In this article, we explore changes in the “card present” payment methods that are used to process payments at the point of sale and the ways in which the Payment Card Industry Security Standards Council (PCI SSC) has embraced mobile technologies, in particular, SoftPOS technology.
PCI SSC is responsible for regulating the security standards for the Payment Card Industry to create a safe environment for digital transactions, improve data security, and secure emerging payment channels. PCI compliance ensures that all merchants who conduct, process, and accept transactions keep the transactional environment safe and appropriate for the customer’s sensitive data.
From swipe & sign to chip & PIN
In-person debit and credit card payments were once processed at the point of sale using magstripe technology. Magstripe cards were the progenitors of the current EMV cards. The idea behind the magnetic stripe is to embed the card information in the stripe with codes that identify the user. The transaction then takes place when the card interacts with the payment terminal: customers swipe their cards at the POS terminal and sign to authenticate themselves as the card owner.
Magstripe methods are inherently vulnerable to fraud, as the data on magstripe debit and credit cards is easily stolen and reproduced through a method known as skimming. Skimming is a fraudulent activity in which a small device, near impossible to spot with the naked eye, is placed on top of a genuine card reader. When a magnetic card is used, the fake reader scans, collects, and stores the information from the card, including the cardholder’s name, card number, and expiration date. Today we are moving towards NFC payments for secure chip-based transactions on consumer-grade smart devices, which make transactions safer by making it more difficult to copy the information from the card while adhering to the same regulations and safety protocols as the current EMV chip cards.
To assure the security of point of sale payments, today’s payments use EMV chip and PIN security, the leading global fraud prevention technology, which is defined and managed by EMVCo LLC, a consortium that comprises MasterCard, Visa, Europay, China UnionPay, American Express, Discover and others.
EMV chip cards can process transactions, store sensitive information securely, and can encrypt the incoming data. They are either inserted into or tapped onto the payment terminal to process a transaction. Customers enter their personal identification number (PIN) to authenticate themselves. Countries that have implemented EMV chip and PIN have all but eliminated fraud at the point of sale.
Major benefits include:
- Improved security. EMV cards are equipped with unique security chips and use advanced data encryption schemes to secure payments. Cards are extremely difficult to hack or clone.
- PIN authentication. Physically stolen cards cannot be used for high-value fraud, as larger payments typically require the customer’s PIN, which is known only to the customer.
- Enables fast tap and go (contactless) payments via the latest dual interface EMV cards.
- Reduces merchant fraud liability exposure, as the chargeback liability is held by the card issuer.
Embracing the SoftPOS
Mobile point of sale technology is a rapidly growing market, and in a promising development, the Payment Card Industry Security Standards Council has in recent years implemented various new standards to open the door to chip and PIN transactions on consumer-grade mobiles. Current NFC technology allows for both sending and receiving of data, which in turn creates optimal conditions for payment acceptance on user smartphones. The new standards support the emerging SoftPOS applications, which are a software-only solution for enabling contactless payment acceptance on mobiles, without external dongles.
Contactless Payments on COTS
One of the new standards released is the PCI Contactless Payments on COTS (CPoC™) Standard. Applications complying with this new standard allow merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device (e.g., smartphone or tablet) with near-field communication (NFC). In simple terms, it means businesses can now accept NFC-based customer payment on their phone by downloading an app and tapping cards against their phone. This offers merchants all the convenience of tap-and-go payments, directly on their mobile.
Software-based PIN entry on COTS
The so-called “SPoC” standard enables software-based PIN acceptance on consumer-grade mobiles and tablets, known in the industry as PIN on mobile. PIN on mobile leverages a chip card reader to initiate the transaction; the customer then enters the PIN through the merchant’s mobile application. The SPoC standard is designed to work in conjunction with an external card reader. The introduction of software-based PIN acceptance shows a willingness in the industry to open the door to PIN-based cardholder verification methods on consumer-grade devices.
Is MPoC the future of mobile payments security?
It is expected that next year PCI SSC will phase out the SPoC and CPoC standards and provide a new standard called MPoC, for Mobile Payments on COTS, which will evaluate SoftPOS solutions with PIN entry. Apparently, the standard will also enable key SoftPOS components to be certified separately first and then as a suite of components. This will change the outlook for mobile security standards with a more standardized approach to SoftPOS security.
Felix is the answer to EMV on mobile
By transforming smartphones into contactless terminals, Felix simplifies card payments for businesses looking to take payments on mobile. Felix delivers a software-based solution that completely integrates card-present payment authentication on mobile.