PCI Software-Based PIN Entry on COTS Q&A with Jeremy King

04.04.2018

The PCI Security Standard Council recently announced a new standard for software-based PIN entry on commercial off-the-shelf (COTS) devices. Here we talk with Jeremy King about the new PCI Standard and what it means for the payment card industry.

PLUS: What is the PCI Software-Based PIN Entry on COTS (SPoC) Standard?

Jeremy King: The PCI Software-Based PIN Entry on COTS (SPoC) Standard provides requirements for developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).

There are two sets of interrelated requirements that make up the standard – the Security Requirements for solution providers to use in designing each part of a complete solution, and the Test Requirements, which outline testing processes for laboratories to use in evaluating solutions against the standard.

The Security Requirements are available now on the PCI SSC website. The Test Requirements will be published next month, followed by a supporting program that will list validated solutions on the PCI SSC website for merchant use.

PLUS: What is a COTS device?

Jeremy King: A commercial off-the-shelf (COTS) device is a mobile device (e.g., smartphone or tablet) that is designed for mass-market distribution, and is not designed specifically for payment processing.

PLUS: What comprises a SPoC Solution according to the PCI SPoC Security Standard?

Jeremy King: The primary elements of the solution will include a Secure Card Reader for PIN (SCRP) that will be similar to the existing SCR listings with additional requirements; a validated software application on the COTS device that can securely accept PIN as the CVM; and a robust monitoring system that checks for anomalies in the environment and integrity of the other components within the solution.

Solution providers and application developers can use the standard to design each part of a complete solution.

PLUS: Why is the PCI SSC developing the PCI SPoC Standard now?

Jeremy King: PCI SSC regularly monitors changes in payment technology and security techniques and evaluates if PCI Standards need to evolve or if new standards need to be developed. As more and more businesses are using smartphones and other commercial off-the-shelf (COTS) devices to accept and process payments, there is a need for a structured and secure payment acceptance approach for software PIN entry on COTS.

The intent of creating the PCI SPoC Standard is to provide merchants with secure PIN entry solutions that have been evaluated and tested by payment security laboratories.

PLUS: What are the key principles of the PCI SPoC Standard?

Jeremy King: The standard is made up of these core principles, which will factor into the solution as a whole:

• Isolation of the PIN from other account data;

• Ensuring the software security and integrity of the PIN-entry application on the COTS device;

• Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet.

PLUS: How is the PCI SPoC Standard different from the PCI PIN Transaction Security Point of Interaction (PTS POI) Standard?

Jeremy King: The PCI SPoC Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The PCI PTS POI standard will continue to apply to dedicated point of interaction devices for the purpose of payment acceptance.

PLUS: How will the PCI SPoC Standard ultimately benefit the industry?

Jeremy King: The PCI SPoC Standard will give payment solution providers and application developers a baseline of security requirements for how to enter a PIN into a COTS device, as well as methods to test that security is working, even as updates to the mobile devices and applications occur frequently. This will result in secure solutions that are independently tested to demonstrate that the PIN is isolated from the account data within the COTS device and will provide continuous protection, through ongoing monitoring and other controls.

Merchants benefit by using solutions that have been vetted by payment security laboratories, and their customers benefit by continuing to trust that their payment data remains protected.

PLUS: Will the new standard mean POS terminals will start disappearing?

Jeremy King: We expect PCI-approved PTS POI PED devices will continue to be used as a secure, fast and efficient means of undertaking a transaction. Vendors will be able to continue to submit their range of devices for PCI approval, and this new standard will simply provide vendors with another option to add to the portfolio of solutions that they offer. It may well result in new vendors entering the market, and this is always welcome.

Journal:  PLUS Journal 2 (249) 2018