
Attestation & Monitoring - the secret sauce of SoftPOS

Tue Apr 12 2022 | Blog

Software-based point-of-sale (SoftPOS) payment solutions are gaining traction as consumers move from contact to contactless payments. Unlike traditional POS terminals, they let merchants accept contactless payments on Commercial-Off-The-Shelf (COTS) mobile devices without investing in additional hardware.

However, the payment industry must address concerns about payment security. Cardholders want to know that their data is secure, and merchants are worried about fraudulent transactions. Like any other app, a SoftPOS payment solution running on a COTS mobile device is exposed to cyberattacks, and insufficient security can lead to the theft of sensitive cardholder information.

PCI, Visa, and Mastercard set stringent security requirements that every SoftPOS solution must meet to obtain certification. Code hardening, runtime application self-protection (RASP), and threat monitoring are required to protect the payment application, and all of these are available in a pre-certified SDK. The most critical security component, however, is the Attestation and Monitoring (A&M) back-end: the A&M Server-as-a-Service continuously safeguards the overall infrastructure of the SoftPOS solution.

Even so, in-app security alone is not enough to protect users from cyberthreats and fraud. Zimperium reports that 14% of mobile apps are misconfigured, potentially exposing users' personal information, and users put themselves at risk by choosing weak passwords and failing to apply the latest security patches to their apps and mobile devices.

To maximise merchant payment acceptance rates, payment solutions must integrate the latest technology for fraud prevention and risk-based transaction approval. The A&M server, hosted by the SoftPOS SDK provider, is continuously validated and updated against the latest security findings, and it checks both the COTS device and the application for vulnerabilities.

Payment service providers must also demonstrate a competitive advantage, and the A&M business logic is where they can do so. Configuring the A&M algorithms and the risk-based decision process so that they balance security against user-friendliness is the secret sauce of an A&M Server-as-a-Service provider.

The diagram below introduces the general architecture of a typical SoftPOS solution, which consists of a payment application, a payment backend, and the Attestation and Monitoring (A&M) backend.

  1. Software protection that monitors the health and integrity of the SoftPOS app and the COTS device. Real-time data from the device and the application is collected, shared, and analysed by the in-SDK attestation engine, and the payment backend checks the A&M server for app integrity before accepting a transaction request from the SoftPOS application.
  2. A secure communication protocol such as Transport Layer Security (TLS) to protect information exchanged between the SoftPOS app and the backend system. The MineSec SoftPOS SDK uses TLS to establish a secure link between the application and the backend so that account data is protected in transit.
  3. Cryptographic key management that protects sensitive data such as cryptographic keys, account data, and configuration. The SoftPOS SDK keeps its keys in a white-box implementation or in a hardware-backed keystore to resist key extraction and fraudulent backend transactions, while the A&M server provides the checks that verify whether a transaction originates from a genuine application instance.
  4. Support in the A&M server for a baseline COTS configuration. The design of the A&M SaaS system gives the flexibility to enforce strong security protection while adapting to country-specific requirements.
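As an added illustration of point 1 (this is example code, not MineSec's SDK or the A&M server's actual protocol), the following Python sketch shows the attestation exchange end to end: the in-SDK engine reports integrity signals to the A&M server, the A&M server returns a signed, short-lived verdict bound to the device and to a per-transaction nonce, and the payment backend verifies that verdict before it processes the transaction. The signal names, the HMAC-based verdict signature, the 60-second lifetime, and the nonce flow are all assumptions made for the example; a production A&M server would sign verdicts with an asymmetric key so that the payment backend can verify them without holding a secret that could mint them.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the A&M server and the payment backend.
# Assumption for the example only: a real A&M server would sign verdicts with an
# asymmetric key so that the payment backend can verify but never mint them.
AM_SIGNING_KEY = b"demo-attestation-signing-key"
TOKEN_TTL_SECONDS = 60

# Integrity signals the in-SDK engine is assumed to report (names are invented).
INTEGRITY_FLAGS = ("rooted", "debugger_attached", "hooking_framework", "app_tampered")


def new_nonce():
    """Per-transaction nonce. In this constructed flow the payment backend hands it
    to the app when a transaction session opens, so a verdict can be used only once."""
    return secrets.token_hex(16)


def collect_device_report(device_id, signals, nonce):
    """What the SoftPOS app sends to the A&M server (constructed shape)."""
    return {"device_id": device_id, "nonce": nonce, "signals": dict(signals)}


def am_attest(report, now=None):
    """A&M server: evaluate the integrity signals and issue a signed verdict token."""
    now = int(time.time()) if now is None else now
    failed = [flag for flag in INTEGRITY_FLAGS if report["signals"].get(flag)]
    verdict = {
        "device_id": report["device_id"],
        "nonce": report["nonce"],
        "issued_at": now,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "status": "trusted" if not failed else "blocked",
        "failed_checks": failed,
    }
    # Canonical serialisation so the MAC covers exactly the bytes the backend parses.
    payload = json.dumps(verdict, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(AM_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def payment_backend_accept(tx, token, now=None):
    """Payment backend: check the A&M verdict before processing a transaction.

    Returns (accepted, reason). Checks are ordered so that an unauthenticated
    token is rejected before any of its contents are trusted.
    """
    now = int(time.time()) if now is None else now
    expected = hmac.new(AM_SIGNING_KEY, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "bad_signature"
    verdict = json.loads(token["payload"])
    if verdict["device_id"] != tx["device_id"]:
        return False, "device_mismatch"   # verdict was issued for another device
    if verdict["nonce"] != tx["nonce"]:
        return False, "nonce_mismatch"    # replayed verdict from an older session
    if now >= verdict["expires_at"]:
        return False, "token_expired"     # stale verdict, the device must re-attest
    if verdict["status"] != "trusted":
        return False, "attestation_failed:" + ",".join(verdict["failed_checks"])
    return True, "ok"


def demo():
    """Walk a healthy device, a rooted device and a replay through the exchange."""
    healthy = {flag: False for flag in INTEGRITY_FLAGS}
    nonce = new_nonce()
    token = am_attest(collect_device_report("pos-0001", healthy, nonce))
    tx = {"device_id": "pos-0001", "nonce": nonce, "amount_minor": 1250}
    rooted_token = am_attest(collect_device_report("pos-0001", dict(healthy, rooted=True), nonce))
    return {
        "healthy": payment_backend_accept(tx, token),
        "rooted": payment_backend_accept(tx, rooted_token),
        "replayed": payment_backend_accept(dict(tx, nonce=new_nonce()), token),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>8}: {result}")
```

The order of checks in `payment_backend_accept` is the point worth copying: signature first, then binding to the device and the transaction nonce, then freshness, and only then the verdict itself. Skipping the nonce binding would let a verdict captured from a healthy session be replayed after the device has been rooted, which is exactly the gap continuous attestation is meant to close.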

Data-driven approach to secure contactless payments

The A&M server dashboard gives payment service providers a holistic, real-time view of their SoftPOS application's adoption rate and usage. From the charts displayed they can easily see device information such as operating system, SDK, and application versions.

From a security perspective, the payment service provider's administrator can also use the portal to refine configuration rules, for example blocking transactions from payment devices that run outdated operating-system, SDK, or application versions.
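As an added example (not the A&M portal's actual rule format or MineSec's code), here is how such a configuration rule can be expressed and evaluated: each rule names a field of the device report, a minimum version, and whether falling below it blocks the transaction or only raises a warning, and raising a baseline from the portal is modelled as producing a new policy. The field names, version strings, and the sample fleet are constructed for the illustration, and versions are assumed to be numeric dotted strings.

```python
from dataclasses import dataclass, replace


def parse_version(text):
    """'2.4' -> (2, 4, 0, 0): numeric dotted versions, zero-padded so that
    '13' and '13.0' compare equal. Assumes the report carries numeric versions."""
    parts = [int(p) for p in str(text).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class BaselineRule:
    field_name: str        # key of the device report, e.g. "os_version"
    minimum: str           # lowest version still allowed to transact
    action: str = "block"  # "block": refuse the transaction; "warn": allow but flag


@dataclass(frozen=True)
class Policy:
    rules: tuple

    def evaluate(self, report):
        """Return ('allow' | 'warn' | 'block', [reasons]) for one device report.
        A missing field fails the rule: an app that cannot say what it is
        running should not be trusted by default."""
        decision, reasons = "allow", []
        for rule in self.rules:
            value = report.get(rule.field_name)
            if value is None or parse_version(value) < parse_version(rule.minimum):
                reasons.append(f"{rule.field_name}={value!r} below baseline {rule.minimum}")
                if rule.action == "block":
                    decision = "block"
                elif decision == "allow":
                    decision = "warn"
        return decision, reasons

    def tighten(self, field_name, new_minimum):
        """What the portal does when an administrator raises a baseline."""
        rules = tuple(
            replace(r, minimum=new_minimum) if r.field_name == field_name else r
            for r in self.rules
        )
        return Policy(rules)


def gate_fleet(policy, reports):
    """Evaluate every device report and map device_id -> (decision, reasons)."""
    return {r["device_id"]: policy.evaluate(r) for r in reports}


# Constructed sample reports, as the dashboard would aggregate them.
FLEET = (
    {"device_id": "d-1", "os_version": "13", "sdk_version": "2.4.0", "app_version": "1.8.2"},
    {"device_id": "d-2", "os_version": "11", "sdk_version": "2.4.0", "app_version": "1.8.2"},
    {"device_id": "d-3", "os_version": "13", "sdk_version": "2.2.9", "app_version": "1.7.0"},
    {"device_id": "d-4", "os_version": "13", "app_version": "1.8.2"},  # sdk_version missing
)

# Initial baseline (values are invented for the illustration).
POLICY_V1 = Policy((
    BaselineRule("os_version", "11"),
    BaselineRule("sdk_version", "2.3.0"),
    BaselineRule("app_version", "1.8.0", action="warn"),
))


if __name__ == "__main__":
    for label, policy in (("v1", POLICY_V1), ("v2 (os >= 12)", POLICY_V1.tighten("os_version", "12"))):
        print(label)
        for device, (decision, reasons) in gate_fleet(policy, FLEET).items():
            print(f"  {device}: {decision} {reasons}")
```

Two design choices matter here. A report that omits a field fails closed rather than being ignored, since a tampered app that strips its version string should not be rewarded for it. And a "warn" action lets the administrator roll out a new baseline as a soft rule first, watch the dashboard for how many devices it would affect, and only then tighten it to "block", which is the data-driven balance between security and acceptance rate the post describes.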

Talk to us to discover how MineSec’s SoftPOS solution enables you to deploy a certified secure and compliant SoftPOS solution.