The PCI SSC has announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets. The PCI Software-Based PIN Entry (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The security requirements are for solution providers to use in developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP). Here we talk with PCI SSC Chief Technology Officer Troy Leach about the new standard, what makes it different than other PCI PIN Standards, and how it’s designed to secure payment data.
Tell us about this new standard and what it means for the payment card industry?
Troy Leach: The most significant shift is how we use a well-known verification method, PIN, and securely enter that information in a new way on a new device category. Traditionally, accepting PIN required hardware-based mechanisms, such as an electronic PIN pad. However, with advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device. The existing PCI PIN Transaction Security Point of Interaction (PTS POI) Standard remains relevant and will continue to be used by hardware vendors to deliver solutions to market.
How is this standard different from the PCI PTS POI Standard?
Troy Leach: The PCI Software-Based PIN Entry (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. The PCI PIN Transaction Security Point of Interaction (PTS POI) Standard will continue to apply to dedicated point of interaction devices for the purpose of payment acceptance. One difference between the two standards is that acceptance and security controls are contained within the physical boundaries of the device for the PTS POI Standard, whereas the SPoC Standard introduces a different set of security controls to mitigate risks associated with a software-centric solution.
For the SPoC Standard, we have introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies.
However, there are also many similarities between the two standards such as expectations in security design. In fact, a requirement of software-based PIN entry is that the account data is received and encrypted by a Secure Card Reader for PIN (SCRP) attached to the COTS device. That is a new form factor that will be introduced within PCI PTS POI v5.1, which will be released soon.
Who is the standard designed for specifically?
Troy Leach: The standard is comprised of two documents – the Security Requirements and the Test Requirements.
Security Requirements are objectives for the solution provider that designs the overall solution or components, such as the application that receives the PIN. The Security Requirements can also help other organizations understand expectations for securing these types of payments.
The Test Requirements create validation mechanisms for payment security laboratories to evaluate the security of a solution. These will be published in the next month, followed by a supporting program that will list PCI validated Software-Based PIN Entry Solutions on the PCI SSC website for merchant use.
What are some of the key areas that the Security Requirements address?
Troy Leach: The standard is made up of several core principles, which will factor into the solution as a whole:
- Isolation of the PIN from other account data;
- Ensuring the software security and integrity of the PIN entry application on the COTS device;
- Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet;
- Required Secure Card Reader for PIN (SCRP) to encrypt and maintain confidentiality of account data;
- Transactions restricted to EMV contact and contactless.
Explain how the standard addresses the security of the PIN in this environment?
Troy Leach: A key security objective is to isolate the PIN within the COTS device from the account identifying information, which might be used in a correlation attack. A correlation attack occurs when a fraudster can obtain some payment data elements, such as magnetic stripe track 2 data, from one part of the payment ecosystem (e.g. skimming of payment card), and another data element such as a PIN from a separate attack, and then manages to link these data elements to enable a fraudulent transaction.
This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN. Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction.
The standard requires that the PIN is further protected by the continuous monitoring of the environment to confirm the integrity of the PIN CVM Application that receives the PIN as well as for anomalies in the COTS environment.
Software security is an important element of this standard and a priority focus area for the PCI SSC. Can you talk about how the security requirements emphasize software security?
Troy Leach: Software security is critical to protecting payment data in these types of transactions. PIN CVM Applications will provide security for the user interface for PIN entry, the initial encryption of the PIN and delivering the encrypted PIN to the SCRP. It is important to get that right.
As such, the standard emphasizes secure software development and release practices as well as many software protections to maintain integrity against attack. The monitoring environment is an important control that supplements the software security by continuously validating the integrity of the COTS software security environment.
You mentioned active monitoring as a key security principle. How does the standard address this component?
Troy Leach: The SPoC Standard includes a number of requirements to ensure that the overall solution, PIN CVM application or the COTS device itself has not been manipulated or compromised. These security requirements are designed to monitor the systems continuously for anomalies or other errors. Reporting of these anomalous activities are required to be reviewed quickly and resolved according to the established automated and manual procedures.
What makes up a PCI Software-Based PIN Entry Solution?
Troy Leach: The primary elements of the solution will include a Secure Card Reader for PIN (SCRP) that will be similar to the existing SCR listings with additional requirements; a validated software application on the COTS device that can securely accept PIN; and a robust monitoring system that checks for anomalies in the environment and integrity of the other components within the solution.
Solution providers and application developers can use the standard to design each part of a complete solution. The validation program is still being finalized but when available later this year, the solution provider will submit the full SPoC Solution for evaluation. The final reports will be submitted to the PCI SSC for validation and listing on the PCI SSC website.
Does this new standard remove the need for POS hardware such as payment terminals and card readers?
Troy Leach: No. This standard is intended to address innovations for acceptance by offering an optional alternative to traditional hardware terminals and PIN entry devices. The SPoC Standard requires the use of hardware to provide account data protection using encryption established by a PCI SSC approved Secure Card Reader for PIN (SCRP). By using an SCRP, the standard ensures account data is kept separate from PIN data.
What impact does this standard have on POS terminal vendors?
Troy Leach: There is no impact on POS terminal vendors. We expect PCI approved PTS POI PED devices will continue to be used. Vendors will be able to continue to submit their range of devices for PCI approval, and this new standard will simply provide vendors with another option to add to the portfolio of payment solutions that they offer.