It is difficult to imagine today how life would be without such ubiquitous commodities as the internet, cellphones, and the Internet of Things. In this mobile-connected world, everything and everyone may talk with one another at record speeds. But, as this seemingly futuristic reality comes true so also do new, semi-Orwellian fears; after all, it is now simpler than ever for anyone to observe and record the behaviors of tech users around the world. Hackers have the power to collapse vital systems and deliver sensitive information to the wrong hands on a mass scale. The time has come for a new superhero in the story: cryptography.
As access to mobile devices, smart phones, and the internet increases, the boundaries between malicious platforms and past security solutions dissipate. For example, it isn’t difficult to find applications that can connect to your existing social networks and identify your patterns, preferences, current location, and even the people with whom you associate. This has become a very powerful and convenient tool for merchants around the world, who are interested in expanding their customer bases and enhancing the customer service experience they provide to the max. The expected growth rate for 2020 on the use of mobile commerce is around 38% for people ages 21 to 75, meaning that much of revenue for retailers will be generated by mobile application payments in the near future.
Much like with merchants and retailers, the story has changed when it comes to mobile banking services. Banks have developed a strong network of acquirement affiliates by using mobile point-of-sale (POS) devices, which are regulated and deployed under the rules of PCI compliance. These electronic devices have gained popularity in developing markets such as the micro-merchant segment by allowing electronic payments to take place in a secure and cost-effective manner. On the payment side, the larger banks, meaning those that issue millions of credit and debit cards per year, have also jumped aboard the mobile payment train by launching secure wallets and affiliated banking applications. By using these applications, bank members can pay with their cellphone at any retail place that has a contactless QR reader. Members can also link these transactions to a loyalty or rewards program set up by their favorite merchants.
While the aforementioned applications are convenient advancements in the payments industry, they also pose new and dangerous cybersecurity threats for users. Banks and merchants must take new measures to protect themselves from security breaches. Compliance and protection start with a firm commitment to protecting an organization against fraud. Mobile payment platforms must be regulated by security standards such as PCI DSS. Card brands including Visa, Mastercard, American Express, JCB, China Union Pay, and more can expand and shield their platforms by taking control of all other components in the equation. This control is accomplished via cryptographic solutions, maintained in hardware security modules (HSMs). While there are several factors that go into maintaining a secure hardware cryptographic environment, three of the most important elements are described below.
Code Signing: Code signing is one of the best ways to secure the intellectual property of an organization. Code signing makes sure that every single change made in an application is tracked and authorized. It also ensures that the application has not been altered during any previous authentication processes.
Mutual Authentication: Mutual authentication is done using TLS certificates generated within a hardware enterprise infrastructure using a trusted certificate authority. For every connection to the HSM established from a mobile application that may involve sensitive information extraction or payment transaction, the HSM will authenticate that the user has the required permissions to be granted access. Mutual authentication is an additional level of security to protect the exchange of encrypted messages.
Data Tokenization: In order to reduce the scope of liability and minimize the risks for potential data leaks, it is necessary that all data stored permanently or temporarily within an HSM is encrypted. Tokenization is a secure method that preserves data format (in FPE configurations) and generates a token of clear text data for use in transactions involving sensitive information. This token can be reversed for certain operations using HSM-secured detokenization algorithms.
Futurex offers a wide suite of HSMs and solutions for data security. For more information on how Futurex HSMs protect the most sensitive data on the market, reach out to a Futurex Solutions Architect.