This and other technologies are increasing market access by providing convenience and ease-of-use. Using smartphones as payment terminals has quickly become a sizable business opportunity for both solution developers and merchants.
Smartphones as payment terminals
There are three main solution types: software-based PIN entry on COTS, Tap-on-Phone, and Tap-on-Phone with PIN entry. Each solution supports different use cases and has a different risk profile and corresponding security needs.
The popularity of smartphone-based payment terminals is largely driven by the expected cost reduction for payment terminals, the convenience for small and medium-sized merchants of accepting card-based transactions on their own smartphones, and the potential for integration with other value-added services (e.g. loyalty programs).
New technologies and innovations bring new risks as well. When securing such smartphone-based solutions, it is important to understand what attackers are capable of, which risks need to be considered, and how you can protect your solution against them. Some of the most common risks are skimming, unauthorized transactions and relay attacks. Currently, several standards have been developed, by both the card networks and the Payment Card Industry Security Standards Council (PCI SSC), that address concerns from across industries regarding software-based PIN entry (SPOC) and contactless solutions (Tap-to-Phone and CPOC). The Tap-on-Phone solution faces many security risks, such as fake payments, refund attacks, collection of card data and blocking of the merchant's account.