Contactless payments are no longer the future - they're now. Worldpay's Global Payments Report 2021 predicts that by 2024, cash will account for less than 10% of in-store payments in the US and 13% of payments worldwide, while digital wallets will account for one in three in-store payments globally (33%).
Near Field Communication (NFC) enables short-range communication between compatible devices, offering unprecedented convenience, sleek usability, and immediate connection for the payments industry. In 2000, Verimatrix (in its former guise as Inside Secure) pioneered this technology with the R2R patent (Reader to Reader). Since then, this technology has brought on a slew of new and exciting payment use cases like digital wallets, tap to phone, and contactless payments. However, now that payments are moving from hardware to software, there are also new - and less exciting - vulnerabilities that must be addressed. Here are a few best practices to help keep NFC payments secure:
Solve for User Error with Environmental Checks
Here's the truth: malicious hackers aren't the only causes of security breaches. In fact,
according to a study by IBM, human error is the main cause of 95% of cyber security breaches.
However, this doesn't mean that developers and security teams don't need to solve for user error. If a device is stolen, or if a merchant deliberately chooses to undermine the native security controls of their mobile device by "jailbreaking" or "rooting" it, this increases the risk of malware infection and puts the technology you've built in a vulnerable position.
Creating an automated check network will ensure that your payment software executes as intended, even if it is running in an unsafe environment. A robust security approach to environmental threats will allow you to adjust your app's reaction based on the detected threat. Rather than disabling your app altogether, customizable tools will allow you to manage risk and define your own appetite. This means you will be able to block certain features of your app if it is operating in a vulnerable environment, rather than shutting down the entire app at once. Ultimately, customizable tools help you protect your technology and the end user's experience.
Keep Encryption Keys Safe and Hidden
The delivery and storing of financial data require encryption. Exposed cryptographic keys are a known vulnerability in app code, especially for payments technology. Proper protection of keys and obscuring algorithms will keep critical payment applications and data safe - even if a hacker has complete access to the device on which the algorithms are executing.
Of course, securing the keys that unlock your cryptography goes beyond protecting them within the mobile app code. Key management also needs to be carefully considered, including who holds the keys, how they are generated and distributed, the process for rotation (i.e., creating new and retiring old keys) and how the keys are protected when stored. Without the proper handling of keys during their life cycle, the keys could be disclosed, modified, or substituted by unauthorized personnel who could then intercept sensitive cardholder data.
The complexities required to create strong and efficient whitebox cryptographic implementation means that most people developing payment technology will outsource the task to an expert external vendor. This can add further and unnecessary complexity to your key management. However, remaining in control of your keys is the best practice even if you do choose an outside security vendor for key management. Traditionally, security vendors provide a software library, which means that the vendor controls the keys that "unlock" the whitebox. If the keys in this library are shared between multiple customers, someone else's insecure application can put yours at risk.
However, whitebox cryptography with Verimatrix gives you the best of both worlds - you get to maintain total control of your keys while depending on a trusted partner to keep your operation secure.
Proper Implementation of the Right Security Tools
Payments is a regulated industry, before products can be launched they typically have to approved by key stakeholders. This often involves independent security audits. It is critical to correctly implement security solutions to ensure they safeguard data and payments to a reasonable and appropriate degree. The minimum bar for market entry is often defined in industry specification.
No cybersecurity solution is a magic box that solves all your problems. The right tools must be properly integrated and configured to guarantee the effective protection of your system and network. This can be mysterious for many organizations because app protection is a low level and intricate task. Without the specific knowledge to configure the tools, your setup process will often be time-consuming.
The best approach is to source your security tools from a vendor with proven experience in payments space. A vendor that understands not only the security aspects but the process and audits you will be required to complete - that way they will be able to keep the journey smooth for you. Partnering with a trusted vendor (especially one that can offer zero code implementation) significantly decreases the burden on your team.