New PCI standard for software-based PIN entry on COTS

The PCI Security Standards Council (PCI SSC), which leads a global effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs, released a new standard pertaining to commercial off-the-shelf devices (COTS) such as smartphones and tablets. The new PCI Software-Based PIN Entry on COTS (SPoC) Standard contains requirements for developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant's consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN, the council stated in a press release about the new requirements.

"The PCI Council has a long history of developing standards for protecting PIN as a verification method in hardware-based solutions," said PCI SSC Chief Technology Officer Troy Leach. "Existing PCI PIN Standards require hardware-based security protection of the PIN.

"We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself. The PCI Software-Based PIN Entry Standard gives solution providers and application developers a baseline of security requirements specifically for accepting EMV contact and contactless transactions using software-based PIN entry."

Popularity of COTS

Aite Group Senior Analyst Ron van Wezel noted that the flexibility and efficiency of mobile POS (MPOS) solutions have made them very popular with smaller merchants, who use them to take orders and accept payments via tablet or smartphone, anytime and anywhere. "However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive," he added. "With the new PIN entry standard, the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen.

"This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application. The payment industry will benefit overall from the wider choice in payment acceptance, as it will drive the growth of electronic transactions."

Key principles

The PCI SSC listed the following key security principles included in the standard's security and test requirements:

• Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet;
• Isolation of the PIN from other account data;
• Ensuring the software security and integrity of the PIN entry application on the COTS device;
• Protection of the PIN and account data using a PCI approved Secure Card Reader for PIN (SCRP).

"This standard gives solution providers and application developers a baseline of security requirements for how to securely accept PIN-based transactions on a COTS device, as well as methods to test that security is working, even as updates to the devices and applications occur frequently," Leach said. "PCI validated solutions will meet a robust set of security objectives that have been tested by independent laboratories."

To read further insights about the new SPoC Standard visit the PCI SSC blog post by Laura K. Gray at blog.pcisecuritystandards.org/new-pci-software-pin-entry-on-cots-standard . For the full text of the new standard, see www.pcisecuritystandards.org/documents/SPoC_Security__Requirements_v1.0.pdf .

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.