New Opportunities for iPhone Mobile Payment Application Vendors:

Leveraging NFC and Ensuring EMVCo Compliance

In today’s digital economy, secure payment systems are essential for protecting sensitive financial data and maintaining consumer trust. EMVCo, a global technical body, has established the Security Evaluation for Software-Based Mobile Payment (SBMP) program to assure robust security of such solutions. This program provides a methodology for evaluating the security of mobile payment applications against evolving threats.

Developing Contactless Payment Applications for iPhone

The recent opening of NFC capabilities to iPhone developers, through Apple's support for Host Card Emulation (HCE) transactions in third-party apps, has unlocked exciting opportunities for vendors of mobile payment applications.

Starting with iOS 17.4, which includes APIs that support contactless transactions, developers can now build iOS applications that leverage NFC technology to enable secure, contactless payments without relying on additional hardware.

By integrating NFC capabilities, vendors can create innovative payment solutions, enhance interoperability across platforms, and stay competitive in the growing mobile payment market.

However, such applications must comply with the strict security standards defined by EMVCo to ensure data protection and sufficient defense against different types of attacks.

Building Secure iOS Applications: Leveraging Apple’s Ecosystem and Designing Robust Architecture

The closed iOS ecosystem offers significant advantages for applications handling sensitive data. Its tightly controlled hardware-software integration, rigorous app review process, and uniform security updates provide a robust foundation for safeguarding user information. By restricting third-party app stores and limiting unauthorized modifications, Apple minimizes potential vulnerabilities, creating a more secure environment for both developers and users.

Nevertheless, while the ecosystem provides strong built-in protections, the ultimate security of an application depends on its architecture. Developers must prioritize secure design principles, such as data encryption, secure API communications, and robust session management, to ensure sensitive data remains protected, even within a secure operating system like iOS.

Creating a secure iOS application also presents diverse challenges, including protecting sensitive data, implementing jailbreak detection, preventing reverse engineering, and rigorous management of cryptographic keys.

To address these challenges, developers must not only leverage Apple’s built-in security features but also adopt secure coding practices and design resilient architecture. Furthermore, the implementation of these security measures should undergo thorough evaluation in accordance with the methodology defined by EMVCo to ensure their effectiveness in protecting sensitive information.

What is the EMVCo SBMP Certification Program?

The EMVCo SBMP certification program is designed to assess the security of software-based mobile payment solutions, which rely on mobile devices to process transactions. Unlike hardware-based solutions, which use secure elements, software-based solutions depend on advanced security techniques such as white-box cryptography, code obfuscation, and runtime protections to protect sensitive data.

The program evaluates payment applications against a set of security requirements, ensuring that they are resilient to common attack vectors, such as reverse engineering, tampering, data extraction, etc. Achieving compliance with the SBMP program demonstrates that a payment solution meets industry-recognized security standards.

Security evaluation for EMVCo certification must be conducted by an EMVCo-recognized laboratory.

The Role of Independent Vulnerability Analysis and Penetration Testing

Independent security assessments that include vulnerability analysis and penetration testing add an additional layer of assurance.

The rationale behind this is as follows:

  • Uncovering Hidden Weaknesses
    Independent evaluation can identify vulnerabilities that may be overlooked during in-house testing, as it provides a fresh perspective and leverages external expertise. The penetration tests simulate real-world attack scenarios, providing insights into potential weak points in the application’s design and implementation.

  • Evolving Threat Landscape
    Cyber threats are constantly evolving. Independent penetration testing ensures that your application is resilient to emerging attack techniques, staying one step ahead of potential adversaries.

  • Building Trust
    Demonstrating that your payment solution has undergone rigorous independent testing can enhance stakeholder confidence. It reassures partners, customers, and regulators that your application prioritizes security.

  • Regulatory and Industry Compliance
    Many regulators and industry partners require independent security assessments as part of their approval processes. Proactively conducting these evaluations can streamline certification and compliance efforts.

IS Laboratory’s Offer

As a laboratory accredited by EMVCo, IS Laboratory performs EMVCo SBMP security evaluations, including code and documentation review, vulnerability analysis and penetration testing to ensure compliance of the solution with EMVCo standards.

IS Laboratory offers EMVCo SBMP security evaluations of mobile solutions for both platforms: Android and iOS.

If you are in the development phase of your payment solution for iOS and planning to obtain EMVCo certification, this is an excellent moment to request a proposal for our services.

Moreover, IS Laboratory can organize workshops on mobile security and security evaluation requirements, and perform a gap analysis to help you prepare for a formal security evaluation.

If you have any questions regarding any service that IS Laboratory can provide for vendors of software-based mobile payment solutions, please contact us at contact@is-laboratory.com.