The PCI Security Standards Council has been discussing with stakeholders plans for a new security standard that will enable merchants to accept PIN-based payments with the PIN entered on a commercial off-the-shelf device, such as a consumer-grade mobile phone or tablet. In this blog post with PCI SSC Chief Technology Officer Troy Leach, we address some of the key questions around this new initiative.
Is it true that the PCI SSC is working on a new standard for “PIN on glass” or “Mobile PIN” technology?
Troy Leach: Yes, we are starting work on a new standard that specifically focuses on software-based PIN-entry on commercial off-the-shelf (COTS) devices, such as consumer-grade mobile phones or tablets. This is in addition to other PCI Security Standards that already apply to ‘PIN on glass’ technology by addressing ‘glass’ devices like tablets and other touchscreen-based devices that are dedicated for mobile payment acceptance. In fact, there are numerous devices validated against the PIN Transaction Security Point-of-Interaction (PTS POI) standard that provide a secure capability for PIN-entry, either directly on a dedicated device or through a peripheral device that could be physically or wirelessly attached to a COTS device.
How will this new PCI standard be different from the existing PCI PIN Transaction Security (PTS) Standards?
Troy Leach: The key difference is software PIN-entry. This new standard will provide manufacturers a software-based approach for protecting PIN-entry on the wide variety of COTS devices in the market today. The PCI PTS POI standard will continue to apply to solutions relying upon protections provided by dedicated hardware and its operating system.
In developing this new standard, we will draw from lessons learned from years of doing PIN-entry security through hardware and also the mobile device evaluations against the PCI PTS POI Standard.
What will the PCI software-based PIN-entry on COTS standard address specifically?
Troy Leach: The standard is specifically for solutions that will enable merchants to accept PIN-based payments on a COTS device via software-based PIN capture solutions. It is still in the early stages of development, but the overall goal of the standard is to find a way to authenticate an untrusted device like a COTS device with enough trust elements to protect the overall integrity of the transaction.
These things may change as we get further along in the development process, but some of the specific areas we are exploring include: isolation of the PIN from other cardholder data; dedicated hardware for payment card entry (PTS approved SCRs); software security for mobile applications; and robust remote monitoring of the COTS device.
As part of this initiative, we are also looking at the potential for a supporting program that will validate and list these solutions, or elements of these solutions, on the PCI SSC website.
Why is the PCI SSC looking to address software-based PIN-entry on COTS now?
Troy Leach: The PCI SSC is constantly reviewing changes in payment technology and security techniques and whether our existing standards are flexible enough to address those advancements. Additionally, we work with many different stakeholders that have asked us to consider use cases currently in the market and whether there is clarification needed for existing standards or new forms of testing required that might lead to a new standard. After careful consideration, we determined it was appropriate to create a new standard to address both the risks unique to this payment channel as well as security controls that may only be appropriate as a requirement for these types of scenarios.
When can stakeholders expect a PCI standard for software-based PIN-entry on COTS to be available?
Troy Leach: We are working to have a draft standard available to PCI SSC Participating Organizations for comment in the October timeframe. This will be in addition to dedicated review and comment periods with PCI-recognized security evaluators and other industry stakeholders to determine not only the right type of security controls but also testing procedures that are realistic to demonstrate. In terms of when the final standard will be available, this ultimately depends on the amount and type of feedback we receive, but we are aiming to have it published by the end of 2017. We will keep stakeholders updated on timing as we get further along in the development process.