Anna Delaney: Software point of sale, or SoftPOS, is a groundbreaking technology which allows businesses to accept card payments directly on their phone or devices without requiring any additional software. But as this new payment method gains widespread international adoption, what does this mean for the security of our payment systems? Hello, I'm Anna Delaney and welcome to Sound Off, the show where we explore one topic in under 10 minutes. And with me to discuss how SoftPOS is changing the payments landscape is Troy Leach, previously CTO of the PCI Security Standards Council and now security executive in residence at Cloud Security Alliance. It's a pleasure to have you join us, Troy, thank you so much.
Troy Leach: Thank you, Anna. Appreciate the opportunity to come and talk about an innovative thing that's happening in payments right now.
Delaney: Absolutely. Let's start off by talking about SoftPOS, and the general trend of migration to everything in banking, moving from hardware terminals to software.
Leach: I think the pandemic helped to accelerate some of this interest, especially when we look at, so we probably should first define, what is SoftPOS. It's software-only point of sale. So, these are devices that by themselves are not required to have some type of light dongle to attach to a phone, like you see with the more traditional Square-type payments; these are just using an app within a phone, using NFC, and then being able to have commerce. And we're seeing more interest in contactless payments and the use of NFC. And up to recently, it was just for that 60% of the market. That was Android devices that were driving some of these opportunities. But I feel we're in this renaissance of payments. We see, you mentioned I have been formerly with PCI Security Standards Council. They've been working for years on several mobile standards. In fact, they are about to meet this month and talk more about an upcoming standard called the mobile payment on COTS as acronym. So the COTS is commercial off-the-shelf devices. These are just the Android, iPhones, whatever device you want to go by, and then turn it into a mobile payment source. So, it's changing how small merchants who, before, they couldn't have a hardware-dedicated terminal, the cost may have been too prohibitive in their minds, at least. And so, we're starting to see organizations that - I saw a report from Keiser that said, there's about 120-130 million merchants around the world that do not use any form of payment card acceptance today, simply for these reasons. And so, I think there's an opportunity going forward for us to see small merchants be empowered and start to have parity. Regardless, if you're in Africa, South America, China or the U.S., you are starting to have a more fair playing ground to be able to accept any form of payment.
Delaney: You've defined SoftPOS. How is it redefining the payment acceptance space?
Leach: So, I think it's looking at security and payments differently. So, starting with payments, I mentioned the opportunities that exist. So, there's no longer a hardware dependency, per se; there is the preference to have a TEE (trusted execution environment). These are little enclaves and protected areas within mobile devices. Many mobile phones do have these, also looking to the cloud. And so, we're seeing all these applications as a service that are being run, and starting to use something called confidential computing, and providing a way that you can protect information that previously, we hear all these stories about payment data being stolen in memory, and memory scraping and these types of activities. And now, we have a way to maybe have full encryption all the time to the more sensitive parts of data. And so, I think that's enabled SoftPOS and other types of payments to flourish in the last two to three years. It's funny, we would think about this, the mobile devices themselves, iPhones have only been around for 15 years. The strike, maybe a decade or so. And so, we're moving quickly and accelerating how we form and accept payments through wearables now. Just went to Disney World and essentially, didn't need to take my wallet or my phone. I could use everything related to a little wristband and even my daughter could pay for anything that she wanted. So I think we're in a fascinating time. Now, with that comes the ability and need to secure things differently. And I think where the industry struggled was there was a need to change to, rather more at the station monitoring, more analytics to the types of activity we're seeing in different types of payment environments. And some of the early adopters were saying, "Well, we have the secret sauce, that's a great secret sauce, but it's proprietary, so I can't share it with you."
And for us in the security field, we say, well, "It's one thing to say you're protecting consumers' data, it's another thing to show and prove and attest that you're doing that." And so we're starting to build an understanding of the need for demonstration of the good protections that are in place. And I think we're getting there. And today, I think the SoftPOS markets, about six million devices, there are many different analysts that are bullish to say within the next four to five years, that's going to be 35 million or more devices that are going to be SoftPOS-enabled. So, I'm excited to see what this is actually going to entail for the U.S. market, but then just the global market as well.
Delaney: But, of course, there's the flip side, as you mentioned, you alluded to security concerns. I do want to know more about your concerns, as we become increasingly dependent on these systems.
Leach: Yeah, I think part of it gets down to the philosophy. So, what's been around for about 10 years, but gaining traction right now, is the philosophy of zero trust. And so, having this approach, where we need to isolate down to what we're trying to protect, having smart identification of that edge and the protection surface that we're trying to guard and then having the right access controls. And going forward, we're going to see a need for higher levels of multi-factor authentication, we're going to see a need for better monitoring and understanding, and being able to demonstrate that. One of the things I like that the non-profit Cloud Security Alliance did is they created a framework that maps to 39-40 different frameworks that exist for different financial security protections. So, PCI, some of the Sarbanes-Oxley, GDPR, all of these can map back to a basic framework. And from there, then you can start to test and demonstrate that what you're doing is actually going to meet and adhere to not just one or two or three, but possibly 18-20 different types of local legislation, because that's the other thing that's happening right now is we start to see in the last several years, a splintering of what is good enough payments security, so many of these states here in the U.S., I think 38 states have incorporated some form of new cybersecurity laws in the last two years, we start to see data localization, where countries like India have submitted bills. They just recently in July withdrew a bill about how sovereign the data needs to be in India, we see China, Russia and other countries, even Europe starting to explore data localization. So all of these are going to play a part in how successful and innovative we can be if you have to be just very acute of where that data is going to transition.
Delaney: So, I know you've been working with SoftPOS, just talk to us about what your work is involved so far.
Leach: A lot of the work has been in my prior role at PCI and the work that they're currently doing, and I hope to see a standard out in the near future that's going to provide guidance on how do we go about taking and creating full security because it's not just the security of what people think of, that 15-16-digit credit card number. But we're also talking all of the authentication data as well. So, the PIN number, which has always been something that had to be through a hardware security module, and hardware-based encryption. Now we're starting to look and realize it's 30-plus years old, and maybe there's other ways that we can authenticate even better than what a PIN previously provide, consumers and banks alike. So, that's part of the work is guiding some of those that are exploring that area, but also we talked about as a service. And through Cloud Security Alliance, we are working with a whole bunch of financial institutions doing pilots around all of these small FinTech companies. So there are thousands of small software-as-a service providers that are providing some form of payment solution to these banks. But they're so small that they don't have the large compliance budgets to be able to do a demonstration of an ISO 27000. So what can we do? What level of security and assurance can we provide? Are these small companies just starting to enter into the financial market, a way that they can demonstrate to large banks that they are doing the right, proper due diligence in the work that they're going to be supporting for those banks.
Delaney: Troy, I have so many more questions, but we are out of time. We only have 10 minutes. So, Troy, this has been so useful. Thank you for your insight and joining us on Sound Off.
Leach: Thank you, Anna. Appreciate it.
Delaney: I've been speaking with Troy Leach and for ISMG, I'm Anna Delaney.