COTS Is a Myth
It’s a positive, hopeful one. But, for the time being, a myth just the same.
By Cliff Gray • Cliff Gray; CTO gatheringand
The landscape of payments technology is rapidly evolving in many directions, serving previously unserviceable merchant environments and supporting electronic payments where they were once unsupportable. It’s easy to dismiss the role mobile technology plays in this revolution. These phones-in-name-only pack all the power of a computer into a handheld device, while eliminating power cords, modems, and network cables.
Customer Off-The-Shelf (COTS) technology suggests that a merchant can purchase an Android or Apple device from a retailer of their choice, then use that device as a point-of-sale terminal. Even considering today’s rapidly evolving payments technology, that’s a bold assumption. Beyond violating numerous acquiring and PCI data-security regulations, such an implementation poses significant security challenges.
Modern POS devices are bastions of virtual and physical security. Housings, for example, are tamper proof. The simple act of removing a screw holding the case together will cause the operating software to self-destruct, rendering the device useless. The operating system itself, embedded firmware like network handlers and encryption tools, and installed software all incorporate multiple layers of security to protect sensitive cardholder data. These devices must meet rigorous standards from banks, processors, and network brands.
In fact, security strategies demand that no such capability be supported -
Overseeing it all, PCI and the EMV standards safeguard merchants against sensitive data compromise. Even more important, they protect those same merchants from themselves, so they can remain focused on their business.
Practically speaking, therein lies the first half of the problem: POS is all these devices do. They’re excellent at securing and obfuscating sensitive data while performing transactions, but they aren’t designed to assimilate third-party software packages and functionality. In fact, security strategies demand that no such capability be supported. You don’t build a fortress around a henhouse only to let the fox stroll right in.
The other half of the problem is that phones do everything except payments. For roughly the same price as a POS device, a modern phone does everything a phone is supposed to do, and a great deal more. A wide array of functionality comes as standard equipment, plus the ability to easily download and install software from a vast catalog of options and providers. This describes the underlying false promise of COTS, that merchants can use their devices as they've always seen fit, with payment acceptance as just another app they can download.
Primary Concern
The merchant economy must be able to accept payments securely. Sellers need protection from themselves as much as from hackers and charlatans. This is the primary concern throughout the industry, and typically tops the cost side of an enterprise’s balance sheet.
Manufacturers, banks, and independent software vendors spend significant capital certifying POS devices and deploying them securely. Any product strategy that undermines trust in the device executing the specified tasks, solely for the sake of customer convenience, deserves to be regarded as a myth.
Ingenico and Verifone, the dominant POS device makers in North America, are well on their way to embracing the mobile revolution. They and others now deploy Android-based terminal devices in multiple form factors. Square and Clover have developed next-gen offerings built on Android, and they consistently invest in complementary mobile functionality.
In these cases, however, the end devices that accept the transaction are “hardened,” designed to defend against physical attack, while handcuffing the operating system to fend off digital assaults. Third-party applications cannot be downloaded or installed. From a data-security standpoint, these devices are no different from the proprietary platforms that still dominate the marketplace. They just happen to use a different operating system.
EMV technologies represent huge steps in the right direction, providing proven security frameworks worldwide -
There is reason for optimism, however. EMV technologies represent huge steps in the right direction, providing proven security frameworks worldwide. Universal tokenization, a core tenet of EMV, will eventually render a cardholder’s account number valueless.
And it’s important to showcase the experience of the Android development community, highlighting its decision to adopt the tokenization model right from the beginning. (Alongside iOS, for that matter—both Google Pay and Apple Pay incorporate EMV tokens.)
Signs of Progress
One obvious hurdle remains. Magnetic stripes, which contain the consumer’s unencrypted Primary Account Number (PAN), are required as fallback to EMV in the United States, the only country where this is still the case. This hobbles POS product evolution, much less merchant environments, with obsolete, brutally insecure credentials.
Mag-swipe data is the catalyst behind the semi-integrated revolution. You need only look to the European Union, most of Asia, or many other regions where EMV-only infrastructures result in card-fraud numbers that are a fraction of those in the U.S.
Protected-memory environments can frighten even for the most seasoned developers.-
PIN debit will be difficult as well. Two-factor authentication with a secured PIN is a challenge in any mobile environment. Protected-memory environments can frighten even for the most seasoned developers. PIN-on-Glass will eventually prove viable in many cases but must overcome accessibility design issues.
Signs of progress include Mastercard’s plan to retire the magstripe. Visa has implemented a penalty fee for card-swipe transactions but has yet to announce hard dates to sunset the swipe altogether.
Once in-the-clear swipe data is removed from payment ecosystems, the U.S. will finally benefit from the global EMV strategy, leveraging secure communications and tokenization to eliminate major fraud vectors. When card numbers are replaced by tokens throughout, a 3-year-old Pixel 5 will be as secure as anything else.
Nobody would question that mobile payments are here, and could largely replace legacy POS platforms in many use cases. The question is, how long before you can buy a POS terminal at the Apple Store?