Troy Leach: The most significant shift is how we use a well-known verification method, PIN, and securely enter that information in a new way on a new device category. Traditionally, accepting PIN required hardware-based mechanisms, such as an electronic PIN pad. However, with advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device. The existing PCI PIN Transaction Security Point of Interaction (PTS POI) Standard remains relevant and will continue to be used by hardware vendors to deliver solutions to market.
Troy Leach: The PCI Software-Based PIN Entry (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The PCI PIN Transaction Security Point of Interaction (PTS POI) Standard will continue to apply to dedicated point of interaction devices for the purpose of payment acceptance. One difference between the two standards is that acceptance and security controls are contained within the physical boundaries of the device for the PTS POI Standard, whereas the SPoC Standard introduces a different set of security controls to mitigate risks associated with a software-centric solution.
For the SPoC Standard, we have introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies.
However, there are also many similarities between the two standards such as expectations in security design. In fact, a requirement of software-based PIN entry is that the account data is received and encrypted by a Secure Card Reader for PIN (SCRP) attached to the COTS device. That is a new form factor that will be introduced within PCI PTS POI v5.1, which will be released soon.
Troy Leach: The standard is comprised of two documents – the Security Requirements and the Test Requirements.
Security Requirements are objectives for the solution provider that designs the overall solution or components, such as the application that receives the PIN. The Security Requirements can also help other organizations understand expectations for securing these types of payments.
The Test Requirements create validation mechanisms for payment security laboratories to evaluate the security of a solution. These will be published in the next month, followed by a supporting program that will list PCI validated Software-Based PIN Entry Solutions on the PCI SSC website for merchant use.
Troy Leach: The standard is made up of several core principles, which will factor into the solution as a whole:
Troy Leach: A key security objective is to isolate the PIN within the COTS device from the account identifying information, which might be used in a correlation attack. A correlation attack occurs when a fraudster can obtain some payment data elements, such as magnetic stripe track 2 data, from one part of the payment ecosystem (e.g., skimming of a payment card), and another data element such as a PIN from a separate attack, and then manages to link these data elements to enable a fraudulent transaction.
This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN. Instead, that information is captured by an EMV chip reader that is approved as an SCRP that encrypts the contact or contactless transaction.
The standard requires that the PIN is further protected by the continuous monitoring of the environment to confirm the integrity of the PIN CVM Application that receives the PIN as well as for anomalies in the COTS environment.
Troy Leach: Software security is critical to protecting payment data in these types of transactions. PIN CVM Applications will provide security for the user interface for PIN entry, the initial encryption of the PIN and delivering the encrypted PIN to the SCRP. It is important to get that right.
As such, the standard emphasizes secure software development and release practices as well as many software protections to maintain integrity against attack. The monitoring environment is an important control that supplements the software security by continuously validating the integrity of the COTS software security environment.
Troy Leach: The SPoC Standard includes a number of requirements to ensure that the overall solution, PIN CVM application or the COTS device itself has not been manipulated or compromised. These security requirements are designed to monitor the systems continuously for anomalies or other errors. Reporting of these anomalous activities is required to be reviewed quickly and resolved according to the established automated and manual procedures.
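As an added illustration (not part of the interview or of any PCI SSC material) of the attestation, detection and response loop described in the answers above: a minimal back-end monitor that checks a constructed attestation report from the PIN CVM Application. The MAC key, the known-good build hash, the report fields and the self-check names are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# Assumed: the attestation component and the back end share MAC_KEY (constructed here;
# key management for a real solution is outside the scope of this example).
MAC_KEY = b"constructed-demo-attestation-key"
# Assumed: hash of the approved PIN CVM Application build, recorded at validation time.
KNOWN_GOOD_APP_HASH = hashlib.sha256(b"pin-cvm-app-build-1.0").hexdigest()
MAX_REPORT_AGE_S = 300  # older reports count as a stale or missing heartbeat


def sign_report(body: dict, key: bytes = MAC_KEY) -> dict:
    """Attach a MAC so the back end can tell a genuine report from a forged one."""
    msg = json.dumps(body, sort_keys=True).encode()
    return {**body, "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def detect_anomalies(report: dict, now: float) -> list:
    """Attestation + detection: return the anomaly codes found in one report."""
    body = {k: v for k, v in report.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True).encode()
    expected_mac = hmac.new(MAC_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, report.get("mac", "")):
        return ["report_not_authentic"]  # nothing else in the report can be trusted
    anomalies = []
    if body.get("app_hash") != KNOWN_GOOD_APP_HASH:
        anomalies.append("app_integrity_mismatch")  # app on the COTS device was changed
    if now - body.get("timestamp", 0) > MAX_REPORT_AGE_S:
        anomalies.append("report_stale")  # monitoring gap: device went quiet
    for name, ok in body.get("self_checks", {}).items():
        if not ok:  # constructed check names; a real solution defines its own
            anomalies.append("self_check_failed:" + name)
    return anomalies


def respond(anomalies: list) -> str:
    """Response: map detection results to an action for this COTS instance."""
    if not anomalies:
        return "allow"
    severe = ("report_not_authentic", "app_integrity_mismatch")
    if any(a in severe or a.startswith("self_check_failed") for a in anomalies):
        return "block_instance_and_alert"
    return "alert_and_require_fresh_report"  # e.g. only a stale heartbeat so far
```

A real monitoring system would also persist the alert trail for the manual review the standard calls for; this block only shows the automated decision.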
Troy Leach: The primary elements of the solution will include a Secure Card Reader for PIN (SCRP) that will be similar to the existing SCR listings with additional requirements; a validated software application on the COTS device that can securely accept PIN; and a robust monitoring system that checks for anomalies in the environment and integrity of the other components within the solution.
Solution providers and application developers can use the standard to design each part of a complete solution. The validation program is still being finalized but when available later this year, the solution provider will submit the full SPoC Solution for evaluation. The final reports will be submitted to the PCI SSC for validation and listing on the PCI SSC website.
Troy Leach: No. This standard is intended to address innovations for acceptance by offering an optional alternative to traditional hardware terminals and PIN entry devices. The SPoC Standard requires the use of hardware to provide account data protection using encryption established by a PCI SSC approved Secure Card Reader for PIN (SCRP). By using an SCRP, the standard ensures account data is kept separate from PIN data.
Troy Leach: There is no impact on POS terminal vendors. We expect PCI approved PTS POI PED devices will continue to be used. Vendors will be able to continue to submit their range of devices for PCI approval, and this new standard will simply provide vendors with another option to add to the portfolio of payment solutions that they offer.
Download the Software-Based PIN entry on COTS Security Requirements
This is a guest post from the PCI Security Standards Council. It was originally published on the PCI Perspectives Blog as an interview with PCI SSC Chief Technology Officer, Troy Leach.