Earlier this year, the PCI SSC published the PCI Software-based PIN Entry on COTS (SPoC) Standard, which provides the security requirements and associated testing requirements for a software-based approach for protecting PIN entry on the wide variety of commercial off-the-shelf devices in the market today, such as smartphones and tablets. Today, the PCI SSC released the PCI SPoC Program Guide. Using this documentation, vendors can submit SPoC solutions to be validated and listed on the PCI SSC website for merchant use. Here we talk with PCI SSC Senior Director of Certification Programs, Gill Woodcock, about how vendors and labs can use the SPoC Program Guide to participate in the validation and listing process for SPoC solutions.
What is covered in the SPoC Program Guide?
Gill Woodcock: The SPoC Program Guide outlines elements of a SPoC solution, roles and responsibilities for various parties involved in development and validation of a SPoC solution, the evaluation and reporting process, and how to maintain a PCI validated SPoC solution listing on the PCI SSC website.
What are the elements of a SPoC solution?
Gill Woodcock: The primary elements of a SPoC solution as outlined in the PCI SPoC Standard and supporting Program Guide are a Secure Card Reader for PIN (SCRP); a validated PIN CVM Application that can securely accept PIN; a merchant’s COTS device; and a robust backend system that performs attestation, monitoring and processing.
Who is the SPoC Program Guide intended for?
Gill Woodcock: The SPoC Program Guide applies to vendors developing and seeking validation of their SPoC solution, and evaluation labs performing the testing and validation of solutions.
Can all PCI-recognized labs perform evaluations of SPoC solutions?
Gill Woodcock: No, only existing PCI-recognized labs that have been additionally qualified to conduct SPoC solution evaluations (SPoC labs) can determine whether a solution meets the requirements of the SPoC program. A list of PCI-recognized labs that can perform SPoC evaluations will be posted on the PCI SSC website.
Can you explain how the evaluation process works for SPoC solutions?
Gill Woodcock: All parts of a SPoC solution must be evaluated before that solution can be listed on the PCI SSC website. This includes the Secure Card Reader for PIN (SCRP) device (which must be approved to the PCI PTS Standard version 5.1 or higher), the PIN CVM application, the monitoring/attestation system, the Backend Monitoring Environment and the backend processing environment, if separate. We strongly recommend vendors interested in having their solutions evaluated read the SPoC Program Guide and contact a SPoC lab early in the process to understand the entirety of the evaluation process.
Do Qualified Security Assessors (QSA) have any role in SPoC solution evaluations?
Gill Woodcock: If PAN (primary account number) or SAD (sensitive authentication data) is stored, processed or transmitted anywhere in the SPoC solution’s Backend Monitoring Environment then that environment is in-scope for PCI DSS and must be assessed and validated by a QSA Company for compliance with the PCI DSS (including Appendix A3: Designated Entities Supplemental Validation (DESV)). The SPoC lab performing the solution evaluation must supply evidence that the PCI DSS assessment has been successfully completed as part of their submission to PCI SSC. Only SPoC labs are approved to evaluate SPoC solutions as meeting the requirements of the SPoC program and to make report submissions confirming that to PCI SSC.
How do the PCI PIN Security Requirements fit into SPoC solution evaluations?
Gill Woodcock: PIN processing (e.g. decryption of the PIN) must not be performed in the Backend Monitoring Environment. However, the backend processing environment that performs PIN decryption as part of the authorization must comply with PCI PIN Security Requirements per SPoC Security Requirement 5.1.3. The SPoC lab performing the solution evaluation must supply evidence that a successful PCI PIN Security assessment has been performed on the backend processing environment as part of their submission to PCI SSC.
What do merchants and acquirers need to know about the SPoC Program Guide and solution evaluation process?
Gill Woodcock: The SPoC Program Guide and solution evaluation process are aimed at vendors of solutions and the SPoC labs that will perform evaluations. Merchants and acquirers will benefit from a listing of PCI SPoC solutions on the PCI SSC website in due course. We hope to have solutions listed by the end of 2018. Look for more information from us about the benefits of using a PCI SPoC solution in your payment acceptance environment!