mPOS Card Payments: Today’s Challenge
Mobile point-of-sale (mPOS) is a flexible, low cost method of expanding card acceptance in face-to-face environments by using hardware encryption technology to facilitate the use of untrusted devices across untrusted networks. A summary of the role of Thales HSMs in the mPOS ecosystem can be found below.
Click image to see full ecosystem
Many transactions involving small (or micro) merchants, often outside a physical retail store, still take place using cash rather than credit or debit cards. For traditional bank acquirers and payment service providers (PSPs) this is a very large market to address with card-based acceptance solutions.
However it is not an easy task since there are two potentially competing elements involved: low cost required by the merchants and high security required by the payment systems.
For many years traditional point-of-sale (POS) terminals have been rejected by micro merchants on the basis of their high cost, long term contractual commitments, restrictive user interfaces and PCI DSS compliance requirements. Today there is a clear move in the payments industry to adopt mobile point-of-sale (mPOS) technology to either replace or complement traditional POS terminals.
More about mPOS
mPOS solutions deploy alternatives to traditional POS terminals involving secure card readers in association with untrusted devices (smart phones and tablets) and untrusted networks (internet or mobile networks). As a result mPOS must address some fundamental issues, including:
- Ensuring that the smart phone or tablet cannot access sensitive payment data to eliminate the need for the device to undergo stringent security certifications
- Protecting the card data from the point of capture through to the payment gateway to ensure the merchants stay out of scope for PCI DSS compliance
- Enabling card acceptance to take place securely in locations outside a retail store where there is no fixed network connectivity, providing merchants maximum flexibility
- Lowering the cost of supply and configuration of the card acceptance equipment, without compromising the expected physical security, to make it an attractive proposition for merchants with low transaction volumes
Risks Associated with mPOS
- Deployment of software-based encryption and key management techniques at the PSP payment gateway increases the risk of key compromise, risking loss of reputation and large fines
- Reliance on manual loading of keys at merchant sites increases the risk of key and terminal compromise, negating the benefits of using P2PE with secure encryption technology
- Failure to protect decrypted data at the payment gateway can lead to attacks on the PSP database, potentially resulting in large payment data compromise and heavy fines for the PSP
mPOS Security: Thales e-Security Solutions
Thales hardware security modules (HSMs), both payShield 9000 and nShield, are already helping PSPs to deliver secure mobile point-of-sale (mPOS) solutions to large numbers of merchants, some accepting card payments for the first time. The HSM performs three critical functions for PSPs – managing keys for the card readers, decrypting the encrypted transaction data received from the merchants and translating the PIN blocks for online PIN-based transactions. payShield 9000 meets all the relevant payment security certification standards (FIPS 140-2 Level 3 and PCI HSM) in addition to supporting various algorithms and key management methods used in mPOS transactions – with the ability to add custom functions to meet individual PSP requirements if necessary. Working in conjunction with numerous partners in the mPOS ecosystem, Thales enables all PSPs to choose from a wide range of card readers, providing a fast, efficient and proven security solution with minimum integration risk.
- Use the HSM to manage the mPOS card reader keys to suit the particular payment gateway requirements – secure generation and loading at the factory or via remote key injection after shipment to the merchant
- Take advantage of the pre-integration with a wide range of leading mPOS card readers, enabling more choices for merchants
- Comply with PCI HSM and PCI P2PE requirements out-of-the box with a hardware/software combination specifically designed for mPOS which simplifies PCI DSS compliance for both merchants and PSPs
- Reduce time to integrate the HSM with the mPOS payment gateway by using Thales sample code and online test environment – ideal for PSPs new to HSMs and/or point-to-point encryption
- Implement highly resilient hardware with full remote management flexibility – keeping all keys secure and providing ability to upgrade performance in line with mPOS transaction volume growth