Tap-to-pay app developers work to maintain security without POS readers

The rapid adoption of digital payments over the past 18 months is bringing more attention to a category of payments that lets merchants accept contactless cards and mobile wallets with just an app on a smartphone.

Juniper Research estimates there were 3.2 million handsets capable of using apps to accept contactless payments on phones worldwide in 2021, and it forecasts that will grow to nearly 24 million over the next four years. This adoption will be driven by card network initiatives like Visa's Tap to Phone and Mastercard's Tap on Phone, along with independent systems like the Polish fintech SoftPos.

However, the biggest advantage of POS apps is also their biggest weakness. Because they run on common handsets without additional hardware, they are exposed to abuse, especially on Android devices, which allow users to install apps from outside the system's built-in app store, providing an avenue for malware infection.

“These risks require the [POS] software to take over some of the security responsibilities that were previously performed by the certified device,” said Asaf Ashkenazi, chief operating officer and president of the French cybersecurity company Verimatrix. “It must be able to protect itself from attacks independently of the device it runs on.”

[Image: phone and tablet NFC. Caption: The security of tap-to-pay apps is taking the spotlight, with nearly 24 million handsets expected to support contactless payment acceptance by 2025. Credit: Adobe Stock]

That said, POS app security has been taken very seriously from the very beginning, according to Christian Damour, a consultant at the French payments security company FIME.

Most products undergo intensive evaluations to ensure that a whole range of security mechanisms from anti-rooting to anti-debugging are implemented in the mobile application before being authorized for deployment, Damour said.
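To make the "anti-rooting to anti-debugging" mechanisms concrete, here is an added illustration of the kind of runtime self-checks a tap-to-pay app can run on Android before accepting a transaction. This is example code written for this article, not code from FIME, Verimatrix, SoftPos or any card network; it assumes a standard Android app context, and the list of `su` paths is an assumed, non-exhaustive sample.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative runtime integrity checks for a software POS app.
 * These are local hints about the execution environment, not a certification mechanism.
 */
public final class RuntimeIntegrityChecks {
    private RuntimeIntegrityChecks() {}

    // Assumed sample of locations where a rooted device commonly exposes the su binary.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    /** Returns a human-readable list of risk indicators found on this device; empty means none detected. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();

        // Anti-debugging: a debugger attached at runtime.
        if (Debug.isDebuggerConnected()) {
            out.add("debugger attached");
        }
        // A build shipped with the debuggable flag lets tools inspect the process.
        if ((ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            out.add("application is debuggable");
        }
        // Anti-rooting: firmware signed with test keys usually indicates a custom or modified ROM.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            out.add("firmware built with test-keys");
        }
        // Anti-rooting: presence of an su binary in a well-known path.
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                out.add("su binary present at " + path);
            }
        }
        return out;
    }

    /** Convenience wrapper: true only when no indicator was found. */
    public static boolean environmentLooksSafe(Context ctx) {
        return findings(ctx).isEmpty();
    }
}
```

In practice an app would call `findings()` at launch and again before each tap, log the result to its back end, and refuse to process cards when indicators are present. Checks like these can be bypassed on a fully compromised device, which is exactly why the article's vendors pair them with server-side monitoring rather than relying on the handset alone.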

POS apps have been particularly embraced by the card networks, with both Visa and Mastercard creating their own development kits to try to make such technologies more widely available. Analysts anticipate that the low cost of the technology will encourage many smaller merchants to start accepting cards for the first time, further increasing the number of card transactions.

Mastercard addresses security through the use of cloud-based monitoring systems, which have compliance and certification requirements, and work to mitigate any attacks which could not be blocked at the mobile application level.

“We expect more innovations in this space in the coming months and years,” said Nili Klenoff, Mastercard’s senior vice president of global acceptance solutions.

The card networks are also running pilots for next-generation POS apps which can accept contactless transactions requiring PIN entry. The PCI Security Standards Council is expected to release specifications for this use case this year.

In the meantime, adoption of POS apps is spreading rapidly across Europe. Polish fintech SoftPos said that over the last 12 months, its product has entered markets in Spain, Hungary and Romania, and it expects to reach between four and five new countries in the months to come.

“Many of our clients own small stores or local restaurants, and have been only accepting cash before choosing SoftPos,” said Grzegorz Nowakowski, co-founder and vice president of SoftPos. “But on the other side we also have big companies from sectors such as food delivery, transport ticket sales or logistics, who have chosen our solution to be implemented into their native apps. That’s a very interesting and promising part of the market, as for example ticket sellers now can handle all the operations using just one app installed on one device, instead of two or three solutions.”

Given the rapid pace of POS app development, Ashkenazi says that there is a need for mandated security requirements from regulators.

“The payments industry has learned from the early days of mobile payment where rigid certification didn’t fit with a software-based ecosystem, slowing innovation,” Ashkenazi said. “While [POS apps are] reducing standardization and certification over hardware terminals, the industry must find the right balance between flexibility and security needs that will allow progress, but will not open the door to fraud.”
