We use a smartcard (Mifare DESfire EV1) that supports AES encryption. The nice thing about this solution is that the mobile phone never needs to get access to the secret key and that we can still verify the authenticity of the card. The secret key will only be known to the software (the payment system) and the card. The process is quite simple and described in the diagram below.
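The property described above, that the phone only relays bytes while the payment system verifies the card, is easiest to see in a small challenge-response model. The following Python is an added illustration written for this page, not Cyclos code and not the DESFire EV1 AES protocol itself: the card's AES-based response is stood in for by an HMAC-SHA256 MAC so the demo runs with the standard library only, and the key, card id and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In the scheme described above only the payment
# system and the card hold this value; the phone never does.
DEMO_CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed


def card_response(key: bytes, card_id: str, challenge: bytes) -> bytes:
    """MAC over (card id, challenge). Stand-in for the card's AES-based
    response: HMAC-SHA256 is used here only to keep the demo stdlib-only."""
    return hmac.new(key, card_id.encode() + challenge, hashlib.sha256).digest()


class PaymentSystem:
    """Back end: holds the card key, issues one-time challenges, verifies."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending = {}                     # card_id -> outstanding challenge

    def issue_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(16)    # fresh random value per authentication
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id: str, response: bytes) -> bool:
        challenge = self._pending.pop(card_id, None)
        if challenge is None:
            return False                       # nothing outstanding for this card: reject
        expected = card_response(self._key, card_id, challenge)
        return hmac.compare_digest(expected, response)


class Card:
    """The NFC card: answers challenges with its key and never exports it."""

    def __init__(self, card_id: str, key: bytes) -> None:
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return card_response(self._key, self.card_id, challenge)


class Phone:
    """The POS phone: relays bytes between back end and card, holds no key."""

    def __init__(self, system: PaymentSystem, card: Card) -> None:
        self.system = system
        self.card = card

    def authenticate(self) -> bool:
        challenge = self.system.issue_challenge(self.card.card_id)
        response = self.card.respond(challenge)
        return self.system.verify(self.card.card_id, response)


def genuine_card_accepted() -> bool:
    system = PaymentSystem(DEMO_CARD_KEY)
    return Phone(system, Card("card-0001", DEMO_CARD_KEY)).authenticate()


def wrong_key_rejected() -> bool:
    """A card that does not hold the right key cannot produce a valid response."""
    system = PaymentSystem(DEMO_CARD_KEY)
    wrong = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed
    return Phone(system, Card("card-0001", wrong)).authenticate()


def replayed_response_rejected() -> bool:
    """A recorded response is useless later because a challenge is never reused."""
    system = PaymentSystem(DEMO_CARD_KEY)
    card = Card("card-0001", DEMO_CARD_KEY)
    challenge = system.issue_challenge(card.card_id)
    recorded = card.respond(challenge)
    assert system.verify(card.card_id, recorded)        # first use succeeds
    system.issue_challenge(card.card_id)                 # new session, new challenge
    return system.verify(card.card_id, recorded)         # stale response fails


if __name__ == "__main__":
    print("genuine card accepted:", genuine_card_accepted())
    print("wrong key accepted:", wrong_key_rejected())
    print("replayed response accepted:", replayed_response_rejected())
```

The point to take from the model is where the key lives: `Phone` has no `_key` attribute at all, yet `PaymentSystem.verify` still distinguishes a genuine card from one holding a different key, and a fresh challenge per session means a captured response cannot be reused.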
It would be technically possible to install a program on the phone that records the password or PIN that is entered. To counter the security risk this introduces we use a random virtual keyboard. This keyboard consists of buttons with multiple characters (or numbers) on each. After each button is pressed, all characters are randomly re-allocated to the buttons. In case there are 4 characters per button and the password has 6 digits, then 4^6 (4096) passwords are possible. This makes it almost impossible to capture the password in one try.
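The 4^6 figure follows from the fact that each button press only narrows a position down to the characters on that button. The following Python is an added example for this page (not Cyclos code) that models the keyboard the text describes: a 16-character set dealt onto four buttons of four, re-shuffled after every press. It then counts the PINs that remain consistent with a full record of which button was pressed under which layout, which is what an on-device logger could at best obtain. The character set, seed and sample PIN are constructed for the demo.

```python
import random
from itertools import product

# Constructed character set: 16 characters so that 4 per button fills 4 buttons evenly.
HEX_CHARS = "0123456789ABCDEF"


def make_layout(rng, chars=HEX_CHARS, per_button=4):
    """Deal the characters onto buttons, `per_button` to each, in random order.
    A new layout is produced after every key press, as the text describes."""
    pool = list(chars)
    rng.shuffle(pool)
    return [pool[i:i + per_button] for i in range(0, len(pool), per_button)]


def observe_entry(pin, rng, chars=HEX_CHARS, per_button=4):
    """Model of the most a logger on the phone could record: for each character
    entered, the layout shown at that moment and the index of the button pressed."""
    observation = []
    for ch in pin:
        layout = make_layout(rng, chars, per_button)
        pressed = next(i for i, button in enumerate(layout) if ch in button)
        observation.append((layout, pressed))
    return observation


def candidate_count(observation):
    """Number of PINs consistent with the observation: product of the pressed buttons' sizes."""
    total = 1
    for layout, pressed in observation:
        total *= len(layout[pressed])
    return total


def candidate_pins(observation):
    """Every PIN consistent with the observation, as an explicit set (for checking)."""
    groups = [layout[pressed] for layout, pressed in observation]
    return {"".join(combo) for combo in product(*groups)}


def demo(seed=2024, pin="3A7F10"):
    """Compare a 4-characters-per-button keyboard with a conventional 1-per-button one."""
    rng = random.Random(seed)              # seeded only so the demo is repeatable
    obs = observe_entry(pin, rng)
    pins = candidate_pins(obs)
    single = observe_entry(pin, rng, per_button=1)
    return {
        "count": candidate_count(obs),              # 4^6 = 4096
        "distinct": len(pins),                      # buttons are disjoint, so all distinct
        "contains_pin": pin in pins,                # the real PIN is one of them
        "count_single_char_buttons": candidate_count(single),   # 1: fully revealed
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With one character per button the same observation pins the PIN down to a single candidate; with four per button the observer is left with 4096 equally plausible PINs from one capture, which is the protection the paragraph quantifies.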
The Cyclos smartphone POS turns each NFC-enabled Android phone or tablet into a POS device. This allows shops to receive payments from customers who have an NFC payment card. The POS can also be used for loyalty schemes, in schools, universities and in many more places. The Cyclos POS also allows 'PIN-less' payments. A maximum payment amount and a maximum (total) daily amount for PIN-less payments can be defined by the administration. Within these limits a user can perform payments just by holding the NFC card near the POS. This option still offers high security. The user must be aware, though, that if the card is lost others could use it (of course within the limits).
The diagram below explains how the process technically works. How to enable the smartphone POS is described in our wiki. If you have an NFC-enabled phone and a Mifare DESFire EV1 smartcard, you can also test the smartphone POS using our demo.
Besides this mobile POS, the software already supports a complete SMS payment system. SMS notifications to the buyer on payments made at a POS device can easily be turned on within the software. Of course, this will make the system really secure, but it will also increase the cost of each transaction a little; therefore, depending on the project, this can be turned on or off.