Smartphone ownership in the UK has reached a record high, and is driving the payments industry towards a new â€˜mobile era' in payment acceptance. Mobile point of sale (mPOS) technology has now evolved to gain a foothold with larger retailers, though its impact is arguably most profound amongst its initial target market – small enterprises and micro businesses. For years, these smaller merchants have been excluded from the world of card payments, forced to rely on cash or cheque payment. mPOS technology has the potential to revolutionise this landscape, allowing much greater flexibility for merchants, who can use portable card readers in conjunction with smartphones or tablets to accept payments. But does this flexibility and reduced cost come at the expense of crucial cardholder data protection?
Consumer devices have been creeping into the business world for many years, with concern often expressed that the increasingly blurred lines between personal and business technology may introduce security weaknesses. However, this is far from the case with mPOS solutions, which often deliver stronger security benefits than the legacy POS infrastructure.
Unlike most conventional POS terminals deployed today, all leading mPOS solutions implement Point to Point Encryption (P2PE). Cardholder data is encrypted at point of capture – the very first opportunity you have to protect it – and remains protected as it flows through the merchant's IT systems to the payment processor. With no cleartext data passing through (or stored in) the merchant environment, the burden of PCI DSS compliance is significantly reduced, taking the smartphone or tablet out scope for further certifications. By contrast, a retrospective upgrade of existing terminals to support P2PE is often not easy or cost effective to achieve due to the complex infrastructure involved.
Another key advantage of mPOS technology from a security perspective is that it employs the latest advances in remote key injection. Often with traditional POS terminals the cryptographic keys are manually loaded on the merchant premises by a third party service organisation. This is a complex procedure for payment service providers (PSPs) to oversee and introduces a â€˜chain of trust'. This brings potential for human error or even deliberate injection of malware by rogue staff. Conversely, mPOS technology relies on remote key injection – online configuration over the internet using PKI techniques – making use of proven security methods to reduce the expense, hassle and downtime of shipping terminals to secure facilities and activating in store
The use of a hardware security module (HSM) provides an additional layer of security at the payment gateway. An HSM protects keys and sensitive data within a small, tightly secured area within the device. The interactions with the merchant and the acquirer systems can be separated, insulating sensitive keys from any attack on the merchant network.
mPOS technology opens the door for the smallest merchants to enjoy increased flexibility and mobility, as well as allowing them to benefit from the security benefits that come with accepting cards, both magnetic stripe and EMV chip, at an attractive price.
This Guest post came courtesy of mobile payments security specialist Ian Hermon from Thales e-Security