Ingenico Blog / U.S.

shaping the future of payment

New PCI Software-Based PIN Entry on COTS Standard

PCI.pngThe PCI SSC has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets. The PCI Software-Based PIN Entry (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The security requirements are for solution providers to use in developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP). Here we talk with PCI SSC Chief Technology Officer Troy Leach about the new standard, what makes it different than other PCI PIN Standards, and how it’s designed to secure payment data.

Tell us about this new standard and what it means for the payment card industry?

Troy Leach: The most significant shift is how we use a well-known verification method, PIN, and securely enter that information in a new way on a new device category. Traditionally, accepting PIN required hardware-based mechanisms, such as an electronic PIN pad. However, with advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device. The existing PCI PIN Transaction Security Point of Interaction (PTS POI) Standard remains relevant and will continue to be used by hardware vendors to deliver solutions to market.

How is this standard different from the PCI PTS POI Standard?

Troy Leach: The PCI Software-Based PIN Entry (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The PCI PIN Transaction Security Point of Interaction (PTS POI) Standard will continue to apply to dedicated point of interaction devices for the purpose of payment acceptance. One difference between the two standards is that acceptance and security controls are contained within the physical boundaries of the device for the PTS POI Standard, whereas the SPoC Standard introduces a different set of security controls to mitigate risks associated with a software-centric solution.

For the SPoC Standard, we have introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies.

However, there are also many similarities between the two standards such as expectations in security design. In fact, a requirement of software-based PIN entry is that the account data is received and encrypted by a Secure Card Reader for PIN (SCRP) attached to the COTS device. That is a new form factor that will be introduced within PCI PTS POI v5.1, which will be released soon.

Who is the standard designed for specifically?

Troy Leach: The standard is comprised of two documents – the Security Requirements and the Test Requirements.

Security Requirements are objectives for the solution provider that designs the overall solution or components, such as the application that receives the PIN. The Security Requirements can also help other organizations understand expectations for securing these types of payments.

The Test Requirements create validation mechanisms for payment security laboratories to evaluate the security of a solution. These will be published in the next month, followed by a supporting program that will list PCI validated Software-Based PIN Entry Solutions on the PCI SSC website for merchant use.

What are some of the key areas that the Security Requirements address?

Troy Leach: The standard is made up of several core principles, which will factor into the solution as a whole:

  • Isolation of the PIN from other account data;
  • Ensuring the software security and integrity of the PIN entry application on the COTS device;
  • Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet;
  • Required Secure Card Reader for PIN (SCRP) to encrypt and maintain confidentiality of account data;
  • Transactions restricted to EMV contact and contactless.

Explain how the standard addresses the security of the PIN in this environment?

Troy Leach: A key security objective is to isolate the PIN within the COTS device from the account identifying information, which might be used in a correlation attack. A correlation attack occurs when a fraudster can obtain some payment data elements, such as magnetic stripe track 2 data, from one part of the payment ecosystem (e.g. skimming of payment card), and another data element such as a PIN from a separate attack, and then manages to link these data elements to enable a fraudulent transaction.

This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN. Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction.

The standard requires that the PIN is further protected by the continuous monitoring of the environment to confirm the integrity of the PIN CVM Application that receives the PIN as well as for anomalies in the COTS environment.

Software security is an important element of this standard and a priority focus area for the PCI SSC. Can you talk about how the security requirements emphasize software security?

Troy Leach: Software security is critical to protecting payment data in these types of transactions. PIN CVM Applications will provide security for the user interface for PIN entry, the initial encryption of the PIN and delivering the encrypted PIN to the SCRP. It is important to get that right.

As such, the standard emphasizes secure software development and release practices as well as many software protections to maintain integrity against attack. The monitoring environment is an important control that supplements the software security by continuously validating the integrity of the COTS software security environment.

You mentioned active monitoring as a key security principle. How does the standard address this component?

Troy Leach: The SPoC Standard includes a number of requirements to ensure that the overall solution, PIN CVM application or the COTS device itself has not been manipulated or compromised. These security requirements are designed to monitor the systems continuously for anomalies or other errors. Reporting of these anomalous activities are required to be reviewed quickly and resolved according to the established automated and manual procedures.

What makes up a PCI Software-Based PIN Entry Solution?

Troy Leach: The primary elements of the solution will include a Secure Card Reader for PIN (SCRP) that will be similar to the existing SCR listings with additional requirements; a validated software application on the COTS device that can securely accept PIN; and a robust monitoring system that checks for anomalies in the environment and integrity of the other components within the solution.

Solution providers and application developers can use the standard to design each part of a complete solution. The validation program is still being finalized but when available later this year, the solution provider will submit the full SPoC Solution for evaluation. The final reports will be submitted to the PCI SSC for validation and listing on the PCI SSC website.

Does this new standard remove the need for POS hardware such as payment terminals and card readers?

Troy Leach: No. This standard is intended to address innovations for acceptance by offering an optional alternative to traditional hardware terminals and PIN entry devices. The SPoC Standard requires the use of hardware to provide account data protection using encryption established by a PCI SSC approved Secure Card Reader for PIN (SCRP). By using an SCRP, the standard ensures account data is kept separate from PIN data.

What impact does this standard have on POS terminal vendors?

Troy Leach: There is no impact on POS terminal vendors. We expect PCI approved PTS POI PED devices will continue to be used. Vendors will be able to continue to submit their range of devices for PCI approval, and this new standard will simply provide vendors with another option to add to the portfolio of payment solutions that they offer.

Download the Software-Based PIN entry on COTS Security Requirements

This is a guest post from the PCI Security Standards Council. It was originally published on the PCI Perspectives Blog as an interview with PCI SSC Chief Technology Officer, Troy Leach.
Share your comments

Subscribe by Email

Enter your email address to receive our latest blogs covering payment industry trends, insights, and best practices - right to your inbox.

Follow Us

Ingenico Twitter Ingenico Linkedin Ingenico YouTube Ingenico Instagram
Checklist / Choosing the Right Payment Technology Partner
Download

Categories

Archives

  • Why More Merchants and Solution Providers Are Turning to the Subscription Model for Payment Terminals
  • 2022 Holiday Shopping Trends
  • Perfecting Personalized Experiences via Payment Data
  • What Does the Payments Landscape Have in Common with House of the Dragon?
  • Why Tap to Phone Could Accelerate Digital Payments
  • How to Level the Playing Field for SMB Retail
  • The Next Big Thing: Payments Platform as a Service
  • Travel Lightly with a Nimble POS System
  • Will Mobile Wallet Payments Adoption Increase in the U.S.?
  • Consumers’ Preferred Payment Methods, by Generations
  • Payment Terminal as a Sales Lifeforce
  • What Is Common Debit Aid And Why Does It Matter?
  • Is Your Legacy POS Sale Dead To You?
  • Serve Customers Success with Restaurant POS Innovations
  • Summer is Here: So is the Multi-Touch Customer Experience
  • What Can a POS System Do for the Customer Experience?
  • Lose the Lines, Gain the Sales
  • Can Better Fulfillment Lead to a Stronger Customer Experience?
  • Leveraging Digitization for a Better In-Store Experience
  • How Connectivity and Enablement Lead to a Better Customer Experience
  • Following Up on ETA TRANSACT 2022
  • Are You Ready to Date Your Customers?
  • Leverage the Right Checkout Technology for a Better Customer Experience
  • Leveraging Technology to Elevate the Guest Experience
  • How Augmented Reality Can Impact Your Business
  • Why Opting In On Digital Services Matters
  • Leveraging Pay-at-the-Table to Improve the Customer Experience and Streamline Operations
  • What’s the Difference Between PIN on Glass and PIN on Mobile?
  • Is Retail Ready for Crypto?
  • Driving a Better Fan Experience in the Stadium
  • Why Self Service is the Answer for a Better Customer Experience
  • How ISVs Can Benefit from Listening to Their Merchant Customers
  • Recapping NRF 2022: Retail’s Big Show: What’s in Store for This Year and Beyond
  • A Balanced Security Approach to Payments Must Include Your Employees
  • Three Key Considerations For A Better Retail Experience in 2022
  • Five Things the Retail Environment Expect from Payment Solutions
  • Buy Now Pay Later: Add Now, Don’t Wait Until Later
  • Five Ways Investing in a Cloud POS System Can Benefit Your Business
  • Four Reasons Why an Android Platform is a Key Ingredient for Your Restaurant Technology Recipe
  • Three Ways to Delight Your In-Store Customers This Holiday Season
  • Improve Your Banking Customer’s Experience in Three Ways
  • The Need for Frictionless Payments
  • Transition to a Smart POS Era
  • Reimagine Retail with the Point of Decision in Mind
  • Should Merchants Care About Cryptocurrency Right Now?
  • Maintain the Health of Your Payment Tech Investment with Estate Management
  • Overcome Four Key Challenges in Restaurants with Pay-at-the-Table
  • Four Ways SMBs Can Meet Post-Pandemic Customer Needs
  • How ISVs Can Help Merchants Improve Customers Experience and More with Payment APIs
  • Six Ways Technology Has Changed Traditional Payments
  • Has the Retail Consumer Changed for Good?
  • VARs: Offer Future-Proof, Cost-Effective Solutions with Android
  • Go Beyond PCI Compliance with a Balanced Security Approach
  • Four Reasons Why Transit Operators Need Contactless Payments
  • What is WIC and How Does It Work?
  • Guiding Your Merchant Customers into the Era of Android
  • Going Beyond Contactless with Value-Added Service
  • 6 Challenges with Non-Phone-Based Biometrics
  • Enhance the Patient Experience with These Six Use Cases
  • What Are Biometric Payments and How Do They Work?
  • The Android Platform: What It Is and How Your Business Can Benefit from It.
  • What is Click & Collect and Why Should Retailers Care?
  • 4 Ways Restaurants Can Prepare for a Post-COVID World
  • 5 Use Cases That Food and Drug Retailers Need to Offer Their Customers
  • What do Superhero Movies and Agile Payment Solution Roadmaps Have in Common?
  • 5 Payment Trends to Expect in 2021
  • QR Code Payments: Should Merchants Accept It? Maybe
  • Mobile Payments Solutions and Services in a Post-COVID World
  • Don’t Let EMV Be an Afterthought for Your Self-Service Solutions
  • QR Code Payments: What Are They and How Do They Work?
  • What is Ecos and What It Means for Merchants?
  • Understanding Common Debit AID and Why It Matters
  • Retail and the Power of Influence
  • How Travel and Hospitality is Going to Change in the Coming Years
  • Why Every Merchant Needs Omnichannel Payments Post-COVID-19
  • Card-Present Transactions Are Better for Your Grocery Business
  • Retail Challenges in a Post-COVID World
  • Consider As-a-Service Model for Your Payment Solution Needs
  • Android Payment Solutions Can Be a Game Changer for SMBs
  • Why Validated P2PE Services Will Be a Major Asset for Grocers in 2021
  • 6 Takeaways from the 2020 Holiday Shopping Season
  • Four Ways ISVs Can Help Their SMB Customers Boost Business
  • Repair and Warranty: Do I Really Need it for My Payment Solutions?
  • How To Prepare Your Hospitality & Travel Businesses For a Post-COVID World
  • 4 Things Every Theme Park and Attraction Should Be Doing Now To Adapt to the New Technology Landscape
  • The Changing Retail Consumer and What Merchants Can Do
  • Here’s How You Can Prepare Your Small Business Customers for 2021
  • The Holiday Season is Set to Change the Future of Retail Shopping
  • Android Payment Solutions: Overcoming Four Common ISV Challenges
  • How Grocery Store Owners Can Prepare for Their Busiest Holidays
  • Hospitality Round-Up: Hotels & Travel in a Post-COVID World
  • Three Common Challenges to Effectively Deploying Payment Solutions in Grocery
  • How Merchant Expectations from Their Payment Solutions Are Changing
  • Offer Kiosks to Enhance Your Clients' Omnichannel Businesses
  • What Consumers and Merchant Expect from Their Checkout
  • Protect Your Payment Tech Investment with a Strong Customer Care Program
  • How the Pandemic Facilitated Increased Adoption of Three Existing Technologies in Retail
  • POS Data Security: Are You Doing Enough to Keep Merchants Safe?
  • 3 Issues Customers Face at Retail Checkout and How to Solve Them
  • Retail Round-Up: Digital Transformation of Retail
  • Restaurant Round-Up: Food Delivery Takes Center Stage
  • Present and Future of Self-Service Solutions
  • Grocery Round-Up: From Delivery to Smart Shopping Carts
  • Data and Business Intelligence Can Help Grocers Grow
  • The Past, Present and Future of Contactless Technology
  • Hospitality Round-Up: How Will Travel and Hotels Change
  • Use Contactless to Enhance Guest Experience in Your Hospitality Business
  • Consumer Demands for Self-Service Drive New Opportunities for Retail ISVs
  • Smart Payment Strategy for FX Volatility
  • Restaurant Round-Up: The Future of Dining
  • How Gen Z Consumer Trends Are Impacting Payments
  • COVID19: Insights and Help from Our Partners
  • Retail Round-Up: How Are Retail Stores Fairing During These Unprecedented Times
  • The Future of Contactless Is Now
  • Enhance Your Customer Engagement Strategy with These Four Tips
  • Location, Location, Location: The Importance of Self-Service Kiosk Placement
  • 5 Questions to Ask Yourself Before You Implement New Payment Solutions
  • Understanding Emerging Retail Trends for Grocery Stores
  • Go Contact-Free with Contactless
  • Recapturing Hospitality’s Magic Moments
  • Payments Strategies to Mitigate Business Risks of COVID-19: Learnings from China and Asia Pacific
  • Biometrics for Payments: Are They Secure?
  • Protecting Payments While Working Remotely
  • Drive Digital Transformation in Your Business with Cloud-Based POS Services
  • What’s Next for Grocery Payment Innovation?
  • Single Certification: Why It’s Worth It
  • How Digital Identities Might Soon Change the Way People Shop
  • Biometrics in Payments 101: What Can Retailers Expect to See?
  • How Professional Services Can Solve the Challenges Merchants Face Today
  • The Future of Payments is Invisible
  • Here’s Why Value-Added Services are the Logical Next Step for Loyalty
  • Why Validated P2PE Services are a Major Asset for Merchants
  • Innovative Payments Can Help Attract Adventure and Luxury Travelers
  • Contactless Payments Create New Opportunities for ISVs
  • Managing for Success in a Multigenerational Workforce
  • Merchants and Consumers Agree: Payment Security is Essential at Checkout
  • 5 Ways Healthcare Providers Can Enhance Patient Experience
  • What Should You Look for in a Payment Solution?
  • Make Online Shopping a Success for You and Your Customers in 2020
  • NRF’s 2020 Big Show Takeaway: Retailers are Looking to the Future to Ensure Success
  • Enhance Your Guests’ Hotel Stay with RFID Technology
  • Restaurants Can Improve Operations and Customer Experience with Pay-at-the-Table
  • How to Help Physicians Collect Healthcare Payments from Patients
  • Self-Service Has Become A Leader in Improving Customer Experience in Transit
  • ­­­Why Should Merchants Invest in P2PE?
  • Start 2020 Strong with the Right Payments Technology Partner
  • PIN on Mobile Will Bring Big Business Payment Tech to Small Business and Micro-Merchants
  • Transform Customer Experience with Android-Powered Payment Solutions
  • Innovate Restaurant Experience for Customers with Payment Technology in 2020
  • Exceed Travelers’ Expectations in 2020 with Innovative Payment Technology
  • Build Customer Loyalty with Mobile Wallets
  • Can IoT Help Retailers Keep Customers in the Store?
  • This Holiday Season, Let All Your Channels Sing Together
  • Offering Choices Is More Important than Ever During the Holidays
  • Tech-Enabled Stadiums and Arenas are Taking Fan-Experience to the Next Level
  • Can the U.S. Catch Up to China When it Comes to Mobile Wallet Adoption?
  • Managing Increased Patient Responsibility with Payment Solutions
  • How to Make Omnichannel Retail a Seamless Experience
  • Boost Your In-Store Success with These Five Strategies
  • Five Ways Retailers Can Get the Most Out of This Holiday Shopping Season
  • Fact or Fiction? The Truth About the “Retail Store Apocalypse”
  • Restaurants Incorporating Customer-Facing Technology Are Positioned for Growth
  • 3 Things to Know About P2PE v3.0
  • Technology Can Greatly Improve the Customer Experience – Or Ruin It. Here’s What You Need to Know
  • Technology and Personalization: The Key to Reinventing Retail?
  • You Should Be Using a Semi-integrated Payment Architecture. Here’s Why
  • Prepare for BOPIS in Your Grocery Environment with these Six Steps
  • Retailers, Are You Prepared with Your 2020 Retail Strategy?
  • Four Challenges Grocers Face While Adopting BOPIS
  • Self-Service Tech in QSR: Why User Interface May Be More Important Than You Thought
  • What It Takes for Your Clients to Accept Mobile Payments
  • Implementing Unattended Solutions in Your Business? Consider These Three Things
  • Enhance Your Hotel Guest’s Experience with More Choice for Check-in
  • Elevate the Commerce Experience with Faster Grocery Checkouts
  • Develop a Successful Mobile Strategy in Four Steps
  • Antimicrobial Technology in Quick Service Restaurants: When Hand-Washing Isn’t Enough
  • Self-Service Kiosks: Adoption and Challenges in Implementation
  • Smart Cities May Be the Solution to Sustaining Rapid Urbanization – Especially in Transit
  • In Healthcare, Better Care Starts in the Waiting Room
  • Three Ways Hospitality Businesses Can Delight Their Guests
  • Don’t Underestimate the Importance of Process in Your Balanced Security Approach
  • Four Factors to Consider When Upgrading your Payment Technology
  • Self-Service Kiosks are Becoming Popular in Restaurants. Here's Why
  • Create Rich Emotional Connections with Your Customers to Boost Your Retail Business
  • Are Wearables the Next Big Thing in Payments?
  • eCommerce is Growing but U.S. Shoppers Still Like Visiting Brick and Mortar Stores
  • Three Ways You Can Gather Customer Feedback and Enhance Experience in Your Restaurant
  • Mobile Wallets Should be Part of Your Payment Strategy
  • The Four Trends Driving the New World of Commerce
  • Customer Centricity is Shaping Payments in the Travel Industry
  • Using Artificial Intelligence in Retail to Transform the Customer Experience
  • 4 Ways Clinical Mobility Can Help Healthcare Providers
  • How Mobile POS Solutions Can Enhance the Hospitality Guest Experience
  • Maximize Back-to-School Shopping by Optimizing Your Strategy for Gen Z
  • Your Balanced Security Approach Can (and Must) Include Your Employees
  • Contactless Payments for U.S. Transit: A Long Time Coming
  • 3 Ways You Can Keep Your Restaurant Customers Coming Back for More
  • Bring your Mobile POS Solution to Market with These Best Practices
  • Think Pay-at-the-Table Isn’t for You? Think Again.
  • Combat the Spread of Viral Infections with Antimicrobial Technology

    • Subscribe