By David Close
Contactless payments are revolutionizing the way businesses interact with customers. Whether you're managing a department store during the holiday rush or selling produce at a farmers' market, contactless payments extend your point of sale beyond the checkout counter. This is not only expedient for merchants and customers, but also for acquirers, banks and ISOs.
CPoC is a PCI Security Standards Council (PCI SSC) standard and is short for Contactless Payments on COTS; COTS stands for a commercial off-the-shelf device such as a smartphone. The contactless payments are conducted with near field communication (NFC) chips embedded in most modern COTS devices. (The PCI SSC is in the process of evolving its mobile security standards, bringing both PCI Software-based PIN Entry on COTS (SPoC) and CPoC under a single standard called Mobile Payments on COTS.)
CPoC eliminates the need for card-reading hardware, lowering the cost to entry for merchants of all sizes. It also provides a high level of security. Payment data is encrypted and sent to back-end systems for attestation and monitoring—after which it is securely processed—all with no manual PIN entry required. Customers can pay quickly and without hassle. Large merchants gain agility and scalability, while smaller merchants are able to rapidly meet customer demand.
The payments ecosystem continues to shift as merchants quickly respond to consumer needs impacted by the pandemic. Mobile POS devices are already ubiquitous, and CPoC-based solutions have gained momentum in the past 12 months. How can contactless payments spur more sales in less time? Imagine a busy retail store on Black Friday. If the store deploys a CPoC solution, its employees can process customer payments anywhere in the store using CPoC-enabled mobile devices, preventing long checkout lines from ever forming. CPoC is a low-cost, high-efficiency way for merchants to improve the customer experience by offering a level of convenience closer to online shopping.
Part of the CPoC specification is a Federal Information Processing Standards (FIPS)-validated random number generator. That's where a FIPS 140-2 Level 3-validated hardware security module (HSM) fits in: to securely process transactions (including cloud payment processing), authenticate devices and remotely load keys. CPoC transactions can use DUKPT (derived unique key per transaction), the same key management scheme already used in standalone payment terminals today.
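To show what the HSM actually does with DUKPT on the host side, here is an added Go example (not code from the article or from Futurex) of TDES DUKPT as defined in ANSI X9.24-1: the HSM derives the device's Initial PIN Encryption Key (IPEK) from the Base Derivation Key (BDK) and the device's Key Serial Number (KSN), then walks the 21-bit transaction counter to reach the per-transaction key. The function names are mine; the BDK/KSN values are the sample values published with the standard, not keys from any real deployment.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constants defined by ANSI X9.24-1 for TDES DUKPT.
var (
	keyMask    = mustHex("C0C0C0C000000000C0C0C0C000000000") // applied when deriving the left key half
	pinVariant = mustHex("00000000000000FF00000000000000FF") // turns a derived key into the PIN encryption key
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// desEncrypt encrypts one 8-byte block with single DES.
func desEncrypt(key8, block []byte) []byte {
	c, err := des.NewCipher(key8)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// tdesEncrypt encrypts one 8-byte block with two-key TDES (K1 K2 K1).
func tdesEncrypt(key16, block []byte) []byte {
	key24 := append(append([]byte{}, key16...), key16[:8]...)
	c, err := des.NewTripleDESCipher(key24)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK computes the Initial PIN Encryption Key the HSM injects into a device:
// the 64 most significant KSN bits (counter cleared) encrypted under the BDK form
// the left half, the same block under BDK XOR keyMask forms the right half.
func DeriveIPEK(bdk, ksn10 []byte) []byte {
	base := append([]byte{}, ksn10[:8]...)
	base[7] &= 0xE0 // the 21-bit counter spans the low 5 bits of this byte plus ksn[8..9]
	left := tdesEncrypt(bdk, base)
	right := tdesEncrypt(xorBytes(bdk, keyMask), base)
	return append(left, right...)
}

// nonReversibleKeyGen is the X9.24 one-way step: the new key depends on the old key
// and the KSN register, and the old key cannot be recovered from the new one.
func nonReversibleKeyGen(key, reg []byte) []byte {
	r := xorBytes(desEncrypt(key[:8], xorBytes(key[8:], reg)), key[8:])
	k := xorBytes(key, keyMask)
	l := xorBytes(desEncrypt(k[:8], xorBytes(k[8:], reg)), k[8:])
	return append(l, r...)
}

// DeriveKey walks the set bits of the 21-bit counter from most to least
// significant, applying the one-way step once per set bit (at most 21 steps),
// so a compromised transaction key exposes neither the IPEK nor earlier keys.
func DeriveKey(ipek, ksn10 []byte) []byte {
	key := append([]byte{}, ipek...)
	reg := append([]byte{}, ksn10[2:10]...) // 64 least significant KSN bits
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5] &= 0xE0
	reg[6], reg[7] = 0, 0
	for bit := uint32(1 << 20); bit != 0; bit >>= 1 {
		if counter&bit == 0 {
			continue
		}
		reg[5] |= byte(bit >> 16)
		reg[6] |= byte(bit >> 8)
		reg[7] |= byte(bit)
		key = nonReversibleKeyGen(key, reg)
	}
	return key
}

// DerivePINKey is the host-side HSM's per-transaction job: rebuild the device's
// current key from BDK and KSN, then apply the PIN-block variant.
func DerivePINKey(bdk, ksn10 []byte) []byte {
	return xorBytes(DeriveKey(DeriveIPEK(bdk, ksn10), ksn10), pinVariant)
}

func main() {
	// Sample BDK and KSN published with X9.24 (not secrets from any real deployment).
	bdk := mustHex("0123456789ABCDEFFEDCBA9876543210")
	ksn := mustHex("FFFF9876543210E00001")
	fmt.Printf("IPEK:    %X\n", DeriveIPEK(bdk, ksn))
	fmt.Printf("PIN key: %X\n", DerivePINKey(bdk, ksn))
}
```

The security property worth noticing is in DeriveKey: the BDK never leaves the HSM, the device only ever holds the IPEK and a small set of future keys, and because each step is one-way, extracting the key used for one transaction does not reveal the keys used for earlier ones. Newer deployments use the AES variant from X9.24-3, which follows the same structure with AES in place of TDES.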
In addition, most current mobile devices have secure enclaves: a dedicated, isolated processor and memory, walled off from the main application processor, that provides extra protection for keys and sensitive operations. At the application layer, there is typically white-box cryptography, which combines encryption and obfuscation to embed encryption keys within the application code.
What's ahead in payments? As consumers grow more comfortable with mobile and contactless payments, CPoC will expand in use. For example, most consumers now have contactless credit and debit cards with an embedded NFC chip, which allows them to communicate with contactless-enabled payment terminals. To complete a transaction, the consumer simply places their card near the terminal.
This is becoming commonplace in grocery stores and major retailers, but imagine being able to pay this way at pop-up shops, food trucks, arts and crafts festivals, and sporting event concession stands. For micro merchants, CPoC is an easy way to expand business—and improve the consumer experience—without the startup costs and hassle.
What are we seeing in terms of new developments? New devices, new terminals, new phones and new wearables with contactless and mobile payment functionality. However, the right software is needed. Merchants are looking to implement SoftPOS (software point of sale) solutions that enable them to accept card payments directly on their mobile devices without additional hardware.
With the payment ecosystem moving away from cash and contact, what we might see less of is actual wallets, with mobile wallets gradually taking their place.
David Close is chief solutions architect at Futurex, a trusted provider of hardened enterprise data security solutions. He is a subject matter expert in enterprise key management best practices and systems architecture and infrastructure design. Contact him at linkedin.com/in/davidclose or www.futurex.com.