The PCI Security Standards Council (PCI SSC) has published a new data security standard for solutions that enable merchants to accept contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device with near-field communication (NFC). Here’s what you need to know about the new PCI Contactless Payments on COTS (CPoC™) Standard and its supporting validation program.
What: A COTS device is a mobile device (e.g., smartphone or tablet) that is designed for mass-market distribution. Contactless or “tap and go” payments are made by a cardholder using a contactless-enabled card or device (e.g., wearable, phone, tablet).
The PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader.
The PCI CPoC Program enables solution vendors to have their solutions evaluated against the PCI CPoC Standard. Validated CPoC Solutions will be listed on the PCI SSC website as a resource for merchants and acquirers in selecting contactless acceptance solutions that have been developed and lab-tested to protect payment data.
Why: The PCI CPoC initiative is part of the Council’s mission to enhance global payment account data security by developing standards and programs that support secure payment acceptance in new and emerging payment channels. Ultimately, the PCI CPoC Standard and Program will lead to more options for merchants to accept contactless payments in a secure manner.
Who: The security and test requirements outlined in the PCI CPoC Standard apply to organizations developing, managing, or deploying contactless payments on COTS solutions, evaluator labs, and assessors.
Specifically, solution providers follow the security requirements when designing contactless payments on COTS solutions, while PCI-recognized laboratories (CPoC Labs) use the test requirements to evaluate the security of those solutions. The laboratories approved to perform evaluations of CPoC solutions will be listed on the PCI SSC website.
Merchants and acquirers can use the validated CPoC Solutions listing on the PCI SSC website to identify contactless acceptance solutions that have been developed and lab-tested to protect payment data.
How: The PCI CPoC Standard is designed to help vendors develop solutions that protect the confidentiality and integrity of payment account data through a combination of the payment application on the COTS device and the back-end systems. This includes proactive monitoring and integrity checks to ensure the security of the solution is not compromised.
Through the PCI CPoC Program, vendors submit their solutions and required documentation to CPoC Labs, as described in the PCI CPoC Standard and Program Guide. CPoC Labs perform validation testing and document their findings to confirm a solution meets the security requirements in the PCI CPoC Standard and then submit a report to PCI SSC for technical review. Once the report is reviewed and approved by the Council, the CPoC Solution will be listed on the PCI SSC website. This process is described in detail in the PCI CPoC Program Guide.
When and Where: The PCI CPoC Standard and Program Guide are available now in the Document Library on the PCI SSC website.
PCI SSC expects the first solution evaluations to take place in 2020. Once a CPoC Solution is validated, it will be listed on the PCI SSC website under Products and Solutions.