The PCI Security Standards Council (PCI SSC) has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets.
The PCI Software-Based PIN Entry on COTS (SPoC) Standard provides requirements for developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
“Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency. MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere.
However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive,” observes Aite Group Senior Analyst Ron van Wezel. “With the new PIN entry standard, the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen.
This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application. The payment industry will benefit overall from the wider choice in payment acceptance, as it will drive the growth of electronic transactions.”
Key security principles included in the standard’s security and test requirements are:
- Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet
- Isolation of the PIN from other account data
- Ensuring the software security and integrity of the PIN entry application on the COTS device
- Protection of the PIN and account data using a PCI approved Secure Card Reader-PIN (SCRP).
“This standard gives solution providers and application developers a baseline of security requirements for how to securely accept PIN-based transactions on a COTS device, as well as methods to test that security is working, even as updates to the devices and applications occur frequently. PCI validated solutions will meet a robust set of security objectives that have been tested by independent laboratories,” says PCI SSC Chief Technology Officer Troy Leach.
“More and more businesses are now accepting payments with smartphones, tablets and other COTS devicesespecially within the small business community. The PCI SSC Software-Based PIN Entry Solution listing will provide these merchants with a resource for selecting PIN entry solutions that have been evaluated and tested by payment security laboratories, and their customers will benefit by having the best available protection for their payment data.”