Deep Dive: Tackling mPOS Solutions’ Security Challenges

Small and micro merchants that would otherwise have been priced out of the market by traditional, fixed POS systems have seen success with mPOS solutions. Their portability and low price points enable SMBs to participate in the commercial scene while presenting various payment options to consumers. 

Commonplace operations such as food trucks and nonprofits are using these products, as are furniture restoration merchants and even buskers. These small entities are seeking to win trust despite not being established brands, but customers will only feel safe if they’re confident that their payment information will remain secure. 

Trust issues have only become more pressing as the global mPOS market grows, reaching a value of $170 million, according to a Global Mobile POS Market 2019 report. This month’s Deep Dive explores its key security risks and the ongoing efforts to mitigate them. 

Security risks and defenses 

mPOS devices often rely on Bluetooth to carry data from apps to payment providers’ servers, which gives dishonest merchants opportunities to intercept that traffic and alter payments. Fraudsters exploiting this weakness can ensure the correct amount is shown on the customer-facing display while secretly charging more for the purchase. Devices can also be manipulated to falsely indicate that a payment did not go through, prompting customers to swipe their cards again and resulting in duplicate charges to their accounts.

Major mPOS brands iZettle, PayPal, Square and SumUp were all found to be vulnerable to these risks in 2018, but those aren’t the only attacks to which mPOS solutions are susceptible. They can also fall victim to card skimming scams, and hackers can initiate remote code execution attacks to take them over. 
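The two merchant-side manipulations described above (an amount shown to the customer that differs from the amount charged, and a faked decline that leads to a second swipe) leave traces a payment provider can look for in its own transaction records. The following is an added example, not code from the article or from any mPOS vendor; it assumes the mPOS app reports the customer-display amount alongside the authorization request and uses constructed sample records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    txn_id: str
    terminal: str
    card_hash: str        # tokenized/hashed card reference, never the raw PAN
    display_amount: int   # cents shown on the customer-facing display (assumed to be reported)
    auth_amount: int      # cents actually submitted for authorization
    approved: bool
    ts: datetime


def amount_mismatches(txns):
    """Transactions where the customer saw one amount but another was charged."""
    return [t.txn_id for t in txns if t.display_amount != t.auth_amount]


def suspicious_retries(txns, window=timedelta(seconds=120)):
    """Pairs of APPROVED transactions for the same card at the same terminal
    within a short window: the pattern a faked decline followed by a re-swipe
    would produce. Returns (first_txn_id, repeat_txn_id) pairs."""
    flagged = []
    ordered = sorted(txns, key=lambda t: t.ts)
    for i, first in enumerate(ordered):
        if not first.approved:
            continue
        for later in ordered[i + 1:]:
            if later.ts - first.ts > window:
                break  # records are time-ordered, nothing later can be in the window
            if (later.terminal == first.terminal
                    and later.card_hash == first.card_hash and later.approved):
                flagged.append((first.txn_id, later.txn_id))
    return flagged


# Constructed sample records (not real transaction data).
T0 = datetime(2019, 6, 1, 12, 0, 0)
SAMPLE = [
    Txn("t1", "term-A", "card-1", 1250, 1250, True, T0),
    Txn("t2", "term-A", "card-2", 800, 1800, True, T0 + timedelta(seconds=30)),   # display/charge mismatch
    Txn("t3", "term-B", "card-3", 500, 500, True, T0 + timedelta(seconds=60)),
    Txn("t4", "term-B", "card-3", 500, 500, True, T0 + timedelta(seconds=90)),    # re-swipe after a faked decline
    Txn("t5", "term-B", "card-3", 500, 500, True, T0 + timedelta(seconds=600)),   # later, unrelated purchase
]

if __name__ == "__main__":
    print("amount mismatches:", amount_mismatches(SAMPLE))
    print("suspicious retries:", suspicious_retries(SAMPLE))
```

A real deployment would tune the window and pair these checks with the card network's duplicate-transaction controls; the point here is that both manipulations are visible server-side even when the terminal itself is compromised.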

There are several ways these attacks can be prevented, however, starting with EMV chip acceptance. EMV payments are more secure than magstripe payments because the card data exchanged is uniquely encrypted for each transaction. Requiring PINs adds a further layer of protection, but mPOS solutions must handle PINs separately from customers’ card details. This separation means an attacker who obtains one piece of information still lacks the details needed to actually make a payment.

mPOS app developers must also harden their development frameworks, source code, encryption keys, processes and data if they want to keep customers’ information safe from bad actors. Pretested, predesigned security modules can be used to ward off hacking attempts, sparing developers from writing their own security countermeasures — something that can introduce risks if not done properly.

EMV and contactless payments 

Robust security that makes exploiting systems time-consuming or complicated will keep consumers’ information safe and help retain their trust. Care must be taken to ensure these measures do not add friction to the payment process, though, or solution providers and merchants may find they are deterring customers as well as bad actors.

EMV payments are often slower than those made by magstripe, causing consumers to wait 15 seconds or more for transactions to be authorized. Some payment providers are rolling out new solutions to truncate this time frame, but others are instead looking to contactless offerings. 

Consumers simply tap contactless-enabled cards or smartphones against mPOS terminals to make secure, tokenized payments. The process is quick, and customers avoid having to provide their personal account numbers. A one-time code is instead sent to the mPOS device, giving hackers fewer opportunities to steal information. 

Keeping pace with payments security innovations is critical, especially as bad actors develop new attacks alongside providers’ newly released defenses. mPOS solutions with robust safety features enable firms to sell to consumers who are confident their information will remain protected.