PCI SSC recently completed the first of two request for comments (RFC) periods on the draft PCI Contactless Payments on COTS Standard and published a Magnetic Stripe Readers (MSR) Annex to the Software-based PIN Entry on COTS (SPoC) Standard. Chief Technology Officer Troy Leach discusses these new initiatives and explains how they fit into the PCI Council’s overall approach to developing standards and programs that support mobile payment acceptance.
First, can you provide some insight into the PCI Council’s approach to developing standards and programs that support mobile payment acceptance?
Troy Leach: Merchants want affordable, flexible and safe options for mobile payment acceptance that allow them to best serve their customers. The PCI Council’s focus is to develop security standards and programs for payment acceptance solutions that give merchants secure options they can trust to support their customers and protect the integrity and confidentiality of their payment data.
PCI Standards have supported mobile payment acceptance for many years, with the PCI PIN Transaction Security Point of Interaction (PTS POI) Standard providing security and testing requirements for mobile devices dedicated to payments. With a growing number of merchants now using smartphones and other commercial off-the-shelf (COTS) devices, PCI SSC has expanded its support for mobile payment acceptance to develop new standards that leverage security techniques to provide proactive controls for managing threats and protecting data. These include the Software-based PIN Entry on COTS (SPoC) Standard, as well as the Contactless Payments on COTS (CPoC) Standard currently in development.
What’s new with SPoC?
Troy Leach: We’ve just published a Magnetic Stripe Readers (MSR) Annex to the Software-based PIN Entry on COTS Standard, which provides an optional path for vendors to develop SPoC Solutions that support merchant acceptance of both magstripe and chip card payments using a single solution. The SPoC Annex outlines additional security and testing requirements for SPoC Solutions. This is optional support for magnetic stripe readers (MSR) that are used with a SPoC PIN CVM Application for payment acceptance.
The annex does not introduce any changes to SPoC or PTS Secure Card Reader - PIN (SCRP) Requirements. There are minor modifications to the SPoC Program Guide to accommodate the evaluation and listing of MSRs used in SPoC Solutions and to the Attestation of Validation (AOV) to include MSRs as a supported device type. We’ve also updated the SPoC Technical FAQs to align with the publication of the annex and to include guidance on what is considered “correlatable data” and further clarification on which MSR devices can be used with a SPoC Solution.
The annex incorporates stakeholder feedback received during the request for comments (RFC) period earlier this year, and it is available now for use by vendors that wish to submit their Magnetic Stripe Reader(s) for evaluation and approval and SPoC Solution providers that want their SPoC Solution to be capable of accepting magnetic stripe cards.
We plan to begin work on version 2.0 of the SPoC Standard later in 2019, which will incorporate the annex and include additional updates to the standard. The draft standard will be shared with PCI SSC stakeholders via the RFC process in early 2020.
How does the SPoC Annex fit into the PCI Council’s approach to mobile payment acceptance security standards?
Troy Leach: Since publication of the SPoC Standard in 2018, PCI SSC received industry feedback that adding support for magnetic stripe readers to the standard would benefit both merchants that accept loyalty and gift cards, which are enabled for magstripe transactions only, and merchants in less mature EMV markets where magstripe card acceptance is still common.
We’ve responded to this feedback by developing the SPoC Annex. By providing vendors the option to add MSR support to their SPoC Solutions, the intent is to enable a secure way for merchants to accept both magstripe and chip card payments using a single SPoC Solution.
How does the SPoC Annex ensure protection for payment data in SPoC Solutions that support magnetic stripe transactions?
Troy Leach: A critical security aspect of the SPoC Annex is that the Track 2 data and the associated PIN cannot be obtained together and that the account data remains encrypted within the COTS environment. When undertaking an MSR transaction, the PIN keypad is not displayed and no PIN entry can be prompted. All MSRs associated with a SPoC Solution will encrypt account data within the reader, at which point it will remain protected until decrypted in the separate processing environment.
What is the latest on the development of the Contactless Payments on COTS (CPoC) Standard?
Troy Leach: We just completed the first RFC for the CPoC Standard. We are now reviewing this feedback and will be sharing the summary of how we are addressing it with those that participated, per the new additions to our RFC process. A second RFC is currently planned for August 2019, which will be open to the PCI Mobile Task Force, Participating Organizations, assessors and labs.
How will this new PCI contactless standard support secure mobile payment acceptance?
Troy Leach: The PCI Council has had standards for traditional contactless payment acceptance, or “tap and go”, for years. But the PCI Contactless Payments on COTS (CPoC) Standard focuses on a new area for us: identifying security strategies for demonstrating a contactless transaction can remain secure using a commercial off-the-shelf (COTS) mobile device.
The intent of this new contactless standard is to standardize the security of solutions that enable merchant acceptance of contactless payments on their COTS device without the need of any additional hardware. This will provide many more opportunities for merchants, especially those not based in a fixed location or those new to card acceptance, to accept contactless payments in a secure manner.
What constitutes a CPoC Solution according to the CPoC Standard?
Troy Leach: The primary elements of a CPoC Solution include a COTS device with an NFC (near-field communication) interface embedded into the COTS device to read the payment card or the payment device initiating a non-PIN-based contactless transaction; a validated payment acceptance software application that runs on the merchant COTS device; and back-end systems that are independent from the COTS device and support monitoring, integrity checks and payment processing.
Through a combination of the merchant application and the back-end systems, merchants and consumers can have confidence in the security of the CPoC Solution and the contactless transaction.
What makes the CPoC Standard different from SPoC, which also supports contactless payments?
Troy Leach: There are many similarities in our approach to security requirements for both standards. The design of the payment acceptance method is what makes each unique and requires separate testing and a separate standard.
For SPoC, it is designed specifically first for PIN entry using a validated external reader (i.e., SCRP) within a COTS environment, whereas CPoC uses the NFC interface directly in the COTS device without the allowance of PIN entry.
Will PCI SSC consider PIN entry for CPoC in the future?
Troy Leach: As of now, CPoC is not being designed for PIN entry. However, as part of our process for maintaining and evolving our standards, we will monitor this aspect and what’s needed to best support the industry moving forward. Maintaining security and isolation of the PIN from other cardholder data remains a priority for all of our standards.