Security Is King for Mobile Point of Sale (mpos)

Jeremy Gumbley, CTO CreditCall

Jeremy Gumbley

Mobile devices are having an extraordinary impact at point of sale, transforming the user interface and payment experience for customers of small merchants and larger retailers alike. For small businesses, this technology opens up a window to convenience and security benefits previously only enjoyed by larger players, allowing a move away from reliance on cash or cheques. Although mPOS technology was initially developed for and aimed at this group, it is now turning heads amongst larger retailers, who have seen the potential of mobile payment acceptance to streamline their in-store transactions and enhance customer relationships.

Security is clearly of utmost importance when dealing with sensitive cardholder data, though this is particularly true with the introduction of a mobile device into the payment process. Mobile devices are primarily designed for consumer usage, and are inherently insecure. Any credit card information stored in a smartphone or tablet would be much more vulnerable to malware, Trojans, backdoors and other advanced malicious threats than a traditional POS terminal.

Ensuring watertight data security was the primary challenge for CreditCall in developing our CardEase Mobile solution. To ensure the highest levels of data protection, CardEase Mobile makes use of hardware- based encryption. This takes the mobile device and associated PIN pad out of the equation, creating a Point-to-Point Encryption (P2PE) zone between the card acceptance point and the payment gateway. Cardholder information is uniquely encrypted from the moment the card is swiped and transmitted, and remains protected as it flows through the rest of the payment processing chain. The information is not decrypted until it reaches the small and highly secured area within a Thales hardware security module (HSM), which means that sensitive data is never visible in its cleartext, non-encrypted form outside of the security boundaries of our payment gateway. This separation between merchant and acquirer has an additional benefit for the retailer, reducing the scope, complexity and cost of their PCI DSS certifications.

Widespread adoption of any new technology that affects the interaction between a consumer and a third party, particularly where there is a financial transaction at stake, must first overcome the ‘chicken and egg’ scenario – it must be made an option before consumers know they want it, yet merchants are reluctant to invest until they are sure the market demand will be there. It could be argued that mPOS technology breaks the mould in this respect. The familiar user interface – insert card into a physical reader and provide PIN – requires less ‘buy-in’ from the consumer, who is presented with a very similar interface to the traditional POS terminal, and therefore more likely to trust its credentials from a security perspective.

At the back end, there can be no doubt that mPOS has increased the complexity of the POS environment. However, with the future of payment lying firmly in mobile, merchants have no choice but to navigate the new and complex risk environment. With little consumer resistance, the market is set for takeoff. With the latest advances in encryption technology, merchants have all the tools at their disposal to guarantee the highest level of security for sensitive cardholder data, whilst maximising the as yet untapped potential of mPOS to drive and grow their business.

Jeremy Gumbley, CTO CreditCall

Jeremy Gumbley

Mobile devices are having an extraordinary impact at point of sale, transforming the user interface and payment experience for customers of small merchants and larger retailers alike. For small businesses, this technology opens up a window to convenience and security benefits previously only enjoyed by larger players, allowing a move away from reliance on cash or cheques. Although mPOS technology was initially developed for and aimed at this group, it is now turning heads amongst larger retailers, who have seen the potential of mobile payment acceptance to streamline their in-store transactions and enhance customer relationships.

Security is clearly of utmost importance when dealing with sensitive cardholder data, though this is particularly true with the introduction of a mobile device into the payment process. Mobile devices are primarily designed for consumer usage, and are inherently insecure. Any credit card information stored in a smartphone or tablet would be much more vulnerable to malware, Trojans, backdoors and other advanced malicious threats than a traditional POS terminal.

Ensuring watertight data security was the primary challenge for CreditCall in developing our CardEase Mobile solution. To ensure the highest levels of data protection, CardEase Mobile makes use of hardware- based encryption. This takes the mobile device and associated PIN pad out of the equation, creating a Point-to-Point Encryption (P2PE) zone between the card acceptance point and the payment gateway. Cardholder information is uniquely encrypted from the moment the card is swiped and transmitted, and remains protected as it flows through the rest of the payment processing chain. The information is not decrypted until it reaches the small and highly secured area within a Thales hardware security module (HSM), which means that sensitive data is never visible in its cleartext, non-encrypted form outside of the security boundaries of our payment gateway. This separation between merchant and acquirer has an additional benefit for the retailer, reducing the scope, complexity and cost of their PCI DSS certifications.

Widespread adoption of any new technology that affects the interaction between a consumer and a third party, particularly where there is a financial transaction at stake, must first overcome the ‘chicken and egg’ scenario – it must be made an option before consumers know they want it, yet merchants are reluctant to invest until they are sure the market demand will be there. It could be argued that mPOS technology breaks the mould in this respect. The familiar user interface – insert card into a physical reader and provide PIN – requires less ‘buy-in’ from the consumer, who is presented with a very similar interface to the traditional POS terminal, and therefore more likely to trust its credentials from a security perspective.

At the back end, there can be no doubt that mPOS has increased the complexity of the POS environment. However, with the future of payment lying firmly in mobile, merchants have no choice but to navigate the new and complex risk environment. With little consumer resistance, the market is set for takeoff. With the latest advances in encryption technology, merchants have all the tools at their disposal to guarantee the highest level of security for sensitive cardholder data, whilst maximising the as yet untapped potential of mPOS to drive and grow their business.