation reduces the efficacy of common code decompilation tools. Obfuscation methods may include, but are not limited to, control-flow and data obfuscation, execution of code sections in remote/cloud environments, and symbol renaming, or protections provided by virtualized execution environments that are specifically designed to provide software-based protections to code execution flows (such as a vTEE).
If the COTS-based MPoC Software is provided as a number of files (libraries), the calls and interfaces between the libraries are required to be obfuscated as well.
Obfuscation is intended to complicate the reverse engineering of the software and execution process of the COTS-based MPoC Software.
Solution
Part of DexProtector’s core functionality is preventing static attacks aimed at reverse engineering and tampering with application data. It achieves this aim via app hardening techniques including obfuscation, encryption, virtualization, and isolation.
Obfuscation and encryption cover strings, classes, resources, method calls, and sensitive assets. This applies equally to applications, SDKs, and libraries for both Android and iOS.
The Licel vTEE adds an additional layer of protection for trusted applications, making sure that bad actors can’t tamper with or manipulate them.
1B-1.7 The COTS-based MPoC Software prevents the use of compromised platforms which may impact the security of sensitive assets.
Requirement
In the context of this requirement, detection of compromised platforms may include detection of rooting or jailbreaking, as well as other methods that may be used to compromise the integrity and security of the execution environment (such as the use of emulator systems), where this could impact the security of sensitive assets.
Emulators facilitate the dynamic analysis of applications. The COTS-based MPoC Software is required to implement protections to help prevent its execution on these platforms to prevent such analysis. The focus of testing for this aspect of the requirement is not to consider all possible virtualization or hardware abstraction layers as non-compliant, but how the execution of the MPoC Software on any such system may facilitate dynamic analysis, and what protections the software implements to mitigate such attacks.
Solution
DexProtector’s embedded Runtime Engine and security modules protect apps and SDKs dynamically as they run on users’ devices. RASP mechanisms detect dangers such as dynamic instrumentation tools, emulators, and rooted and jailbroken devices. If these threats do exist in the app or SDK’s environment, DexProtector initiates controls to disable them.
This protection is fundamental to ensuring the integrity of your payment application or SDK and enabling long-term confidence and trust among end users of your solution.
1B-1.8 After initial download and execution, the COTS-based MPoC Software installation is securely bound to the COTS device on which it is installed.
Requirement
After the COTS-based MPoC Software is installed, it goes through a process upon first execution to uniquely bind that COTS-based MPoC Software to the specific COTS device on which it is stored.
The COTS-based MPoC Software is required to implement controls to prevent the extraction of data from the COTS-based MPoC Software such that it is not possible to create a “clone” of the COTS-based MPoC Software that is indistinguishable from the original.
Solution
The Licel vTEE carries out device binding to a specific user device using unique keys. This prevents attackers from tampering with your application or SDK, and stops them initiating fraudulent activity. Device binding is reinforced by DexProtector’s enhanced security measures, while Alice Threat and Device Intelligence performs anti-fraud mechanisms, providing an additional layer of protection.
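To make the binding and clone-resistance requirement concrete, here is an added illustration in Python. It is not Licel code and not a description of how the Licel vTEE implements binding; it models a device-resident, non-exportable key (the `DeviceKeystore` class is a constructed stand-in for a hardware keystore or a vTEE-protected key), a first-run binding token, the per-launch check, and a constructed back-end registry that distinguishes a copied installation from the original. The install identifier and all key material are constructed sample values.

```python
import hashlib
import hmac
import secrets


class DeviceKeystore:
    """Constructed stand-in for a non-exportable, device-resident key.

    Callers can ask it to compute a MAC but can never read the key. That is the
    property the binding relies on: copying the app's data directory to another
    device copies the install id and the stored token, but not the key.
    """

    def __init__(self):
        # Generated on the device and never leaves it (constructed sample key).
        self._key = secrets.token_bytes(32)

    def mac(self, data):
        return hmac.new(self._key, data, hashlib.sha256).digest()


def first_run_binding(keystore, install_id):
    """Run once after install: derive a token tied to this install and this device key."""
    return keystore.mac(b"mpoc-install-binding|" + install_id)


def verify_binding(keystore, install_id, stored_token):
    """Run on every launch: recompute the token and compare in constant time."""
    return hmac.compare_digest(first_run_binding(keystore, install_id), stored_token)


class BackendRegistry:
    """Constructed back-end view of installations.

    One install id may only ever be presented with one binding token. A clone
    running on a different device can only produce a token under *its* key, so a
    second, different token for the same install id is reported as a clone.
    """

    def __init__(self):
        self._seen = {}  # install_id -> first token registered for it

    def register(self, install_id, token):
        known = self._seen.get(install_id)
        if known is None:
            self._seen[install_id] = token
            return "registered"
        return "ok" if hmac.compare_digest(known, token) else "clone_detected"


if __name__ == "__main__":
    original = DeviceKeystore()
    install_id = b"install-0001"  # constructed sample install identifier
    token = first_run_binding(original, install_id)
    print("original device verifies:", verify_binding(original, install_id, token))

    # Same install id and stored token copied to a different device.
    cloned_device = DeviceKeystore()
    print("clone verifies locally:", verify_binding(cloned_device, install_id, token))

    registry = BackendRegistry()
    print(registry.register(install_id, token))
    print(registry.register(install_id, first_run_binding(cloned_device, install_id)))
```

The local check alone stops a naive copy (the copied token no longer verifies), and the back-end registry catches the case where the local check has been bypassed and the clone computes a fresh token under its own key: the two tokens differ, so the clone is not indistinguishable from the original.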
1B-1.11 When any part of the COTS-based MPoC Software functionality is implemented outside the REE, that code is also protected against tampering and handles input data securely.
Requirement
Compliance to this requirement may be achieved through demonstration of previous evaluations, such as through EMVCo SBMP, GP, or similar schemes. Documentation needs to clearly include authenticatable evidence of such evaluation; i.e., a vendor assertion of evaluation or compliance is insufficient.
Solution
DexProtector has been evaluated and approved as a software protection solution through EMVCo SBMP for five years in a row. A mobile payment security pioneer, DexProtector was the first solution to achieve this evaluation by EMVCo for both platforms, Android and iOS.
The Licel vTEE has also been evaluated and approved by EMVCo for both Android and iOS, under EMVCo SBMP TEE. It is currently the only TEE of any kind with this approval.
1B-2 Software-Protected Cryptography
Requirement
Another way to protect cryptographic operations and sensitive assets is through software protections, such as software-protected cryptography, where the cryptographic functions and storage methods used to protect the cryptographic keys are obfuscated such that extraction of the sensitive assets or tracing of the execution flow of the cryptographic process is rendered computationally expensive.
This includes systems such as white-box cryptography, and implementations where cryptographic operations are executed in a software-protected execution environment, such as a vTEE.
Solution
The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented. Cryptographic operations, key material, and the execution of sensitive cryptographic algorithms are isolated and secured against external threats.
As a software-based alternative to hardware-backed keystores, TEEs, and HSMs, the Licel vTEE also provides the opportunity for instant updates and upgrades.
Module 1C: Attestation and Monitoring Software
Requirement
Attestation provides necessary assurance to the verifier that established and expected security controls at the prover are in an acceptable state and have not been tampered with.
There are two types of attestation in MPoC Solutions: one where the goal is to assess the integrity of the COTS-based MPoC Software, and one where the goal is to assess the integrity of the COTS platform.
Solution
Alice Threat and Device Intelligence enables you to increase observability over usage of your mobile apps, to identify malware, compromised devices, and suspicious activity, and to assess risk factors for each user session in real-time and retrospectively.
You can use the Alice API to retrieve Device Intelligence data for the current session and evaluate the risk profile. This profile encompasses a multitude of factors, enabling the system to assess the device's risk level comprehensively.
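The two attestation types described in the Module 1C requirement (software integrity and platform integrity) and the verifier-side risk evaluation mentioned above can be shown together as a prover/verifier exchange. The Python below is an added example, not Licel code and not the Alice API; the device key, the sample software image, the nonce lifetime and the set of compromise signals are all constructed assumptions. The prover measures its software image and platform state and authenticates the measurements together with a verifier-issued nonce; the verifier rejects replayed or stale nonces, bad MACs, unexpected software hashes and compromised platforms, and reports which of the two checks failed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-device key shared by the prover (the MPoC software on the COTS
# device) and the verifier (the attestation service). Real deployments provision
# it per device into protected storage; it is an inline constant only so the
# example runs offline.
DEVICE_KEY = bytes.fromhex("0f" * 32)

# Constructed stand-in for the listed software build. The verifier stores only
# the expected hash, never the image itself.
GENUINE_SOFTWARE = b"mpoc-app-release-1.2.3 (constructed sample image)"
EXPECTED_SOFTWARE_HASH = hashlib.sha256(GENUINE_SOFTWARE).hexdigest()

# Platform findings that mean the execution environment cannot be trusted
# (constructed list for the example).
COMPROMISE_SIGNALS = {"rooted", "jailbroken", "emulator",
                      "debugger_attached", "hooking_framework"}

NONCE_TTL_SECONDS = 60  # assumed challenge lifetime


def _canonical(nonce, software_hash, platform_signals):
    """Deterministic byte string covered by the report MAC."""
    return "|".join([nonce, software_hash, ",".join(sorted(platform_signals))]).encode()


def build_report(nonce, software_bytes, platform_signals, key=DEVICE_KEY):
    """Prover side: measure software and platform, bind both to the nonce."""
    software_hash = hashlib.sha256(software_bytes).hexdigest()
    signals = sorted(set(platform_signals))
    mac = hmac.new(key, _canonical(nonce, software_hash, signals), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "software_hash": software_hash,
            "platform_signals": signals, "mac": mac}


class Verifier:
    """Verifier side: issues single-use nonces and checks returned reports."""

    def __init__(self, key=DEVICE_KEY, expected_software_hash=EXPECTED_SOFTWARE_HASH):
        self.key = key
        self.expected_software_hash = expected_software_hash
        self._issued = {}  # nonce -> issue time; removed once consumed

    def issue_challenge(self, now=None):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = time.time() if now is None else now
        return nonce

    def verify_report(self, report, now=None):
        now = time.time() if now is None else now
        # A nonce is consumed on first use, so a replayed report is unknown.
        issued_at = self._issued.pop(report["nonce"], None)
        if issued_at is None:
            return {"verdict": "reject", "reason": "unknown or replayed nonce"}
        if now - issued_at > NONCE_TTL_SECONDS:
            return {"verdict": "reject", "reason": "stale nonce"}
        expected_mac = hmac.new(
            self.key,
            _canonical(report["nonce"], report["software_hash"], report["platform_signals"]),
            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, report["mac"]):
            return {"verdict": "reject", "reason": "bad mac"}
        # Attestation type 1: is this the listed software build?
        software_ok = report["software_hash"] == self.expected_software_hash
        # Attestation type 2: is the platform in an acceptable state?
        compromised = sorted(COMPROMISE_SIGNALS.intersection(report["platform_signals"]))
        platform_ok = not compromised
        return {"verdict": "accept" if software_ok and platform_ok else "reject",
                "software_ok": software_ok, "platform_ok": platform_ok,
                "compromise_signals": compromised}


if __name__ == "__main__":
    verifier = Verifier()
    report = build_report(verifier.issue_challenge(), GENUINE_SOFTWARE, [])
    print("genuine:", verifier.verify_report(report))
    print("replay:", verifier.verify_report(report))
    rooted = build_report(verifier.issue_challenge(), GENUINE_SOFTWARE, ["rooted"])
    print("rooted:", verifier.verify_report(rooted))
```

The MAC covers the nonce, the software hash and the platform signals together, so none of the three can be swapped independently, and the verifier's output separates the software verdict from the platform verdict, which is the information a monitoring service needs to decide whether a session is a tampered build, a compromised device, or both.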
Complete protection for both apps and SDKs
Domain 2 of PCI MPoC focuses on SDK Integration. This section of the standard explores some of the differences between security requirements for monolithic solutions and MPoC software that integrates a listed MPoC SDK.
Licel solutions are equally effective at securing individual applications and integrated SDKs. They are designed to secure at a fundamental level, and their advanced protection mechanisms are highly effective regardless of the software architecture. That means they can be adapted to various MPoC compliance scenarios.
Facilitating PCI MPoC compliance: the big picture
Achieving and maintaining compliance with PCI MPoC standards can be a complex and resource-intensive process for software developers and vendors. At Licel, we understand the challenges you face in this dynamic environment. Our solutions are designed not only to ensure compliance but also to make the whole process easier and more cost-effective.
Simplifying compliance
Licel solutions have also undergone rigorous evaluations and have been approved by EMVCo, reflecting our own commitment to high security standards. By integrating our solutions, you leverage pre-validated security frameworks that closely align with PCI MPoC requirements. This can significantly reduce the number (and complexity) of security assessments your apps need to undergo, speeding up time to market and reducing development costs.
Ongoing compliance assistance
Compliance isn’t a one-time thing. It’s a continuous commitment. Licel products are designed to evolve in response to both emerging threats and changes in standards, which helps make sure your application remains compliant over time. We provide regular updates and insights into security trends, helping you stay ahead of potential vulnerabilities.
Cost-effective strategy
We know the cost of developing and maintaining a secure payment application can escalate quickly, especially when aiming to meet stringent standards like those set by PCI MPoC. Integrating Licel solutions can help you mitigate these costs. They reduce the need for extensive custom development and repeated security validations, which can be both time-consuming and expensive.
Get a competitive edge
Compliance with PCI MPoC not only enhances the security profile of your products but also boosts customer confidence and trust in your solutions. It positions your business as a leader in secure mobile payment solutions.
Let us help you navigate the complexities of PCI MPoC compliance.
Discover how our solutions can simplify your compliance journey.