Securing Mobile Payment Applications with Tokenization
So whether you are deploying mobile payment collection apps or developing them, these security factors expose you to risk and liability. One path is to ensure that every mobile device that collects payment card data falls under your PCI compliance scope. Obviously, as the number of devices, the OS versions they run, and the ownership of those devices expand, keeping them all compliant is, well, almost impossible, or incredibly expensive, labor intensive, and use-restrictive.
A better path to take is to tokenize all payment data as it is being entered on the device, either from a swipe reader or manually. TokenEx provides two methods to keep mobile data secure.
- Apps running natively on iOS or Android that collect payment data can use any of the standard public key encryption libraries to connect to the TokenEx Web Services APIs.
- A browser-based collection application on a mobile device can use TokenEx Browser-based Encryption (Little BBE), designed for mobile operating systems.
Both methods ensure that no app or browser page on the device ever captures or stores the PAN and other card details. The PAN is encrypted immediately on swipe or manual entry and sent to the TokenEx Cloud Security Platform to be vaulted and tokenized. The token is returned to the app's backend systems and used to complete the payment process. TokenEx then forwards the actual PAN to the payment processor of your choice.
For a mobile app developer, this ensures that your systems, the systems of your customers who deploy the app, and the person using the device with the app are not handling the payment card data at all. Plus, you or your customer get to choose the payment processors you work with, relieving you of handling any of the payment processing yourself. All PANs flow through the TokenEx Cloud Security Platform, not your systems. That's a huge support and risk issue off your plate.
Risks for Mobile Payment Applications
The growth of mobile payments is expected to rise to 47 billion transactions in 2015. That's a lot of payment data being collected and transmitted that is potentially open to hackers. iOS apps are carefully vetted by Apple and can be tightly linked to Apple Pay, which has proven secure so far. But for many organizations, Apple Pay processing is too expensive, especially for not-for-profits.
Android devices are unfortunately not as well protected as iOS and are the target of most of the malware distributed through app stores. It's estimated that over 5 billion Android apps are vulnerable worldwide. If that's not bad enough, aggressive adware, which can track and transmit all types of information from Android devices, can put other apps at risk.
A third front for mobile security risk is the growing number of apps provided by businesses, such as those distributed by enterprise developers through business app exchanges. These can use undocumented APIs, inappropriately, that can potentially allow malware to invade a device. This is a threat even for iOS, because these enterprise exchange apps do not have to go through Apple's rigorous testing, where using an undocumented API disqualifies the app from the store. So an incorrectly coded iOS app on a business exchange can be vulnerable to malware, potentially exposing all the other apps on the device as well.
Ask Us How to Secure Your Mobile Apps
Our clients depend on TokenEx to provide a complete and customizable tokenization solution for their omni-channel payment streams and PII data. Let us explain how a unified cloud tokenization platform and unique technology such as the transparent gateway and mobile integration can help your organization secure all types of data, limit the scope of PCI compliance, and streamline your payment processing. Contact us today to set up an appointment to discuss your specific challenges.