Many would wonder how the mobile phone has the right security to manage and accept card payments.

There are various levels of certification that are required before a provider can offer their SoftPOS product in the market. These include:

–    L2 certification for both Visa & MasterCard. This includes both functional and security testing of the kernels.

 

–    For PIN entry, pilot certification is required

The Payment Card Industry (PCI) released a standard called Software-Based PIN Entry on COTS (SPoC) – COTS an acronym standing for commercial off the shelf. These solutions enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure application in combination with a Secure Card Reader for PIN (SCRP). Therefore, the likes of iZettle, Square, and SumUp machines that we often see at our local merchants, would need to be SPoC certified.

The next evolution, using the mobile phone as a POS, meant new rules needed to be set in place. PCI brought out the CPOC Standard (Contactless Payments on COTS) to regulate the safety of using the mobile phone as an acceptance terminal. This standard enables a  mobile phone to utilise the NFC reader to scan and capture customers card details with the processing of transactions now taking place on the mobile phone, instead of within a hardware device. In order to obtain CPOC, providers need to go through stringent testing performed by certified labs before getting PCI Approval.

The CPOC standard however does not include PIN entry. This is a limitation because any payment over the contactless limit, will require a customer to enter their PIN. It also might put risks on markets where fraud is high.

PCI currently does not have a CPOC + PIN standard and therefore the card schemes (Visa/MasterCard) have developed pilot specifications for such solutions. Pilot certification still requires  vigorous lab testing before the schemes independently test the solution themselves and prior to giving the green light. It is believed that this new PCI standard will be released during the course of 2022.

There are typically two ways in which the PIN entry is made possible. Either, the TEE (Trusted Executed Environment) is used by developers, which is a piece of hardware within the mobile device itself, which allows a second secure operating system to be run on the Android completely separate and alongside the current Android System. The second way is through white-box encryption. This uses encryption, obfuscation, and advanced methods to protect keys and critical data inside applications running in untrusted environments. 

WIZZIT have designed and built our PIN entry capability using white-box encryption. The key advantage to this is that we are not tied to having to use the TEE which means any Android that has NFC capabilities can be used with WIZZIT technology. A merchant will not be required to upgrade their mobile.

WIZZIT decided PIN entry was critical for many global markets and have now been granted pilot certification by both Visa and MasterCard, and have gone live with our first clients.

With all the testing and certifications required, customers can be sure that their PIN entry onto a merchant’s mobile phone is fully secure and safe.

If you are looking for a SoftPOS with PIN, please get in touch with WIZZIT today.

Contact us on LinkedIn https://www.linkedin.com/company/wizzitdigital or email us at info@wizzit-int.com