Mobile payments on COTS: How to comply with PCI MPoC

Key takeaways

• The Payment Card Industry (PCI) Mobile Payments on COTS (MPoC) Standard sets out MPoC security and compliance requirements for those that provide payment solutions using COTS devices. It was developed by the Payment Card Industry Security Standards Council (PCI SSC) and is widely used in the payment industry for securing MPoC applications.
• The Standard is divided up into domains and modules, with definitions of key terms, specific guidance for each section, and measurement scores where applicable.
• Promon products provide a high level of compliance fulfilment on the requirements of relevant modules, ranging from partial through high to full. These modules are outlined below, along with details of which parts of the Promon portfolio help cover the requirements and how.
• In practice, this means Promon products offer key functionalities to those developing MPoC software. The areas of relevance include but are not limited to Attestation and Monitoring (A&M), Measurement/Detection, Responding, Anti-Tampering and Software protected cryptography.
• In those requirements that call for a measurement score, Promon products enable MPoC software to be protected to an attack rating of at least 25 points using the attack-costing framework.
• As required by the Standard, Promon products work together and mutually reinforce each other to provide a layered approach that maximizes software protection.

Introduction to PCI MPoC Compliance Checklist

Before we begin to examine the details of MPoC Standard requirements and how to comply with them, we will answer some questions about the Standard’s purpose, structure, and measurement criteria.

Mobile Payment on COTS (MPOC)

PCI MPoC is the PCI Mobile Payments on COTS standard, here referred to as the MPoC Standard. It defines security and test requirements for entities involved in the development, deployment, and operation of mobile payment solutions that use COTS (commercial-off-the-shelf) devices.

The Standard covers mobile payment acceptance solutions designed for use on COTS devices like smartphones and tablets with or without a dedicated hardware security element (e.g., PIN entry on the touchscreen). MPoC supports both attended and unattended payment scenarios.

The ultimate goal of the requirements in the MPOC Standard is to provide a flexible and future-proof security framework that protects the confidentiality and integrity of the sensitive payment information process by MPoC solutions.

PCI MPoC and other standards

The PCI MPoC Standard contains a section on its relationship with other PCI standards (pp. 33-35).

• PCI DSS: Promon’s products help with addressing the following requirements from PCI DSS 4.0 both directly and indirectly for in app payments:
  • 5.2 Malicious software (malware) is prevented, or detected and addressed
  • 5.3 Anti-malware mechanisms and processes are active, maintained, and monitored
• The PCI Mobile Payment Acceptance Security Guidelines for Developers: The purpose of this document was to provide guidance for solution developers in their attempt to provide the trust needed for a payment application that executes within mobile devices. Promon has already created a PCI DSS compliance checklist for this security standard.
• PCI SPoC Standard (Software PIN on COTS) and PCI CPoC Standard (Contactless Payment of COTS: The MPoC Standard incorporates and builds on many of the requirements found in these mobile standards without superseding or replacing them. It is, however, more comprehensive and up-to-date than both of them, with the flexibility to cover emerging mobile payment technologies and solutions.

PCI MPoC document structure

The requirements in PCI MPoC have a modular, risk-based division for different deployment models. They are split up into five domains with each domain containing multiple modules and subsections.

Domain 1 is the largest domain and will be the main (although not exclusive) focus for this compliance checklist. It lays out security and test requirements that apply to MPoC software, lifecycle processes, sensitive information, and secure channels.

Glossary of terms

The online PCI SSC Glossary provides relevant list of abbreviations and acronyms. However, there is a further Glossary of Terms in the PCI MPoC document (Table 1). It contains important definitions for cybersecurity terms like Attestation, Encryption, Obfuscation, and Tamper detection that are vital in understanding the security and test requirements contained in the MPoC Standard.

Attack rating score

Appendix B of the PCI MPoC Standard contains an Attack Costing Framework. This framework outlines a method for testers to rate attack feasibility according to the prescribed Test Requirements contained in each section. These are the relevant factors for attack rating.

At five places in the PCI MPoC Standard, a minimum of 25 points is required to pass a particular requirement. Four of these are relevant to Promon’s offerings and will be highlighted below. It is the contention of Promon that our products enable MPoC software to meet these requirements and protect assets to an attack rating of at least 25 points using this framework.

How can Promon help?

Our approach at Promon is to communicate with honesty and present compliance material you can trust. We believe in the need for a transparent and targeted appraisal of what Promon products can offer, and where we can provide the most help.

Our method in this PCI MPoC Standard compliance checklist will break down the material into the modules and sections most relevant to our products and the attack rating score. Then, we will summarize the requirements for that module. Finally, we will outline how Promon products can help you to meet those requirements.

PCI MPoC Compliance Checklist

These are the modules that provide the focus for our compliance checklist:

• 1A-3 Acceptable Cryptography
• 1B-1 Software Security Mechanisms
• 1B-2 Software-Protected Cryptography
• 1C-1 Coverage
• 1C-2 Measurement/Detection
• 1C-3 Response
• 1C-4 Anti-Tampering
• 2B-1 Application Security

Acceptable Cryptography (1A-3)

Module 1A-3 covers cryptography. This is employed to ensure data confidentiality and process integrity in MPoC solutions. Only industry-recognized standard cryptographic algorithms and operations may be employed. Any cryptographic keys must be used for a single specific purpose.

How Promon products facilitate meeting cryptography requirements

Promon products provide a high level of compliance relevance to this section.

Promon Asset Protection™ offers security mechanisms such as:

• Robust encryption to protect sensitive data in the published app and/or the device
• Encryption and dynamic decryption to protect static app secrets (e.g., API keys, certificates, and session tokens)
• The employment of encryption only when needed to minimize risk of extraction
• Assurance that encryption keys are secured and never exposed
• Cryptography solutions that are easy to use and integrate, automatic, and designed for developers

Software Security Mechanisms (1B-1)

Module 1B-1 covers the topic of those software security mechanisms that protect the COTS-based MPoC software from cyberattacks like reverse engineering, modification, and monitoring. These mechanisms need to play both preventive and detection roles in protecting MPoC assets. Those who design them must consider issues such as coverage, integration between mechanisms, and protection strength.

Two important sections in 1B-1 are:

1. 1B-1.5: This provides guidance on whether code obfuscation is required on COTS-based MPoC software to protect it from reverse engineering and, if so, which obfuscation methods it might include.
2. 1B-1.14: This requires anti-tampering protections against a feasible attack on assets and code stored on the device. The requirement is passed only if the device is protected to an attack rating of 25 points using the attack-costing framework.

How Promon products facilitate meeting software security requirements

Promon products provide a high level of compliance relevance to this section.

Promon SHIELD® for Mobile, IP Protection Pro™ and Promon Asset Protection™ offer security mechanisms such as:

• Detection and blocking of foreign code injection, code obfuscation, and anti-debugging to make assets less prone to reverse engineering
• Secure Local Storage, which encrypts and stores assets locally on an end-user device, including PII and API keys
• Robust safeguarding of the app’s code against reverse engineering, tampering, and unauthorized modification by products specifically designed for this purpose (especially SHIELD)

Software-Protected Cryptography (1B-2)

Although protection for cryptographic operations can be provided by tamper-responsive hardware devices, software methods may also be used. These software methods could include the obfuscation of cryptographic functions and white-box cryptography. The MPoC standard doesn’t mandate any methods, as long as they are robust.

An important section of 1B-2 is 1B-2.7. This requires that the software-protected cryptography prevents the extraction of partial or complete cryptographic material to an attack rating of 25 points.

How Promon products facilitate meeting cryptography requirements

Promon products provide a partial level of compliance relevance to this section.

Promon Asset Protection™ offers security mechanisms such as:

• Secure encryption/decryption APIs which meets EMVCo certification standards, protected by Promon’s proprietary and field-proven white-box cryptograhy engine
• Cryptography keys protected by white-box cryptography solution to ensure data remains secure
• Detection and blocking of cheating and tampering attempts in real time

Coverage (1C-1)

Attestation and monitoring (A&M) must cover the COTS platform, and the COTS-based MPoC software. The goal here is to assess the integrity of the platform and software. The standard requires that this is assessment must cover the complete software lifecycle and may involve different levels of checks. But it must possess some level of A&M at runtime, so that compromises such as rooting, jailbreaking, and other vulnerable states are detected.

How Promon products facilitate meeting coverage requirements

Promon products provide a high level of compliance relevance to this section.

Promon SHIELD® for Mobile and Promon App Attestation™ offer security mechanisms such as:

• Protection of app functionality through execution flow control, process integrity, and secure local storage
• Use of advanced capabilities to detect and protect against jailbreaking and rooting, but also threats like debuggers hooking, repackaging detection, reverse engineering, code injecting, privilege escalating, and data leaking.
• Protection of the entire app lifecycle cross-platform and cross-device

• Implementation of several layers of level of threat detection (e.g. root detection) to handle a range from the well-known to heuristic type indicators
• Market-defining runtime application self-protection (RASP) and application hardening technology to defend against sophisticated threats at rest and at runtime

Measurement/Detection (1C-2)

Attestation is performed by measuring the ability of the COTS platform, and COTS-based MPoC Software to detect potential attacks. Measurements are collected by the A&M back-end, along with the analysis performed on measurements. All COTS devices must contribute to measurement data, enhancing its quality and that of any detection methods used.

Specific requirements include methods to ensure that all measurement data is fresh and authentic, and that data monitoring is continual. The standards recommend the employment of continual background checks that are not resource intensive or intrusive e.g., debugging (1C-2.4).

How Promon products facilitate meeting measurement and detection requirements

Promon products provide a high level of compliance relevance to this section.

Promon SHIELD® for Mobile and Promon App Attestation™ offer security mechanisms such as:

• In-app real-time monitoring and threat detection with immediate responses
• Detection and blocking of cloning and repackaging attempts
• Runtime monitoring and protection against bots and in-app purchase bypassing
• Safeguarding against both high-volume and stealthy attacks by ensuring every API call is authenticated, eliminating the inaccuracies associated with heuristic and volumetric detection methods
• Implementing Promon’s Callback SDK so app developers can dynamically collect data from our security findings

Response (1C-3)

A&M must possess the ability to respond to any potential attacks that it has identified. The response process must be data-led and documented. Attacks detected by the A&M of the COTS-based MPoC Software must be reported to the A&M back-end.

How Promon products facilitate meeting response requirements

Promon products provide a complete level of compliance relevance to this section.

Promon SHIELD® for Mobile and Promon App Attestation™ offer security mechanisms such as:

• No reliance on third-party attestation services, so users have complete control over the attestation process
• Unified attestation mechanism that simplifies security management and ensure uniform protection for app mobile apps
• Transaction-based, continuous validation, rather than session-based verification, so app protection is continuous and comprehensive

Anti-Tampering (1C-4)

A&M is a high-value target for attackers. Modification of A&M data or code can allow for the bypass of security mechanisms. The COTS-based MPoC Software needs to be protected against tampering and secured from alteration. The back-end must be able to detect failures in A&M functions.

An important section in the anti-tampering requirements of 1C-4 is 1C-4.4. It requires that any A&M used by the COTS based MPoC software is resistant to tampering to an attack rating of 25 points using the attack-costing framework. This is important, since a compromise on A&M component on the COTS device or data transmitted to the back-end “may be the same as effectively disabling security checks”, according to the Standard.

How Promon products facilitate meeting anti-tampering requirements

Promon products provide a complete level of compliance relevance to this section.

Promon SHIELD® for Mobile and Promon App Attestation™ offer security mechanisms such as:

• Safeguarding apps from tampering, along with reducing the risk of stolen asserts or manipulated transactions
• Providing anti-tampering mechanisms that protect mobile apps against both static and dynamic modifications
• Making the attestation functions extremely hard to inspect, tamper, or otherwise modify, as self-contained attestation code is embedded in SHIELD, which is itself heavily obfuscation and encrypted

Application Security (2B-1)

Application security requirements covers all security mechanisms that MPoC Applications that share or access the memory of the COTS-based MPoC Software they are integrating. These MPoC apps must be created using secure software development best practices and meet the Secure Software Lifecyle (SLC) requirements.

An important section of 2B-1 is 2B-1.2, which requires that MPoC Application data and code are protected against modification to an attack rating of 25 points using the attack costing framework. The standard is explicit that such anti-tampering resistance must include protection at runtime, as well as the configuration files and binary code of the app.

How Promon products facilitate meeting app security requirements

Promon products provide a complete level of compliance relevance to this section.

Promon SHIELD® for Mobile, Promon IP Protection Pro™, Promon App Attestation™, Promon Asser Protection™, and Promon SDK Protection™ offer security mechanisms such as:

• Integrating security best practices into every stage of the app development process to provide a secure software development lifecycle (SSDLC) that
• Providing enhanced post-compile binary code obfuscation for MPoC software and SKDs with Promon’s Jigsaw engine
• Validating device integrity and creating a protected runtime for MPoC software

Conclusion

There are two more points made by the PCI MPoC Standard that are important to highlight in this compliance checklist.

Liability

When discussing the MPoC solution in Domain 5, the Standard makes these points about liability:

• The Standard does not make necessary for the MPoC solution provider to develop, implement, or operate all of these systems
• It is the responsibility of the MPoC solution provider to ensure that the relevant requirements for each are met, so that the entire solution is compliant and secure
• Requirements can be met in one of two ways:
  • A monolithic solution: The MPoC solution provider is responsible for the assessment and compliance of all aspects of the overall MPoC solution
  • A composite solution: The MPoC solution provider utilizes separately assessed and listed MPoC products.

Promon products can contribute to this composite security solution for PCI MPoC compliance.

Layering

The Standard is clear on the need for a multi-layered approach to security. Layered security architecture means that multiple levels of protection must be bypassed before an attacker can extract an asset, whether in a full or partial attack.

When covering the Attack Costing Framework in Appendix B, the Standard explains the requirement of “Layered security” in software tamper-response systems and technology. Such a layered approach must give consideration to layer numbers, relevance, and likely attack stages.

Promon’s products and technology work together in building protection layers for the MPoC software. So, for example, while the SHIELD RASP benefits by themselves are significant and add multilayered runtime security, they should be considered together with the solutions for obfuscation, software, and hardware attestation as well as cryptography. Together, these protections reinforce each other providing world-class, state-of-the-art protection.