mPOS Card Payments: Today’s Challenge
Many transactions involving small (or micro) merchants, often outside a physical retail store, still take place using cash rather than credit or debit cards. For traditional bank acquirers and payment service providers (PSPs) this is a very large market to address with card-based acceptance solutions. However it is not an easy task since there are two potentially competing elements involved: low cost required by the merchants and high security required by the payment systems. For many years traditional point-of-sale (POS) terminals have been rejected by micro merchants on the basis of their high cost, long term contractual commitments, restrictive user interfaces and PCI DSS compliance requirements. Today there is a clear move in the payments industry to adopt mobile point-of-sale (mPOS) technology to either replace or complement traditional POS terminals.
Risks associated with mPOS
– Deployment of software-based encryption and key management techniques at the PSP payment gateway increases the risk of key compromise, risking loss of reputation and large fines
– Reliance on manual loading of keys at merchant sites increases the risk of key and terminal compromise, negating the benefits of using P2PE with secure encryption technology
– Failure to protect decrypted data at the payment gateway can lead to attacks on the PSP database, potentially resulting in large payment data compromise and heavy fines for the PSP
mPOS Security: Thales e-Security Solutions
Thales hardware security modules (HSMs), both payShield 9000 and nShield, are already helping PSPs to deliver secure mobile point-of-sale (mPOS) solutions to large numbers of merchants, some accepting card payments for the first time. The HSM performs three critical functions for PSPs – managing keys for the card readers, decrypting the encrypted transaction data received from the merchants and translating the PIN blocks for online PIN-based transactions. payShield 9000 meets all the relevant payment security certification standards (FIPS 140-2 Level 3 and PCI HSM) in addition to supporting various algorithms and key management methods used in mPOS transactions – with the ability to add custom functions to meet individual PSP requirements if necessary. Working in conjunction with numerous partners in the mPOS ecosystem, Thales enables all PSPs to choose from a wide range of card readers, providing a fast, efficient and proven security solution with minimum integration risk.
– Use the HSM to manage the mPOS card reader keys to suit the particular payment gateway requirements – secure generation and loading at the factory or via remote key injection after shipment to the merchant
Take advantage of the pre-integration with a wide range of leading mPOS card readers, enabling more choices for merchants
– Comply with PCI HSM and PCI P2PE requirements out-of-the box with a hardware/software combination specifically designed for mPOS which simplifies PCI DSS compliance for both merchants and PSPs
– Reduce time to integrate the HSM with the mPOS payment gateway by using Thales sample code and online test environment – ideal for PSPs new to HSMs and/or point-to-point encryption
– Implement highly resilient hardware with full remote management flexibility – keeping all keys secure and providing ability to upgrade performance in line with mPOS transaction volume growth