Earlier this year, the PCI SSC published the PCI Software-based PIN Entry on COTS (SPoC) Standard, which provides a software-based approach for protecting PIN entry on the wide variety of commercial off-the-shelf devices in the market today, such as smartphones and tablets. Today, the PCI SSC published several FAQs to help address common questions received from industry stakeholders. We look at a few of them here.
Q: Is Software-based PIN Entry on COTS (SPoC) synonymous with PIN on Glass?
A: No. The SPoC Standard covers a software-based approach for accepting PIN as the cardholder verification method on a merchant-owned COTS device. The phrase “PIN on Glass” is often used generically for a variety of use cases, with the only commonality being that a PIN value is entered onto a glass-based capture mechanism (i.e., a touch screen) on a variety of device types.
A SPoC Solution includes an SCRP (Secure Card Reader – PIN), a PIN CVM application, the merchant’s COTS device as well as back-end monitoring and attestation systems. These elements all work together to ensure the PIN, accepted by a software application on the COTS device, is isolated within the COTS device from other sensitive account data. The back-end monitoring and attestation systems continuously monitor the entire solution for anomalous activity and to ensure The Solution has not deviated from the baseline (i.e. tampering, rooting or physical attacks). In other words, within a SPoC Solution, the merchant-facing COTS device is only one element of the entire Solution, whereas a POI device is generally a single device.
There are numerous PCI PTS-approved hardware-based point of interaction (POI) devices for acceptance of PIN using a touch screen (i.e., “PIN on Glass”). These POI devices are purpose-built for payment acceptance. Therefore, care must be taken when using the generic phrase “PIN on Glass”, as, for example, a PTS-approved POI device that accepts PIN on Glass is very different from a SPoC Solution that uses a merchant-facing COTS device to accept PIN.
Q: Are non-EMV based contactless transactions allowed under the Software-based PIN Entry on COTS (SPoC) Standard?
A: The Standard has been developed for chip-based transactions which support dynamic transaction data. The only method explicitly excluded is contact magnetic stripe because it has static transaction data. Contact magnetic stripe read capabilities are not permitted within SCRPs and contact magnetic stripe transactions are not permitted to be accepted or processed by SPoC solutions.
Q: Are magnetic stripe-based transactions allowed by the Software-based PIN Entry on COTS Standard?
A: No. Contact magnetic stripe readers (MSR) are not allowed in a SPoC Solution. Only a Secure Card Reader – PIN, or SCRP, is allowed to be used with a PIN CVM application as part of a solution. The SCRP is a new type of Secure Card Reader (SCR) approval class within the PTS POI Standard that disallows any contact MSR capabilities. Only EMV contact and contactless transactions are allowed in the SPoC Standard. Simply disabling any contact MSR capabilities in the SCRP firmware or via the PIN CVM Application is not allowed – the SCRP shall not incorporate a contact MSR.
Q: Does the Software-based PIN Entry on COTS (SPoC) Standard cover both merchant COTS devices in attended and unattended environments in The Solution?
A: The intent of the SPoC Standard is for merchant COTS devices in attended environments. Attended environments apply when the COTS device is made available to the customer by the merchant during a payment transaction. Merchant COTS devices in unattended environments pose a higher risk of compromise and are not permitted under this Standard. Unattended environments are those in which the COTS device is not in the merchant’s physical possession at the time of the payment transaction (e.g., as part of a kiosk or a vending machine).
Q: What constitutes a SPoC Solution? Does the SPoC Standard cover separate components, or is it a single solution?
A: Only the Secure Card Reader – PIN (SCRP) will have a separate listing, as SCRPs are evaluated and listed under the PTS POI Standard. However, all SCRPs associated with a SPoC Solution will be included in the evaluation of that SPoC Solution and listed as part of its approval.
A SPoC Solution consists of one or more PCI-approved SCRPs, a PIN CVM Application, one or more merchant COTS devices, and back-end monitoring and attestation systems. The SPoC Solution will be listed on the PCI website along with its individual elements. There will not be any individual SPoC component listings (except for the SCRP, as detailed above) at this time.
Q: Can a merchant put together their own SPoC solution by choosing a SCRP, PIN CVM Application and back-end monitoring system?
A: No. Only complete SPoC Solutions will be approved and listed on the PCI SSC website.