This is the second blog in our series focusing on payments in 2021 and beyond, penned by MYPINPAD’s Founder and Chairman Justin Pike. In this post Justin delves deeper into the security of mobile devices and software-based payment solutions. With players entering the market and a lack of clarity as to how their offerings are different, this is post is a must-read for any business looking to deploy a software payment solution.
As a quick recap, in my last post I talked about the brilliance of using software to turn mobile devices like smartphones and tablets into payment terminals. There’s a myriad of benefits that positively impact everyone in the payments ecosystem, from card schemes to banks, PSPs, merchants and the consumer.
One of the most critical benefits of software-based payment solutions in the COVID landscape is safety. An obvious advantage of shifting payments to a mobile device is the removal of queues – with a mobile payment terminal you can accept a payment anywhere, thereby enabling greater social distancing. It’s also far easier to sanitise a glass screen than it is to wipe down a hardware-based pinpad (and a glass screen won’t degrade anywhere near as fast as a terminal because they are designed to be cleaned). But these benefits are merely the tip of the iceberg when it comes to software-based payments – they open up a world of possibilities for data collection and personalisation, innovation in the end-to-end customer experience and greater prevention of fraud if they are built upon a foundation of security. But that’s a very big ‘if’.
There are varying degrees of security within smart devices
The biggest challenge for a software-based payments solution developer is how to take a mobile device that is inherently insecure and perform an action on it (like taking a payment) that needs to be absolutely secure. To understand the ins and outs of this, I’ll take a quick step back.
Like most things, not all mobile devices are created equally. In terms of security, some are more secure than others. It’s this fragmentation in security across all the different phone brands that creates a problem for developers of apps that need to be secure, because many rely on the security built within the device itself. And that’s because creating secure software is very difficult – having just spent several years leading a business that develops secure software, I can attest first-hand to what’s involved.
Components of mobile devices are secure, such as the Trusted Execution Environment (TEE), which is an environment within the device that provides a higher level of security for trusted applications running on the device and has a greater level of functionality than a Secure Element (SE). Many software-based payment applications utilise the TEE within the mobile device for security, which places a degree of control into the hands of the phone manufacturer. Because of this, most of the software-based payments solutions out there are not ubiquitous, and this is an issue because when it comes to payments, ubiquity is needed to reach critical mass.
Software can be more secure than hardware
The hardware-based payment terminals we are all familiar with are like Fort Knox. PCI standards have done an incredible job of ensuring the ongoing security of these boxes. But, being hardware, there is no way to ascertain in real time if there has been a breach or attack because it only reports back in a limited way. Software on the other hand is different. It can monitor the device it is sitting on in almost real time to ensure it is safe to process a transaction and can let us know straight away if anything is amiss. Working in tandem with sophisticated AI back end patterns, fraud attacks can be spotted from anywhere globally and stopped in their tracks, again in almost real time.
But if we want to take security to the next level, then the best possible solution for software-based payments is to have software that is secure and does not rely on any specific hardware component of the mobile device. Currently, MYPINPAD is the only software-based payments solution developer in the world to have achieved a full suite of PCI certified ‘software only’ solutions.
It’s not just about front-end security
There’s a lot of focus about front end security, such as inputting a PIN securely into a mobile device. But the back end is just as important. And the same principles apply. Traditional back end systems have been ‘fixed’ hardware-based resources and incredibly secure. But, like traditional payment terminals, their size and inflexibility makes them cumbersome and there are fixed running costs regardless of how much transaction volumes fluctuate. Banks literally had server rooms with expensive hardware sitting there ready to process transactions, with costs that were the same whether there was one transaction or one billion. Add when it comes to hardware redundancy (in another city or even country) along with lots of very expensive security people, it’s easy to understand how corners could be cut and mistakes made.
Cloud architecture however now gives us more flexibility and options for payment processing. Like the software residing on the mobile device to take the payment, back end software is as secure as its fixed counterparts but infinitely more flexible, scaling up and down to meet fluctuations in demand, literally doubling in size every 30 seconds if necessary and therefore costs can be commensurate with demand.
Software that is built on a foundation of security will combat fraud
What all this circles back to is that fraud is a very real and enduring threat. It has always been there but is certainly amplified by COVID. As we transition to a more digital, more connected world where customer experience is key and software is the answer to many modern challenges, we must have a firm focus on security as we develop.
Developing secure, standalone software that meets PCI standards and is safe enough to process a payment transaction takes time. It requires a company-wide commitment to security and is not something that can happen quickly. Keep this in mind when seeking a software-based payments solution provider.
Convenient, seamless and connected customer experiences are all useless if they can be hacked or breached. With payments making up a significant chunk of both physical and digital end-to-end customer experiences, it’s critical that the software deployed to complete the process is secure. For any business seeking a software-based payments solution, look for solutions that are built upon a foundation of security. Check for PCI certification. Ask direct questions about how the software is actually secured – it is relying on components of the phone for security or is it software that is so secure that you can make a payment on it? I know what I would choose.
This article was first published on Information Age.