EMVCo Certifies Trustonic to Secure Mobile Payments Apps

Mobile device and app security leader Trustonic today announces that its trusted execution environment (TEE)* solution is the first hardware-backed TEE to complete the EMVCo Software-Based Mobile Payments security evaluation process.

EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions. As such, this evaluation process confirms that the Trustonic TEE provides a robust security foundation that meets the requirements of software-based mobile payment (SBMP) and acceptance solutions.

“This technology is already protecting payment apps from small startups through to some of the largest OEMs and mobile payment providers in the world; all via a simple SDK,” comments Dan Rawlings, CCO, Trustonic. “This certification, and the adoption of Trustonic Application Protection in the financial sector, confirms what many fintechs, banks, payment schemes and mPOS developers already know. Trust, credibility and confidence are built and maintained with high levels of assurance, and combining software and hardware-backed security is the only way to achieve that when the stakes are high.”

The Trustonic Application Protection (TAP) development toolkit enables developers to easily build and deploy a range of secure financial applications including mobile payment, banking, and acceptance use cases like mobile point of sale (mPOS), ‘tap on phone’ and software-based PIN entry on COTS (SPoC). This protects mobile applications by securing sensitive code, data and processes in Trustonic’s heavily protected TEE. The environment continuously upgrades over the course of an app’s lifecycle to take advantage of the most advanced hardware and software security technologies available on smartphones. The platform includes Trustonic’s Trusted User Interface (TUI), which isolates and protects sensitive input and display user interactions from the device operating system – like PIN entry – in app user interfaces.

“Hardware-backed TEE technology plays a big role in enabling the mobile financial ecosystem to mature and achieve its potential,” adds Tim Hartog, Director Mobile Payments at Riscure, the independent security test laboratory that performed the security evaluation. “This is because hardware-backed TEE technology, like Trustonic’s TEE, can protect apps even if attackers have root privileges on the device. With Trustonic providing access to the TEE through TAP, solution developers are now able to effectively secure PIN entry on smartphones. This is a key enabler for using smartphones as acceptance devices.”

Dan Rawlings concludes: “The payments and banking ecosystems are leading the way when it comes to securing apps and data. As regulations like PSD2, SCA and GDPR evolve, privacy is pushed into the consumer domain, security is becoming a differentiator. Developers need to know that hardware no longer limits innovation and user experience, the flexibility of TEE security is nuanced and can be used to deliver simpler, richer and faster user experiences.”