Best Practices & Requirements for Secure Integration
Developing applications with the Tap to Phone SDK requires a strategic and meticulous approach, as it is directly tied to the payments industry—a sector known for its strict regulations, high security standards, and certifications. These requirements are essential to ensure reliability against fraud and system failures. It is therefore crucial for developers to carefully follow the provided recommendations, ensuring that the development process complies with both technical and regulatory requirements. Managing the mobile computing environment plays a key role in preventing vulnerabilities and protecting the integrity of each transaction.
To support this process, this documentation provides detailed guidelines on using the SDK, along with best practices and mandatory requirements that must be followed. These elements help minimize risks while maximizing the security and efficiency of the application. Adhering to these guidelines ensures a secure and reliable payment experience, adding value to the market by delivering a high-quality and compliant product.
Developing a payment app that meets Visa Tap to Phone and Mastercard Tap on Phone certifications goes beyond standard development concerns, requiring heightened attention to security standards. These certifications include compliance with EMVCo rules for encryption, key management, and contactless communication, as well as adherence to PCI DSS regulations. Each card network imposes specific security, transaction processing, and user interface requirements, making it essential for developers to understand these demands before starting the project. Incorporating security from the start helps avoid rework and potential certification issues.
Even when using a certified SDK, developers must ensure:
Correct SDK integration: Follow the implementation instructions without modifications and always use the latest SDK versions.
Application security: Implement additional protections such as code obfuscation, requesting configuration files or parameters via API (instead of using hardcoded values that can be intercepted or modified), follow secure development practices (OWASP), and adopt other security measures to prevent malicious application tampering.
Transaction processing: Implement anti-fraud mechanisms and audit logs, as well as monitoring services to detect exceptions, transaction delays, conversion rate drops, and activation tracking of deployed applications.
User interface: Ensure an intuitive, secure, and transparent payment experience.
Security testing: Perform rigorous security tests to identify and fix vulnerabilities in business processes. Under no circumstances should the SDK be updated without extensive testing to ensure that the app’s core functionalities remain intact. The final responsibility for delivering a high-quality user experience lies with the developers maintaining the application.
Regular updates: To provide the best experience and security for users, we continuously update our applications to comply with new regulations, laws, and security standards. It is essential to update the SDK at least every six months to keep fraud levels under control and access new features. The development company is responsible for managing version deprecation and device deactivation, ensuring that outdated and potentially vulnerable versions remain under control.
Clear communication: Inform users about security measures and maintain an accessible privacy policy.
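The monitoring item above (exceptions, transaction delays, conversion-rate drops and activation tracking) is easier to reason about with concrete detection logic. The following is an added example and is not code from the SDK or its vendor: a backend-side pass over constructed transaction log lines that computes per-window metrics and raises alerts when a current window degrades against a baseline. The log format, field names, thresholds and the p95 approximation are all assumptions made for this example.

```python
"""Added example (not part of the SDK documentation): window metrics and alerting
over constructed transaction log lines, covering the conditions the guideline
names: exceptions, transaction delays, conversion-rate drops and active-device
tracking. Log format, field names and thresholds are assumptions."""
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log line format (assumption): ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tx=(?P<tx>\S+) device=(?P<device>\S+) "
    r"status=(?P<status>APPROVED|DECLINED|ERROR) latency_ms=(?P<latency>\d+)$"
)


@dataclass
class TxEvent:
    ts: str
    tx: str
    device: str
    status: str
    latency_ms: int


def parse_line(line: str) -> Optional[TxEvent]:
    """Parse one log line; None for lines that do not match the expected format.
    Malformed lines are counted separately so they cannot silently skew the metrics."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return TxEvent(m["ts"], m["tx"], m["device"], m["status"], int(m["latency"]))


def window_metrics(events: List[TxEvent]) -> dict:
    """Approval (conversion) rate, ERROR count, p95 latency and distinct active devices."""
    total = len(events)
    approved = sum(1 for e in events if e.status == "APPROVED")
    errors = sum(1 for e in events if e.status == "ERROR")
    latencies = sorted(e.latency_ms for e in events)
    # Nearest-rank p95: simple and good enough for an alerting threshold.
    p95 = latencies[max(0, math.ceil(0.95 * len(latencies)) - 1)] if latencies else 0
    return {
        "total": total,
        "approval_rate": approved / total if total else 0.0,
        "errors": errors,
        "p95_latency_ms": p95,
        "active_devices": len({e.device for e in events}),
    }


def detect_alerts(baseline: dict, current: dict, max_rate_drop: float = 0.15,
                  max_p95_ms: int = 3000, max_errors: int = 2) -> List[str]:
    """Compare the current window with a baseline window and return alert strings.
    Threshold values are assumptions; tune them to the fleet's normal behaviour."""
    alerts = []
    drop = baseline["approval_rate"] - current["approval_rate"]
    if drop > max_rate_drop:
        alerts.append(f"conversion_drop: approval rate fell by {drop:.0%}")
    if current["p95_latency_ms"] > max_p95_ms:
        alerts.append(f"transaction_delay: p95 latency {current['p95_latency_ms']} ms")
    if current["errors"] > max_errors:
        alerts.append(f"exceptions: {current['errors']} ERROR events in window")
    return alerts


def analyze(baseline_lines: List[str], current_lines: List[str]) -> dict:
    """Parse both windows, compute metrics, and return metrics plus alerts."""
    parsed_b = [parse_line(l) for l in baseline_lines]
    parsed_c = [parse_line(l) for l in current_lines]
    malformed = sum(1 for e in parsed_b + parsed_c if e is None)
    base = window_metrics([e for e in parsed_b if e is not None])
    cur = window_metrics([e for e in parsed_c if e is not None])
    return {"baseline": base, "current": cur,
            "alerts": detect_alerts(base, cur), "malformed_lines": malformed}


# Constructed sample data: a healthy baseline window and a degraded current window.
BASELINE_LOG = """\
2024-05-01T10:00:01Z tx=b01 device=dev-A status=APPROVED latency_ms=420
2024-05-01T10:00:05Z tx=b02 device=dev-B status=APPROVED latency_ms=510
2024-05-01T10:00:09Z tx=b03 device=dev-A status=APPROVED latency_ms=390
2024-05-01T10:00:14Z tx=b04 device=dev-C status=DECLINED latency_ms=610
2024-05-01T10:00:20Z tx=b05 device=dev-B status=APPROVED latency_ms=450
2024-05-01T10:00:25Z tx=b06 device=dev-C status=APPROVED latency_ms=700
2024-05-01T10:00:31Z tx=b07 device=dev-A status=APPROVED latency_ms=480
2024-05-01T10:00:37Z tx=b08 device=dev-B status=APPROVED latency_ms=530
2024-05-01T10:00:42Z tx=b09 device=dev-C status=APPROVED latency_ms=440
2024-05-01T10:00:48Z tx=b10 device=dev-A status=APPROVED latency_ms=600
"""
CURRENT_LOG = """\
2024-05-01T11:00:01Z tx=c01 device=dev-A status=APPROVED latency_ms=450
2024-05-01T11:00:06Z tx=c02 device=dev-B status=ERROR latency_ms=4800
2024-05-01T11:00:12Z tx=c03 device=dev-A status=DECLINED latency_ms=900
2024-05-01T11:00:19Z tx=c04 device=dev-C status=ERROR latency_ms=5100
2024-05-01T11:00:25Z tx=c05 device=dev-B status=APPROVED latency_ms=520
this line is malformed and must not be counted
2024-05-01T11:00:31Z tx=c06 device=dev-A status=APPROVED latency_ms=610
2024-05-01T11:00:38Z tx=c07 device=dev-C status=ERROR latency_ms=4700
2024-05-01T11:00:44Z tx=c08 device=dev-B status=DECLINED latency_ms=800
2024-05-01T11:00:50Z tx=c09 device=dev-A status=APPROVED latency_ms=480
2024-05-01T11:00:55Z tx=c10 device=dev-C status=APPROVED latency_ms=560
"""

if __name__ == "__main__":
    for alert in analyze(BASELINE_LOG.splitlines(), CURRENT_LOG.splitlines())["alerts"]:
        print(alert)
```

The baseline/current comparison is what turns raw counts into the "conversion rate drop" signal the guideline asks for; an absolute approval-rate threshold alone would fire constantly for merchants whose normal decline rate differs. Counting malformed lines instead of dropping them quietly also matters: a logging change that breaks the parser would otherwise look like a sudden drop in volume.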
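The "Regular updates" item makes the development company responsible for version deprecation and device deactivation, with the SDK updated at least every six months. As an added example (not code from the SDK or its vendor), the following backend-side policy check classifies each SDK version by age, lets a version be pulled explicitly, and maps each deployed device to an action. The 180-day and 150-day limits, the release dates, the version numbers and the device identifiers are constructed assumptions for this example; unknown versions are treated as deprecated so that an untracked build is never allowed to transact.

```python
"""Added example (not part of the SDK documentation): version-deprecation and
device-deactivation policy for a fleet of deployed Tap to Phone apps. Release
dates, version numbers, device ids and the day limits are constructed assumptions."""
from datetime import date
from typing import Dict, FrozenSet

# Assumption: "at least every six months" is enforced as a 180-day maximum age,
# with a warning window starting at 150 days so users get time to update.
MAX_AGE_DAYS = 180
WARN_DAYS = 150


def classify_versions(releases: Dict[str, date], today: date,
                      max_age_days: int = MAX_AGE_DAYS, warn_days: int = WARN_DAYS,
                      pulled: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Map each known SDK version to 'current', 'update_soon' or 'deprecated'.
    A version in `pulled` is deprecated regardless of age (e.g. withdrawn after a fix)."""
    status = {}
    for version, released in releases.items():
        age_days = (today - released).days
        if version in pulled or age_days > max_age_days:
            status[version] = "deprecated"
        elif age_days > warn_days:
            status[version] = "update_soon"
        else:
            status[version] = "current"
    return status


def plan_devices(devices: Dict[str, str], version_status: Dict[str, str]) -> Dict[str, str]:
    """Return the action per device id: 'deactivate', 'warn' or 'allow'.
    Versions absent from the release list are treated as deprecated (fail closed)."""
    action_for = {"deprecated": "deactivate", "update_soon": "warn", "current": "allow"}
    return {device_id: action_for[version_status.get(version, "deprecated")]
            for device_id, version in devices.items()}


def may_transact(device_id: str, plan: Dict[str, str]) -> bool:
    """Activation-time check: only devices that are allowed or merely warned may transact."""
    return plan.get(device_id, "deactivate") != "deactivate"


# Constructed sample fleet.
RELEASES = {
    "1.0.0": date(2023, 10, 1),   # 213 days old on the reference date: deprecated
    "1.1.0": date(2023, 11, 20),  # 163 days old: inside the warning window
    "1.2.0": date(2024, 4, 1),    # 30 days old: current
}
DEVICES = {
    "dev-1": "1.0.0",
    "dev-2": "1.1.0",
    "dev-3": "1.2.0",
    "dev-4": "0.9.0",  # not in the release list: treated as deprecated
}
REFERENCE_DATE = date(2024, 5, 1)


def run_example(pulled: FrozenSet[str] = frozenset()) -> dict:
    """Classify the sample releases and plan actions for the sample devices."""
    version_status = classify_versions(RELEASES, REFERENCE_DATE, pulled=pulled)
    plan = plan_devices(DEVICES, version_status)
    return {"versions": version_status, "devices": plan}


if __name__ == "__main__":
    result = run_example()
    for device_id, action in result["devices"].items():
        print(device_id, DEVICES[device_id], action)
```

Running the classification on a schedule and again at activation time is the point: the deprecation list is what keeps "outdated and potentially vulnerable versions under control", and the fail-closed handling of unknown versions means a build that was never registered cannot slip past the policy.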