Thursday, May 17, 2012

PCI and Mobile Payment Application Security

So far, the world of mobile payments has been a "Wild West", before the sheriff came to town. The vendors have been making their own rules, though at least a few have been smart, and have prepared for what they guessed would happen. The solution can be expressed in one word.

Encryption. As early in the payment process as possible, all the way to the bank (acquirer).

The PCI Council has issued a press release on mobile payment security, along with an "At a Glance" publication. These usually precede the release of new standards/best practices documents by a few months as fair warning. This post is my attempt to analyze where the Council sits on the matter, and a bit of reading between the lines to try to predict what's coming.

End-to-end encryption, or point-to-point encryption (P2PE) as the PCI Council calls it, is easily the best solution to securing the explosion of mobile payment applications now on the market. It is ideal because, in most cases, a correct implementation is invisible to the user, the merchant and the application. Apps don't have to be rewritten, the user experience doesn't suffer, and the merchant keeps the same level of convenience. Most importantly, when done correctly, it is easily the most secure approach available.

There is a price though, and it is on the merchant. All solutions I've seen offered raise the transaction rate. Such is the price for the convenience of mobile payment acceptance in this case.

Blah blah encryption blah P2PE, what are we really talking about here, Adrian? 


We're talking about encrypting the cardholder data in the same hardware that reads your card. The Android/iOS/Psion/QNX/Whatever mobile operating system never handles unencrypted payment data. Furthermore, in a P2PE environment, the key needed to decrypt this data should not be present on the device, or anywhere else in the merchant environment. In most cases, this encrypted data will be sent directly to a payment gateway, and will not be stored. At this point, risk and attack vectors are minimized, and you've added little to no disruption to the sales process.

It takes a lot of work and expense to switch POS solutions, however. For environments already planning to switch, or entering mobile payments for the first time, it makes sense to get it right the first time, and the Council will soon be publishing a list of P2PE-certified POS solutions, making it easier to choose a secure, vetted product. Currently, a lot of vendors are offering half-baked solutions that only reduce some of the risk, and it is difficult to separate the pretenders from the real deal. Beware.

If this is such a perfect solution, why isn't everyone already doing it?

  1. Vendor lock-in. Many merchants' POS solution and processing come from the same vendor, and that vendor may not have a P2PE or tokenization solution ready yet.
  2. Cost of new hardware/POS solution.
  3. Increased per-transaction cost. You pay more for using payment gateways, and you'll pay more for a P2PE solution where the processor decrypts your transactions. How much more? Some level 1/level 2 merchants could potentially go from paying $0.01 to $0.36 or more per transaction! Those kinds of increases really add up for merchants processing 1 million+ transactions annually.
  4. Too early. Most vendors are at 1st Gen or earlier with P2PE products. We're just getting started here, and most established POS vendors don't operate at startup speeds. This is an interesting market to watch however, because there are some very interesting startups popping up in this space!

I think you've been hitting the Council Kool-Aid pretty hard.


A valid perspective, but this isn't just idle speculation from the stands. I've had an opportunity to assess a startup employing a P2PE approach first hand. I got down into the weeds with them, dug into their solution, and issued their ROC. I've used all my security, hacking and pentesting experience to consider all the attack angles. Could I have missed something? Absolutely, and there is always room for improvement.

Throw your concerns, questions and doubts my way, and I'll be happy to address them all. Challenge me, and I'll meet it. We're still in the early stages here, remember. Our money will be going through these solutions, and they need to be challenged (read: hacked) to ensure they are as strong as they should be.