In December, PCI SSC plans to publish a new standard for solutions that enable “tap and go” transactions on merchant smartphones and other commercial-off-the-shelf (COTS) mobile devices. The PCI Contactless Payments on COTS (CPoC™) Standard is a leading topic of discussion at this week’s PCI Europe Community Meeting in Dublin. Here we talk with John Markh, PCI SSC Standards Manager, for an update on this initiative.
What can stakeholders expect in December?
John Markh: In December the Council plans to publish the CPoC Standard for solutions that enable merchants to accept contactless transactions on their COTS devices without added hardware.
The standard will include:
- Security Requirements: Criteria for solution providers on how to protect payment data within their solutions.
- Test Requirements: Criteria for laboratories (labs) to evaluate solutions for validation and listing on the PCI SSC website through the supporting CPoC Program.
- Guidance: Additional information to assist in understanding the intent of each security requirement, and in some cases, examples of security controls that can be used by the CPoC Solution providers to meet the requirement.
The standard will be supported by a program for the evaluation and listing of CPoC Solutions on the PCI SSC website.
Is this standard specific to contactless card transactions, or does it support any type of contactless payment transactions?
John Markh: The CPoC Standard is designed for solutions that accept payments with EMV chip contactless cards and any type of contactless device that complies with EMV contactless standards. In addition, contactless magnetic stripe data (MSD) transactions that use a dynamic transaction verification code can also be supported by CPoC Solutions.
The PCI PIN Transaction Security Point of Interaction (PCI PTS POI) Standard has enabled contactless acceptance for many years and will continue to do so by providing security requirements for mobile and other devices that are purpose built for payments. CPoC expands our support for contactless payments with a standard specifically for contactless acceptance on merchant COTS devices.
As you’ve noted, existing PCI Standards support contactless payments already. What makes this new standard different?
John Markh: With a growing number of merchants now relying on smartphones to take payments, CPoC Solutions will provide merchants with more secure options for contactless acceptance.
The purpose of the CPoC Standard is to provide a set of principles and requirements for a mobile contactless payment acceptance solution where the contactless read functions are performed using the NFC interface that is native to and embedded in a COTS device.
There are a few key things that differentiate CPoC from other PCI Standards that support contactless transactions.
First, CPoC is specific to solutions for merchant mobile COTS devices, as opposed to mobile devices dedicated to payments, which are covered by the PTS POI Standard. Second, CPoC is for solutions that require no additional hardware to accept contactless transactions, whereas Software-based PIN Entry on COTS (SPoC) Solutions require a dongle to accept contactless payments.
Lastly, CPoC does not support PIN entry for contactless payments, as opposed to PCI PTS POI and SPoC which apply to devices and solutions designed for PIN entry.
Why doesn’t CPoC support PIN entry?
John Markh: The Council is committed to ensuring the integrity of PIN data per the PCI PIN Security Standard, and as such maintaining security and isolation of the PIN from other cardholder data remains a priority for all PCI Standards.
In CPoC, this objective is met by not supporting PIN entry. CPoC Solutions do not allow acceptance of PIN in order to prevent correlation of PIN with PAN in the COTS device memory.
How will SPoC be aligned with CPoC? What happens next on this front?
John Markh: We are planning to start working on version 2.0 of the SPoC Standard in early 2020. Updates will align it with evolutions in the mobile space, incorporate learnings from the development of CPoC, and incorporate the SPoC Magnetic Stripe Readers (MSR) Annex into the SPoC Standard.
As part of the revision process, we will also review and update the SPoC Standard to account for the changes in the next revision of PCI PTS POI Standard, which is anticipated for publication in the first half of 2020. PCI PTS POI v6.0 will update the SCRP (Secure Card Reader – PIN) approval class to allow support for magnetic stripe, which will remove the need for an additional device per the SPoC MSR Annex.
Continued evolution of standards to secure emerging payment channels is a priority for the Council. How does PCI SSC plan to keep pace with changes in the mobile acceptance space?
John Markh: Payments industry participation and input plays a key role in our efforts to evolve PCI Standards to support and align with changes in payments and technology.
In the case of our mobile payment acceptance standards, we are pleased to have an engaged and active mobile task force that is working closely with us to identify mobile and regional trends and how they are impacting our standards.
Additionally, we will continue to work with the broader payment industry through the RFC process, which provides PCI SSC stakeholders the opportunity to participate in the ongoing evolution of PCI Standards by reviewing proposed updates and providing feedback.