Contactless payments are a convenient and fast way to pay: the customer simply holds a mobile device running a banking app, or a near-field communication (NFC)-enabled card, near the merchant’s device at checkout. In the past, merchants needed a dedicated payment terminal to accept these payments securely, which held back broader adoption of the technology.
Now, merchants can use commercial tablets or smartphones to accept these payments. To make this secure, the PCI Security Standards Council (PCI SSC) introduced a standard in December 2019 for contactless payments on commercial off-the-shelf (COTS) devices, known as PCI CPoC. While this standard can seem daunting for mobile app developers, Guardsquare solutions support and improve the compliance of CPoC applications, the contactless kernel, and the CPoC API. We’ll explore that in more detail in this post.
Our software – including DexGuard (Android), iXGuard (iOS), and ThreatCast – provides code hardening, tampering protection, and real-time threat monitoring to comply with specific aspects of the PCI CPoC. For example:
Guardsquare solutions address a series of PCI CPoC technical requirements for the contactless payment app, the contactless kernel running on the merchant’s COTS device, and the CPoC API, within sections two and five of the standard. Guardsquare also invests in keeping its solutions updated against the latest attack scenarios and vectors. The specific areas of compliance are explained below.
This requirement involves setting up proper protection against tampering and reverse engineering for the contactless mobile application, the contactless kernel, and the associated APIs. This protection raises the cost for an attacker of analyzing the code and interfering with transactions.
Guardsquare solutions help organizations meet this requirement in a variety of ways. Mobile application hardening applies multiple types of obfuscation and encryption techniques and protects against runtime attacks. Specifically, Guardsquare solutions provide:
This requirement applies to protecting cryptographic operations and sensitive data through software protections. Software-based cryptography is used to protect sensitive data so that it cannot easily be extracted from the device; because the keys and algorithms live in software, the implementation itself must be hardened. All code obfuscation and anti-tampering measures that Guardsquare solutions provide can be applied to the implementations of these software-based cryptography methods.
For the CPoC application to be considered secure, it has to be designed, developed, and maintained so as to ensure the integrity of payment transactions and the confidentiality of all sensitive data. Guardsquare solutions help improve compliance with this requirement through runtime environment checks and protection against dynamic attacks, which add hardening on top of the baseline protection provided by the device operating system. Guardsquare solutions also provide a data protection capability that keeps secret data encrypted at rest and decrypts it only at the moment it is used. Developer documentation is available to help meet this requirement as well.
The objective of this requirement is to make sure that the official application the developer has produced reaches the merchant unmodified. Guardsquare helps achieve compliance with Secure Provisioning through the following:
Guardsquare solutions offer extensive application integrity checking to make sure that the payment application has not been modified since it was signed by the development team. If the application has been tampered with, it will not run on the merchant’s device. Because these checks are part of the application itself, they are a natural target for an attacker, which is why they are combined with the obfuscation and anti-tampering measures described above.
This requirement is focused on providing proper audit logs for audits and forensic investigations. Guardsquare solutions generate mapping files that record how each original class, method, and field name was renamed during obfuscation. This enables the application to produce logs and stack traces that reveal only the obfuscated names, while the development team can reconstruct the original names on its side using the mapping file.
For contactless payments to be conducted securely, the contactless kernel running on the merchant’s device must maintain its integrity, as well as the confidentiality of the sensitive data that passes through it. Guardsquare solutions provide software obfuscation and anti-tampering functionality to help meet this requirement.
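To make the mechanism concrete, here is an added example (not Guardsquare’s code or its retrace tooling, which also remaps line numbers and handles inlined methods) of how a developer-side script can deobfuscate a logged stack trace using a mapping file in the ProGuard mapping format that DexGuard also emits. The mapping file, the stack trace, and all class and method names in it are constructed for this illustration. It also shows the case the mapping format exists for: two original methods that share one obfuscated name and are told apart by the line ranges recorded in the mapping.

```python
import re
from collections import defaultdict

# Constructed mapping file (hypothetical package and class names).
# Format: "original.Class -> obfuscated.Class:" followed by indented member
# lines "[obfStart:obfEnd:]returnType name(args)[:origStart:origEnd] -> obfName".
MAPPING = """\
com.example.pay.TransactionSigner -> a.b.c:
    byte[] signingKey -> a
    20:45:byte[] sign(byte[],java.lang.String) -> a
    60:70:boolean verify(byte[],byte[]) -> a
    80:82:void wipeKey() -> b
com.example.pay.NfcReader -> a.b.d:
    10:30:java.lang.String readTrack2(android.nfc.Tag) -> a
"""

# Constructed stack trace, as the hardened app would write it to its log.
TRACE = """\
java.lang.IllegalStateException: signing key unavailable
    at a.b.c.a(SourceFile:31)
    at a.b.c.a(SourceFile:65)
    at a.b.d.a(SourceFile:12)
    at com.example.pay.CheckoutActivity.onPay(SourceFile:88)
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
METHOD_RE = re.compile(
    r"^\s+(?:(\d+):(\d+):)?(\S+) (\S+)\((.*?)\)(?::(\d+):(\d+))? -> (\S+)$"
)
FRAME_RE = re.compile(r"^(\s*at )(\S+)\.(\S+)\((\S+?):(\d+)\)$")


def parse_mapping(text):
    """Return {obf_class: (orig_class, {obf_method: [(start, end, orig_method)]})}.

    Field lines have no parentheses and are skipped: they never appear in
    stack traces, so they are not needed for retracing.
    """
    classes = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            orig_cls, obf_cls = m.groups()
            current = (orig_cls, defaultdict(list))
            classes[obf_cls] = current
            continue
        m = METHOD_RE.match(line)
        if m and current is not None:
            start, end, _ret, name, _args, _ostart, _oend, obf_name = m.groups()
            lo = int(start) if start else 0
            hi = int(end) if end else 0   # 0:0 means no line info: match any line
            current[1][obf_name].append((lo, hi, name))
    return classes


def retrace_frame(line, classes):
    """Map one 'at obf.Class.m(File:N)' frame back to original names."""
    m = FRAME_RE.match(line)
    if not m:
        return line   # exception message or unrecognised line: pass through
    prefix, obf_cls, obf_method, _file, lineno = m.groups()
    lineno = int(lineno)
    entry = classes.get(obf_cls)
    if entry is None:
        return line   # class is not in the mapping (framework or unobfuscated code)
    orig_cls, methods = entry
    candidates = methods.get(obf_method, [])
    # Several original methods can share one obfuscated name; the line range
    # recorded in the mapping file disambiguates them. If the line falls in
    # no range, report every candidate rather than guessing.
    matches = [name for lo, hi, name in candidates if lo == 0 or lo <= lineno <= hi]
    if not matches:
        matches = [name for _, _, name in candidates] or [obf_method]
    orig_method = "|".join(dict.fromkeys(matches))
    # The mapping carries no source-file name; assumption: outer class + ".java".
    src = orig_cls.rsplit(".", 1)[-1].split("$")[0] + ".java"
    return f"{prefix}{orig_cls}.{orig_method}({src}:{lineno})"


def retrace(trace, mapping_text):
    classes = parse_mapping(mapping_text)
    return "\n".join(retrace_frame(l, classes) for l in trace.splitlines())


if __name__ == "__main__":
    print(retrace(TRACE, MAPPING))
```

The two frames that both read `a.b.c.a` in the log resolve to `sign` and `verify` because the mapping ties each name to a line range. The practical consequence for a CPoC deployment is that the mapping file is as sensitive as the original source: it must never ship inside the app, and access to the copy kept for forensics should be controlled and tied to the exact build it was generated for.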
As contactless payment applications play an increasingly central role in payments, app security and compliance become imperative for every stakeholder involved. Our security software helps strengthen your overall security architecture by safeguarding both the mobile endpoint and the merchant’s contactless kernel. Ensuring app and platform integrity by preventing reverse engineering and tampering is also key to meeting multiple requirements listed in PCI CPoC.