Securing Your SoftPOS Solution:
The Path to PCI MPoC Certification.
Reliable security can help to enable and maintain SoftPOS growth.
The SoftPOS market is well established and is growing fast. Two trends in particular are helping to give it a push:
Apple opening up NFC to the EU market:
The tech giant has agreed to allow its NFC technology to be used outside of Apple Pay or Apple Wallet. This will boost the SoftPOS industry as third-party apps will be able to use the iOS NFC chip directly, easily transforming iOS devices into payment terminals.
PIN-On-Glass technology:
PIN-On-Glass can introduce SoftPOS to vendors selling higher-priced goods and services, or accepting payments where the issuer requires a PIN to confirm every transaction. This widens the potential use of SoftPOS solutions and helps with scalability.
Mobile phones are not designed to process payments securely like card readers are. They cannot be trusted without enhanced protection.
This fact emphasizes the need for balance between innovation, functionality, and security in the SoftPOS market.
In the following paragraphs we’ll explore how the PCI MPoC certification helps to find this balance. We’ll also explain how Licel mobile payment security solutions are tailor-made for your MPoC certification needs.
Introducing PCI MPoC.
PCI MPoC represents an evolution of previous PCI regulations such as SPoC and CPoC. The Mobile Payments on COTS (commercial off-the-shelf) regulation is focused specifically on devices such as smartphones and tablets. It exists to help make sure that payment solutions on these devices are safe and reliable.
PCI MPoC is objective-based: rather than prescribing one design, it allows different MPoC products to be designed and implemented, and it encourages developers to create a cost-prohibitive environment for attackers. So, the harder (and more expensive) you make it for bad actors to successfully attack your solution and scale their attacks, the more points you attain toward achieving MPoC compliance.
PCI MPoC categorizations.
A big part of the regulation is how MPoC products are categorized:
- MPoC Software Product
- MPoC Attestation and Monitoring Service
- MPoC Solution
This approach allows for a flexibility that can lead to a natural diversity in the type of MPoC solutions created depending on the specific market need. SoftPOS solutions could potentially fit into all three categories, depending on the scope.
By covering all three categories, you can prove you have created a secure, compliant, and comprehensive payment solution. After all, the three categories cover the full spectrum of requirements, from software functionality to ongoing security monitoring and overall solution integrity.
The importance of integrity control and threat monitoring.
Let’s focus on one of these three PCI MPoC categories:
The Attestation and Monitoring Service is all about checking for tampering, monitoring for security threats, and making sure software updates maintain compliance.
In other words, integrity control and threat monitoring are key facets of this category of the PCI MPoC regulation. At Licel we see both as being fundamental to overall mobile channel security.
We believe that without integrity control, there can be no such thing as security whatsoever. That’s why DexProtector carries out integrity checks before each application launch to make sure nothing has been modified illegally.
And monitoring is covered by our Alice Threat Intelligence platform. It constantly scans the changing threat landscape around your SoftPOS solution and provides actionable, real-time insights to improve your security posture.
Licel’s security solutions can fast-track your path to PCI MPoC certification.
Licel’s suite of mobile channel protection solutions is ideally placed to speed up your time-to-market journey and save you money along the way.
Read on and we’ll highlight some of the key requirements in PCI MPoC and explain how each of our mobile channel security solutions solves the challenge.
1B-1.3 Platform-based security mechanisms relied upon by the MPoC SDK to protect the assets must be evaluated.
Examples of certifications that may be acceptable include, but are not limited to:
- Common Criteria (at EAL4 with AVA_VAN.5)
- Common Criteria with Global Platform TEE PP
- EMVCo Chip and Global Platform
- EMVCo SBMP for TEE
- PCI-PTS POI, PCI HSM
- FIPS 140-2/FIPS 140-3 (Level 3+)
The Licel vTEE holds an EMVCo SBMP for TEE Evaluation Certificate.
Our revolutionary virtual TEE provides logical and reliable security features to isolate your SoftPOS application’s execution environment, guaranteeing safe transactions.
A unique security mechanism in the market, our EMVCo-evaluated and approved vTEE can go a long way toward making sure your SoftPOS solution achieves PCI MPoC certification.
In addition, our mobile application protection solution, DexProtector, has held the EMVCo SBMP for SPT Evaluation Certificate for Android and iOS for four consecutive years.
1B-1.5 The MPoC SDK must be resistant to reverse engineering and cover all security-sensitive areas and sensitive assets.
Requirement
Where obfuscation is used as a security feature, the tester must confirm through examination and observation that the transformations applied by the obfuscator include the ability to:
- Hide data, such as (but not necessarily limited to) function/method names, strings, other data, and assets.
- Modify the code flow of the MPoC SDK.
If the MPoC SDK is provided as a number of files (libraries), the calls and interfaces between the libraries are required to be obfuscated as well.
Solution
DexProtector is designed to stop reverse engineering and tampering. It uses code-hardening techniques such as obfuscation, encryption, virtualization, and isolation to make it almost impossible for an attacker to identify sensitive code.
Obfuscation and encryption cover strings, classes, resources, method calls, and sensitive assets. This applies to applications, SDKs, and libraries for both Android and iOS.
1B-1.7 The MPoC SDK must implement methods to detect compromised platforms, and maintain the security of assets if such platforms are detected.
Requirement
Some MPoC platforms provide attestation functions that can be used by applications to assess the platform integrity.
Solution
DexProtector’s embedded Runtime Engine and security modules protect apps and SDKs dynamically as they run on users’ devices. RASP mechanisms detect dangers such as dynamic instrumentation tools, emulators, and rooted and jailbroken devices. If these threats do exist in the app or SDK’s environment, DexProtector initiates controls to disable them.
1B-1.8 After initial download and execution, the MPoC SDK installation must be securely bound to the COTS device on which it is installed.
Requirement
After the MPoC SDK is installed, it goes through a process upon first execution to uniquely bind that MPoC SDK to the specific COTS device on which it is stored.
The MPoC SDK is required to implement controls to prevent the extraction of data from the MPoC SDK such that it is not possible to create a “clone” of the MPoC SDK that is indistinguishable from the original.
Solution
The Licel vTEE binds the installation to a specific device using unique keys. This means that an attacker cannot then tamper with your SoftPOS app or SDK or carry out fraudulent activity. This initial device binding is reinforced by DexProtector’s security measures and by the anti-fraud mechanisms performed by Alice (our threat intelligence solution).
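To make the 1B-1.8 requirement concrete, here is an added simulation (not Licel’s or the MPoC standard’s code) of first-run device binding and a per-session proof of possession. The keystore class, the HMAC-based binding key, the backend master key and the device fingerprint are all assumptions standing in for a hardware keystore or vTEE and an acquirer backend; the point shown is that copying the SDK’s app-private storage to a second device yields a clone that the server can tell apart from the original.

```python
import hashlib
import hmac
import secrets

SERVER_MASTER_KEY = secrets.token_bytes(32)  # assumption: held only in the backend HSM

class DeviceKeystore:
    """Stand-in for a hardware keystore or vTEE: the key never leaves; only sign() is exposed."""
    def __init__(self):
        self._keys = {}
    def import_key(self, alias, key):
        self._keys[alias] = key
    def sign(self, alias, data):
        if alias not in self._keys:
            return None  # an install copied to another device has no binding key
        return hmac.new(self._keys[alias], data, hashlib.sha256).digest()

class BindingServer:
    def __init__(self):
        self.bindings = {}  # install_id -> per-installation binding key
    def bind(self, install_id, device_fingerprint):
        if install_id in self.bindings:  # an install id is bound exactly once
            raise ValueError("install id already bound to a device")
        key = hmac.new(SERVER_MASTER_KEY, install_id + device_fingerprint, hashlib.sha256).digest()
        self.bindings[install_id] = key
        return key  # delivered once over an assumed secure channel, straight into the keystore
    def verify(self, install_id, nonce, mac):
        key = self.bindings.get(install_id)
        if key is None or mac is None:
            return False
        expected = hmac.new(key, install_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)

def first_run(server, keystore, storage, device_fingerprint):
    """First execution: create an install id (ordinary app storage) and bind it to this device."""
    storage["install_id"] = secrets.token_bytes(16)
    keystore.import_key("binding", server.bind(storage["install_id"], device_fingerprint))

def attest(server, keystore, storage, nonce):
    """Each session: prove possession of the device-bound key over a server-issued nonce."""
    install_id = storage["install_id"]
    return server.verify(install_id, nonce, keystore.sign("binding", install_id + nonce))

def demo():
    server, genuine_ks, genuine_store = BindingServer(), DeviceKeystore(), {}
    first_run(server, genuine_ks, genuine_store, b"device-A-fingerprint")
    clone_ks, clone_store = DeviceKeystore(), dict(genuine_store)  # attacker copied app files to device B
    nonce = secrets.token_bytes(16)  # fresh server challenge per session
    return attest(server, genuine_ks, genuine_store, nonce), attest(server, clone_ks, clone_store, nonce)
```

Running demo() returns (True, False): the genuine installation answers the challenge, the clone cannot, and a second bind attempt with the copied install id is refused by the server.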
1B-1.11 When any part of the MPoC SDK functionality is implemented outside the REE, that code must also be protected against tampering and must handle input data securely.
Requirement
Compliance with this requirement may be achieved through demonstration of previous evaluations, such as through EMVCo SBMP, GP, or similar schemes. Documentation needs to clearly include authenticatable evidence of such evaluation (i.e., a vendor assertion of evaluation or compliance is insufficient).
Solution
DexProtector has been evaluated and approved as a software protection solution through EMVCo SBMP for four years in a row. A mobile payment security pioneer, DexProtector was the first solution to achieve this evaluation by EMVCo for both platforms, Android and iOS.
1B-2 Software-protected cryptography
Requirement
Another way to protect cryptographic operations and sensitive assets is through software protections, such as software-protected cryptography, where the cryptographic functions and storage methods used to protect the cryptographic keys are obfuscated such that extraction of the sensitive assets or tracing of the execution flow of the cryptographic process is rendered computationally expensive.
This includes systems such as white-box cryptography, and implementations where cryptographic operations are executed in a software-protected execution environment, such as a vTEE.
Solution
With Licel’s vTEE and CryptoModule, white-box cryptography and a virtual trusted execution environment are automatically implemented to protect cryptographic keys and other key material, and the execution of sensitive cryptographic algorithms.
As a software-based alternative to hardware-backed keystores, TEEs, and HSMs, the Licel vTEE also provides the opportunity for instant updates and upgrades. It is currently the only virtual TEE on EMVCo's list of SBMP for TEE evaluated and approved products.
Get complete mobile channel protection for your SoftPOS solution.
DexProtector: the complete package for app and SDK security.
DexProtector is a no-code security solution for Android and iOS applications, SDKs, and libraries. Its core mechanisms include integrity control, obfuscation, encryption, anti-tampering, anti-debugging, root detection, anti-instrumentation, anti-emulation, and SSL pinning.
Its anti-malware, UI protection, API protection, and Device ID capabilities represent the cutting-edge of mobile application protection.
DexProtector provides the core security foundations to help you achieve PCI MPoC certification.
Alice Threat Intelligence: real-time reporting about the threat landscape.
Alice is a threat intelligence and monitoring solution that receives and analyzes incident insights from DexProtected applications.
Its data about the threats facing your app and the wider industry helps you to bridge the gap between vigilance and action. Alice empowers you to strengthen your security posture both now and in the near future.
Alice represents a key facet of PCI MPoC’s Attestation and Monitoring Service requirement.
The Licel vTEE: designed to facilitate secure mobile transactions.
The Licel vTEE provides a secure execution environment where trusted applications can perform sensitive transactions and operations.
Designed to satisfy both PCI and EMVCo requirements, the Licel vTEE is faster and more flexible than hardware TEEs. This flexibility can help to fast-track your certification bid.
Speaking of certification, the Licel vTEE has been evaluated and approved under EMVCo’s SBMP for TEE category.
Holistic security solutions to protect the whole mobile channel.
Licel’s security solutions safeguard against some of the most sophisticated threats mobile wallet apps, mobile banking apps, and SoftPOS solutions are likely to face.
Below, we’ll cover some of the most common concerns that we hear from our clients who are aiming to get PCI MPoC certification for their SoftPOS solution. Please do get in touch with us if you have other queries that aren’t covered here.
“We need a security solution that will work on both platforms — Android and iOS.”
Licel’s security solutions are device and platform independent; they work just as well on both platforms. DexProtector, for example, is set up to run seamlessly on iOS, with no need for bitcode or awkward SDKs. It was also the first software protection tool to be evaluated by EMVCo for both Android and iOS and was recently re-approved for the 4th year in a row.
“We need to stop the damaging impact of mobile fraud.”
Licel’s mobile-channel protection solutions provide robust defense against the growing threat of fraud.
Alice informs you about current and emerging threats to your SoftPOS solution, be that dangerous malware variants or new types of attacks that target mobile transaction systems. And DexProtector’s root and branch security mechanisms make fraud infinitely more difficult for bad actors to achieve.
“We need to mitigate the mobile malware threat.”
Licel’s anti-malware approach involves both Alice and DexProtector.
Among other attack data, Alice Threat Intelligence reports on the latest trojans that pose a risk to your SoftPOS solution so that you’re one step ahead and can configure your security posture effectively. The latest Alice anti-malware updates even enable you to configure your application protection behavior based on the category of malware it has detected.
DexProtector mitigates the malware threat in two main ways:
Firstly, its runtime engine scans devices for malware and potentially harmful apps; if it finds something, then depending on the configuration it either closes the app or reports the incident, together with the data of its findings, to the host app. Secondly, DexProtector uses UI protection to prevent malware from carrying out its go-to methods of capturing the screen or logging keystrokes (for example the PIN entered by end users).
“We want to protect our IP.”
We understand that your competitive advantage lies in your intellectual property — and that needs to remain hidden from bad actors.
DexProtector’s code hardening and runtime protection mechanisms stop attackers from reverse engineering, tampering with, and stealing IP.
“We’re concerned about man-in-the-middle attacks and other network threats.”
DexProtector’s communication hardening measures (Certificate Transparency and Public Key Pinning) stop bad actors from intercepting sensitive materials and data travelling from the application to the backend.
“We need to speed up our PCI MPoC certification bid and get to market sooner.”
At Licel we have a strong track record of helping SoftPOS solutions attain PCI MPoC certification speedily, saving our clients both time and money.
The fact that our solutions hold respected industry approval themselves (including EMVCo’s SBMP and SBMP for TEE Evaluation Certificates) means that certification labs already know that our solutions meet the most stringent PCI MPoC requirements. This acts as a significant time saver in the certification process and can also save you money as you won’t need to apply more than once.
Our protection products are easy to test and integrate. DexProtector can be run locally and offline, integrated automatically with Android Studio or Xcode, or simply included as part of your CI/CD builds. It’s also a no-code solution that applies protection automatically to APKs, AABs, AARs, IPAs, Frameworks, and XCFrameworks.