Testing 1, 2, 3: How to Ace mPOS Functional and Security Testing

by Christian Damour

The explosion of mobile point-of-sale (mPOS) technology has seen a host of new players enter the market, each seeking to carve out a place in a global market predicted to grow by 40% every year until 2018 (Smart Insights). Before an mPOS terminal product can be launched, however, manufacturers must first prove that it is fit for purpose, or risk the long delays and major costs commonly associated with re-engineering a product. To this end, addressing the functional and security requirements while the product is still in early-stage development is a must.

There are a number of key stages to achieving this goal. Mastering each of these (usually with the help of a specialist partner) gives mPOS manufacturers the confidence to bring their solutions to market quickly, efficiently and cost-effectively.

Functional testing is an integral part of the development stage, as mPOS terminals must align with the EMV Level 1 and Level 2 contact (and, if required, contactless) specifications. Level 1 covers the electromechanical, electrical and transport-protocol interface between the card and the reader; Level 2 covers the payment application kernel that processes the transaction. This process, however, can present challenges. In a traditional POS terminal, all of the components are standardised and integrated by one vendor, which makes the testing process relatively simple. In contrast, the complex nature of mPOS means that the user interface, software kernel, PIN pad, card reader and the mobile device itself are often disparate components from different suppliers. This lack of standardisation can delay time to market and generate unforeseen development costs.

To better support the functional testing requirements of mPOS manufacturers, EMVCo is examining how the existing EMV Specifications can be evolved. Compliance experts such as FIME work closely with EMVCo, as a Technical Associate and a member of its Board of Advisors, to contribute to the latest developments.

In time, a coherent testing framework for mPOS will emerge. Until then, however, manufacturers must use and adapt the existing specifications. By understanding EMV Level 1 and Level 2 testing, and recognising the challenges mPOS presents, functional testing can be performed quickly and efficiently. That said, EMVCo does not offer assistance in clarifying its requirements, so manufacturers will benefit from seeking the advice of specialist third parties to ensure they are appropriately resourced to manage this stage of the testing and certification process.

Security testing is another essential stage in the development of an mPOS product. Arguably, mPOS terminals need to meet even more rigorous standards than traditional POS terminals. A smartphone is a general-purpose device that is constantly active, connected over 3G and 4G, and running third-party software, and it is therefore exposed to malware; the mobile device cannot be trusted to protect card data or PINs on its own. For this reason an mPOS solution consists of two elements: a dedicated hardware card reader with its own PIN pad, which is entirely independent of the mobile device, and an mPOS application that typically resides on the mobile device. Both elements must be subjected to stringent security testing and certification.

The Payment Card Industry (PCI) Security Standards Council (SSC) manages a number of security standards with which all mPOS devices must comply. The PCI SSC established the PIN Transaction Security (PTS) programme to address the security evaluation and approval of payment devices; its Point of Interaction (POI) requirements apply to terminals, including the mPOS card reader and PIN pad. Additionally, Visa, together with numerous local schemes, has its own requirements.

Manufacturers cannot consider these security standards as an afterthought; non-compliance will prevent their products from interoperating appropriately, proving costly, if not entirely prohibitive, further down the line. The testing and compliance work here commonly breaks down into three phases:

Scoping – This is undertaken to assess which security requirements are applicable to the device.

Pre-assessment – This phase is designed to review all of the documentation in order to evaluate the device’s security during the development phase.

Security evaluation – Undertaken by a PCI SSC accredited laboratory, this includes a documentation review, source code review, penetration testing and a rating of the hardware and software's resistance to attack, expressed in PCI PTS as an attack-potential calculation that weighs the time, expertise and equipment an attacker would need.

Again, as with EMVCo, it is worth noting that the PCI SSC does not offer assistance in clarifying its requirements, so identifying a partner will save manufacturers time and money.

Happily, mPOS manufacturers are not alone in their quest to conquer the testing environment. Those that are willing to partner with sector specialists will save the most time and money, both by accelerating time-to-market and by improving the robustness of their products post-launch. Timing is everything in today's early-stage, high-growth mPOS market. For many manufacturers, the time taken to achieve the required technical interoperability, certification and compliance with industry standards could spell the difference between gaining first-mover traction and getting lost in the pack. With this in mind, these truly are 'testing times'.