The PCI Security Standards Council (PCI SSC) has published a new, optional, Software-based PIN Entry on COTS (SPoC)™ Annex for Unsupported Operating Systems (“Unsupported OS Annex”) version 1.0. The purpose of this Annex is to provide additional security and testing requirements to allow solution providers to develop SPoC solutions that merchants can use on commercial off-the-shelf (COTS) devices with unsupported operating systems. The Unsupported OS Annex incorporates stakeholder feedback and comments received via a formal request for comment (RFC) period.
In this post we talk with PCI SSC SVP and Standards Officer Emma Sutcliffe about the new Annex.
Why did PCI SSC develop the Unsupported OS Annex?
Emma Sutcliffe: Some merchants have no access to modern COTS devices or are unable to upgrade their existing COTS devices. Adding this optional support for COTS devices with unsupported operating systems allows merchants to use the security of a SPoC solution. The objective is to provide an additional layer of rigorous security controls to reduce the impact to the security of sensitive assets as a result of using COTS devices with unsupported operating systems.
How does the Annex add support for COTS devices with unsupported operating systems?
Emma Sutcliffe: The security and testing requirements described in the Unsupported OS Annex are designed to protect the confidentiality and integrity of PINs captured on COTS devices with an unsupported operating system. These requirements are intended for SPoC solution providers with demonstrated knowledge and expertise in addressing the threats and vulnerabilities associated with unsupported operating systems, and that have implemented robust risk-management practices as an integral part of the management of the solution.
It is also important to note that the option to use COTS devices with an unsupported operating system is provided for SPoC solutions only, because account data is captured in an external card reader (e.g., SCRP) and not on the COTS device itself. COTS devices with unsupported operating systems cannot be used in Contactless Payments on COTS (CPoC™) solutions.
Who is required to comply with the security and test requirements in the Unsupported OS Annex?
Emma Sutcliffe: The security objectives outlined in the SPoC Unsupported OS Annex are required only for solutions that include unsupported operating systems in their COTS system baseline.
What do SPoC solution providers and SPoC labs need to know about the Unsupported OS Annex?
Emma Sutcliffe: Like the approach we have taken with our Software Security Framework and 3DS Core Standards, the SPoC Unsupported OS Annex has adopted an objective-based approach in defining the security requirements to mitigate the risks associated with the use of unsupported operating systems. This approach, which has been well received by the industry, acknowledges that there is no one-size-fits-all method to address the issue of unsupported COTS operating systems, and SPoC solution providers need the flexibility to determine the most appropriate methods to address risks.
SPoC solution providers wishing to support COTS devices with unsupported operating systems are expected to possess a robust risk-management practice as an integral part of their “business-as-usual” operational process. SPoC solution providers must have the required knowledge, skillset and processes in place to continuously identify security vulnerabilities in the unsupported COTS platforms supported by the solution and have countermeasures in place to address these vulnerabilities that could otherwise impact the security of the SPoC solution or its components.
The SPoC Unsupported OS Annex and supporting documentation, including Technical FAQs, Program Guide, and updated reporting templates, are available in the PCI SSC Document Library.