The PCI Security Standards Council has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices such as smartphones and tablets.
What are we talking about here?
Stores that let customers pay with a payment card usually have a hardware terminal with a dedicated PIN entry device. But this can be too expensive an option for small merchants in markets that require EMV chip-and-PIN acceptance.
A cheaper option is a low-cost card reader connected to a smartphone or tablet that runs a secure PIN entry application.
But securing the PIN and account data is of crucial importance, and that’s why the PCI Council has developed this new standard.
The PCI Software-Based PIN Entry (SPoC) Standard
The SPoC Standard actually consists of two documents: the Security Requirements and the Test Requirements.
The former document has already been published, and is aimed at entities developing PIN CVM (cardholder verification method) applications, evaluator labs, assessors and organizations managing and deploying PIN CVM solutions.
The Test Requirements, scheduled to be published next month, provide validation mechanisms for payment security laboratories to evaluate the security of software-based PIN entry solutions.
Solutions that pass the tests will be listed on the PCI SSC website for merchant use.
Key security principles of the SPoC Standard
There are several:
- The PIN must be isolated from other account data within the COTS device.
- The PIN and account data must be protected by using a PCI-approved Secure Card Reader for PIN (SCRP), which encrypts account data and maintains its confidentiality.
- The security and integrity of the PIN entry application on the COTS device must be ensured (through secure software development, good release practices, and software protection against attack).
“For the SPoC Standard, we have introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies,” adds PCI SSC Chief Technology Officer Troy Leach.
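To make the three back-end controls named above (attestation, detection, response) concrete, here is an added Python example of a toy monitoring service. It is not code from the PCI SSC or from any SPoC solution: the attestation report fields, the HMAC-based report authentication, the expected app hash, the threshold and the response actions are all assumptions constructed for illustration. The service first checks that a report from the COTS app is authentic and that the app is intact (attestation), then looks for operational anomalies such as repeated PIN failures or a missing SCRP (detection), and finally maps the findings to an action (response).

```python
"""Toy back-end monitoring service for a software-based PIN entry app.

Hypothetical example: models the attestation, detection and response
controls mentioned in the text. Report format, keys, thresholds and
actions are assumptions, not taken from the PCI SPoC Standard.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed values: in a real deployment the expected app digest and the
# attestation key would be provisioned to the back end out of band.
EXPECTED_APP_HASH = hashlib.sha256(b"pin-cvm-app-v1.2.0").hexdigest()
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"
MAX_PIN_FAILURES = 3  # assumed threshold for the anomaly rule


@dataclass
class Verdict:
    device_id: str
    ok: bool
    findings: list = field(default_factory=list)
    action: str = "allow"


def sign_report(report: dict, key: bytes = ATTESTATION_KEY) -> str:
    """HMAC the COTS app attaches to its attestation report (assumed scheme)."""
    payload = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_attestation(report: dict, mac: str) -> list:
    """Attestation: is the report authentic and is the PIN entry app intact?"""
    if not hmac.compare_digest(sign_report(report), mac):
        # An unauthenticated report tells us nothing trustworthy; stop here.
        return ["attestation MAC mismatch (report not authentic)"]
    findings = []
    if report.get("app_hash") != EXPECTED_APP_HASH:
        findings.append("app integrity check failed")
    if report.get("debugger_attached"):
        findings.append("debugger attached to PIN entry app")
    if report.get("device_rooted"):
        findings.append("device reports root/jailbreak")
    return findings


def detect_anomalies(report: dict) -> list:
    """Detection: operational signals that something is off on this device."""
    findings = []
    if report.get("pin_failures", 0) > MAX_PIN_FAILURES:
        findings.append("excessive PIN failures")
    if not report.get("scrp_paired"):
        findings.append("no approved SCRP paired")
    return findings


def choose_response(findings: list) -> str:
    """Response: integrity problems block the device, other anomalies alert."""
    if not findings:
        return "allow"
    integrity_markers = ("attestation", "integrity", "debugger", "root")
    if any(m in f for f in findings for m in integrity_markers):
        return "block_and_revoke"
    return "alert"


def evaluate(report: dict, mac: str) -> Verdict:
    """Run attestation, then detection only on authenticated reports."""
    findings = verify_attestation(report, mac)
    if not any("not authentic" in f for f in findings):
        findings += detect_anomalies(report)
    return Verdict(report.get("device_id", "?"), not findings, findings,
                   choose_response(findings))


# Constructed sample reports from three hypothetical COTS devices.
SAMPLE_REPORTS = {
    "healthy": {"device_id": "cots-001", "app_hash": EXPECTED_APP_HASH,
                "debugger_attached": False, "device_rooted": False,
                "pin_failures": 1, "scrp_paired": True},
    "tampered_app": {"device_id": "cots-002",
                     "app_hash": hashlib.sha256(b"patched-app").hexdigest(),
                     "debugger_attached": False, "device_rooted": False,
                     "pin_failures": 0, "scrp_paired": True},
    "noisy": {"device_id": "cots-003", "app_hash": EXPECTED_APP_HASH,
              "debugger_attached": False, "device_rooted": False,
              "pin_failures": 7, "scrp_paired": False},
}


def run_demo() -> dict:
    """Evaluate every sample report plus one with a forged MAC."""
    actions = {name: evaluate(r, sign_report(r)).action
               for name, r in SAMPLE_REPORTS.items()}
    actions["forged_mac"] = evaluate(SAMPLE_REPORTS["healthy"], "00" * 32).action
    return actions


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:13s} -> {action}")
```

The ordering matters: detection rules are only applied once the report has passed attestation, because a forged or replayed report could otherwise be used to steer the back end's own alerting. Integrity failures are treated as more severe than operational anomalies, which is why they map to revocation rather than an alert.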
“More and more businesses are now accepting payments with smartphones, tablets and other COTS devices, especially within the small business community. The PCI SSC Software-Based PIN Entry Solution listing will provide these merchants with a resource for selecting PIN entry solutions that have been evaluated and tested by payment security laboratories, and their customers will benefit by having the best available protection for their payment data.”