The PCI Security Standards Council (PCI SSC) has been working with industry stakeholders to develop a security standard for software PIN-entry on commercial off-the-shelf (COTS) devices, such as mobile phones or tablets. Specifically, the security standard will help solution providers to develop products that enable merchants to securely accept payments on COTS devices using a PIN as the Cardholder Verification Method (CVM). Since our last blog post on this initiative, What to Know About the PCI Software PIN-Entry on COTS Standard, PCI SSC received hundreds of comments from PCI Participating Organizations, PCI Labs and assessors during the request for comments period and has been working to update the draft standard documents for publication. Here we get the latest update from Chief Technology Officer Troy Leach on the standard’s development and what stakeholders can expect next.
What has been the level of industry involvement in the development of this standard?
Troy Leach: It has been great to see so much interest and engagement from the industry on this standard; we received a great deal of feedback over the past six months from the PCI Mobile Task Force, PCI Labs, PCI Participating Organizations and assessors. The feedback covers a wide range of areas and has been incredibly helpful in the development of effective security requirements for this acceptance environment.
How is this feedback being addressed?
Troy Leach: PCI SSC reviews every comment, line by line, and it is categorized appropriately. The majority of feedback is ultimately reflected within the final version, which allows the document to best serve the end-users.
When is the standard expected to be available?
Troy Leach: Our goal is to publish the standard as soon as it’s available so that solution vendors, testing laboratories and organizations considering using such solutions will have the information as quickly as possible. This will allow more time for the market to react and develop to the requirements.
The standard is comprised of Security Requirements and Test Requirements. We expect to publish the Security Requirements by the end of January 2018. Shortly after, PCI SSC will publish the Test Requirements that labs will use to evaluate solutions for compliance with the standard.
Following the publication of these two documents, PCI SSC will develop and publish program materials to define qualification criteria for all parties and the solution validation and listing process. We expect to have this work completed before the end of April.
What will a validated Software PIN-Entry on COTS solution consist of?
Troy Leach: The primary elements of the solution will include a Secure Card Reader for PIN (SCRP) that will be similar to the existing SCR listings with additional requirements for PIN-based transactions. Additionally, the solution will have a validated software application on the device that can securely accept PIN-based transactions. The other critical part of the solution will be a robust monitoring system that ensures there are no anomalies in the environment and that the integrity of the other components is maintained.
Solution providers and application developers can use the standard to design a complete solution, or one of these three components.
How do the Security Requirements and the Test Requirements work together to provide secure solutions?
Troy Leach: The documents are aligned around the goal of securing PIN-based payment transactions on a COTS device. The difference between the two sets of requirements is mostly the intended audience. Security Requirements are objectives expected to be met by the solution provider in their design, and for other organizations to use in understanding expectations for securing these types of payments. Test Requirements create validation mechanisms for labs to use to evaluate the relative security.
Consistent with other PCI Standards, the two documents are intended to be used together to fully understand the requirements, both security and testing, that apply to all stakeholders involved.
When is a validation program for Software PIN-Entry on COTS solutions expected to be available?
Troy Leach: We are developing a phased validation process covering the assessment labs first and then the solutions that have completed an evaluation. We plan to have the program expectations available before the end of April 2018. At that time, labs will be able to submit Software PIN-Entry on COTS reports to the PCI SSC for solutions to be PCI validated and listed on the PCI SSC website.
What happens next in this process, and what should stakeholders expect?
Troy Leach: PCI SSC will complete its review of stakeholder feedback and final document revision and expects to publish the Security Requirements on the PCI SSC website in early 2018, followed by the Test Requirements. Note that once a new standard is published, it is not unusual to have a potential errata or revision within the next year to provide clarifications to intentions or add alternative security controls. As we do with all of our standards, we will keep stakeholders informed as we monitor the standard and its adoption.