Security implications of accepting transactions on smartphones

One of the most exciting innovations in the payment chain for retailers today is the potential of using commercial off-the-shelf (COTS) smartphones as Point-of-Sale terminals, also known as mobile PoS (mPoS). This is often referred to as Tap-to-Phone or Contactless Payment on COTS (CPOC). In this whitepaper, Riscure experts discuss this huge opportunity, which started with the chip card migration in the United States, and the security concerns that it creates.

This and other technologies are increasing market access by providing convenience and ease-of-use. Using smartphones as payment terminals has quickly become a sizable business opportunity for both solution developers and merchants.

Smartphones as payment terminals

There are three main solution types: Software-based PIN entry on COTS, Tap-on-Phone, and Tap-on-Phone with PIN entry. Each solution supports different use cases and has a different risk profile and, consequently, different security needs.

The popularity of smartphone-based payment terminals is largely driven by the expected cost reduction for payment terminals, the convenience for small and medium-sized merchants of accepting card-based transactions on their own smartphones, and the potential for integration with other value-added services (e.g. loyalty programs).

Security concerns

With new technologies and innovations, new risks arise as well. When it comes to securing such smartphone-based solutions, it is important to understand what attackers are capable of, which risks need to be considered, and how you can protect your solution against them. Some of the most common risks are skimming, unauthorized transactions and relay attacks. Currently, there are several standards, developed by both the card networks and the Payment Card Industry Security Standards Council (PCI SSC), that address concerns from across industries regarding software-based PIN entry (SPOC) and contactless solutions (Tap-to-Phone and CPOC). The Tap-on-Phone solution faces many security risks, such as fake payments, refund attacks, collection of card data, and blocking of the merchant's account.