Home Publications Business Security implications of accepting transactions on smartphones

Security implications of accepting transactions on smartphones

Author: Riscure Team

One of the most exciting innovations in the payment chain for retailers today is the potential of utilizing commercial-of-the-shelf (COTS) smartphones for Point-of-Sale terminals, also known as mobile PoS (mPoS). This is often referred to as Tap-to-Phone or Contactless Payment on COTS (CPOC). In this whitepaper, Riscure experts discuss this huge opportunity that started with the chip card migration in the United States , and the security concerns that it creates.

This and other technologies are increasing market access by providing convenience and ease-of-use. Using smartphones as payment terminals has quickly become a sizable business opportunity for both solution developers and merchants.

Smartphones as payment terminals

There are three main solution types, including Software-based PIN entry on COTS, Tap-On-Phone, and Tap-on-Phone with PIN entry. Each solution supports a different use cases and has a different risk profile and subsequent security needs.

The popularity for smartphone based payment terminals is largely driven by the expected cost reduction for payment terminals, convenience for the small and medium size merchant to accept card based transactions on their own smartphones and the potential for integration with other value-added services (e.g. loyalty programs).

Tap-to-Phone and CPOC

With new technologies and innovations, new risks arise as well. When it comes to securing such smartphone based solutions, it is important to understand what attackers are capable of, which risks need to be considered and how you can protect your solution against all this.  Some of the most common risks would be skimming, unauthorized transactions and relay attacks. Currently, there are several standards developed, by both the card networks and the Payment Card Industry Security Standards Council (PCI SSC), that address concern from across industries regarding software-based PIN entry (SPOC) and contactless solutions (Tap-to-Phone and CPOC). The Tap-on-Phone solution faces a lot of security risks like fake payments, refund attacks, collection of card data, block of merchant’s account.

Recent publications

Share This