The PCI Security Standards Council has been working with industry stakeholders to develop a security standard for software-based PIN entry on mobile point-of-sale (POS) devices. Specifically, the security standard will help mobile solution providers to develop products that enable merchants to securely accept PIN-based payments with the PIN entered on a commercial off-the-shelf (COTS) device, such as a consumer-grade mobile phone or tablet. Since our last blog post on this initiative, PCI SSC has received great interest and feedback from the industry. Here we get an update from PCI SSC CTO Troy Leach on the standard’s development and address some of the key questions we are hearing. This topic will also be covered at next week’s PCI Europe Community Meeting in Barcelona.
What is the intent of creating a PCI Standard for software-based PIN entry on COTS?
Troy Leach: More and more businesses are using mobile phones and other commercial off-the-shelf (COTS) devices to accept and process payments. The intent of creating this new security standard is to enable these merchants to securely accept PIN-based payments with the PIN entered on the COTS device.
Newer capabilities in mobile technology now provide an opportunity to secure payment transactions differently than what was previously available while maintaining a level of trust. Most notably, there is now the capability to demonstrate consistent protection and isolation of PIN from EMV-equivalent data throughout the payment transaction.
This new PCI Standard exclusively addresses the PIN when entered by the cardholder in order to separate PIN from EMV track equivalent data. It requires the use of a secure EMV-only card reader, where hardware is the first line of defense.
The standard defines security requirements for existing and future payment acceptance that hopefully will continue to encourage innovation for how we authenticate transactions and protect the payment data.
How does providing a security standard for this method of payment acceptance ultimately benefit the industry?
Troy Leach: This standard will give mobile payment solution providers and application developers a baseline of security requirements for how to enter a PIN into a COTS device, as well as methods to test that security is working, even as updates to the mobile devices and applications occur frequently. This will result in secure solutions that are independently tested to demonstrate PIN is isolated from the EMV data and will provide continuous protection, through ongoing monitoring and other controls.
Merchants benefit by using solutions that have been vetted by payment security laboratories, and their customers benefit by continuing to trust that their payment data remains protected.
How will this standard ensure the security of the PIN in this environment?
Troy Leach: A key security objective is to isolate the PIN at all times from the account identifying information, which may be used in a correlation attack. A correlation attack occurs when a fraudster can obtain some payment data elements, such as magnetic stripe track 2 data, from one part of the payment ecosystem (e.g. skimming an ATM card), and another data element such as a PIN from a separate attack, and then manages to link these data elements to enable a fraudulent transaction.
The standard addresses the security of software-based PIN entry solutions regardless of whether the PIN entered is associated with a credit, debit, or prepaid card, in order to protect and isolate the PIN from the other account identifying information so that it cannot be used in a future correlation attack.
How will the standard require that PIN isolation be done?
Troy Leach: With the exception of PIN entry, the standard requires that transaction security is handled by a secure card reader. The secure card reader encrypts the PAN read from the card, which means it is not available in clear text on the COTS device. It then translates and re-encrypts the PIN received from the COTS device with a key never available to the COTS device.
This approach allows for the PIN to be encrypted in software when entered from the COTS device's touchscreen and prevents the EMV track equivalent data, including PAN, from being available to the COTS device in clear text form as part of a PIN authorized transaction.
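The split described in this answer, and the correlation-attack concern raised earlier, modelled in code. This is an added example, not part of the original post and not the standard's own code or crypto: the reader, the app and the acquirer are simulated in one process, the cipher is an HMAC-SHA256 keystream with a tag standing in for whatever a real secure card reader uses, and the PIN block format is assumed to be ISO 9564 format 0 purely to show why the party that forms the PIN block must hold the PAN. Keys, the transaction id, the PIN and the PAN are constructed test values.

```python
"""PIN/PAN split of a SPoC-style transaction (added example, not the standard's code).
Assumed for illustration: an HMAC-SHA256 keystream-plus-tag cipher standing in for the
reader's real one, and ISO 9564 format 0 PIN blocks. App and reader share one key; the
reader and acquirer share another, which the app never holds."""
import hashlib
import hmac
import os

NONCE_LEN = TAG_LEN = 16


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC under a fresh nonce; aad binds the blob to one transaction."""
    if len(plaintext) > 32:
        raise ValueError("plaintext longer than the keystream")
    nonce = os.urandom(NONCE_LEN)
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag, then decrypt; ValueError on a wrong key, wrong aad or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field (12 digits left of the check digit)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


class CotsPinApp:
    """Software PIN entry on the phone; holds only the key shared with the reader."""
    def __init__(self, reader_key: bytes) -> None:
        self._reader_key = reader_key

    def capture_pin(self, pin: str, txn_id: bytes) -> bytes:
        # The PIN leaves the app only encrypted to the reader and bound to this transaction.
        return seal(self._reader_key, pin.encode(), aad=txn_id)


class SecureCardReader:
    """SCRP-style reader: the only party that ever holds both clear PIN and clear PAN."""
    def __init__(self, reader_key: bytes, acquirer_key: bytes) -> None:
        self._reader_key, self._acquirer_key, self._pan = reader_key, acquirer_key, None

    def read_card(self, pan: str, txn_id: bytes) -> bytes:
        self._pan = pan  # stays inside the reader
        return seal(self._acquirer_key, pan.encode(), aad=txn_id)  # relayed by the app, opaque to it

    def translate_pin(self, enc_pin: bytes, txn_id: bytes) -> bytes:
        pin = open_(self._reader_key, enc_pin, aad=txn_id).decode()
        block = iso0_pin_block(pin, self._pan)
        self._pan = None  # PAN discarded once the PIN block exists
        return seal(self._acquirer_key, block, aad=txn_id)  # key the app never holds


def acquirer_verify(acquirer_key: bytes, enc_pan: bytes, enc_block: bytes, txn_id: bytes, pin_on_file: str) -> bool:
    # Host side: decrypt PAN and PIN block under the acquirer key and compare.
    pan = open_(acquirer_key, enc_pan, aad=txn_id).decode()
    block = open_(acquirer_key, enc_block, aad=txn_id)
    return hmac.compare_digest(block, iso0_pin_block(pin_on_file, pan))


def run_transaction(pin: str, pan: str, reader_key: bytes, acquirer_key: bytes, txn_id: bytes) -> dict:
    """One PIN-authorised transaction; returns every blob that passed through the app."""
    app, reader = CotsPinApp(reader_key), SecureCardReader(reader_key, acquirer_key)
    enc_pan = reader.read_card(pan, txn_id)
    enc_pin = app.capture_pin(pin, txn_id)
    enc_block = reader.translate_pin(enc_pin, txn_id)
    return {"enc_pan": enc_pan, "enc_pin": enc_pin, "enc_block": enc_block}


def recoverable_with_reader_key(artefacts: dict, reader_key: bytes, txn_id: bytes) -> list:
    """Everything a fully compromised app could decrypt with the one key it holds."""
    out = []
    for blob in artefacts.values():
        try:
            out.append(open_(reader_key, blob, aad=txn_id))
        except ValueError:
            pass  # enc_pan and enc_block are under the acquirer key and do not open
    return out


if __name__ == "__main__":
    rk, ak, txn = os.urandom(32), os.urandom(32), b"txn-0001"  # constructed keys and txn id
    seen = run_transaction("1234", "4000123456789017", rk, ak, txn)  # constructed PIN and PAN
    print("app can recover:", recoverable_with_reader_key(seen, rk, txn))
    print("acquirer accepts:", acquirer_verify(ak, seen["enc_pan"], seen["enc_block"], txn, "1234"))
```

The point of the model is what `recoverable_with_reader_key` returns: an attacker who fully owns the app, including its key, gets the PIN digits but nothing that pairs them with a PAN, because the PAN only ever appears in clear inside the reader and in blobs under the acquirer key. Binding each blob to the transaction id also stops a captured PIN blob being replayed against a later card read.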
What about other data? Can you explain how the standard will make this approach to mobile payment acceptance secure and trustworthy?
Troy Leach: The standard requires three key areas to be addressed:
- Isolation of the PIN from other account data;
- Ensuring the software security and integrity of the PIN entry application on the COTS device;
- Active monitoring of the service, to mitigate potential threats to the payment environment within the phone or tablet.
Collectively, the standard will provide the requirements for each part of a complete solution: a new class of secure card reader (SCRP), the software application and the monitoring service. Vendors can use the standard to design a solution.
Can you talk about the process for developing this standard and explain why PCI SSC is taking this approach?
Troy Leach: Our approach is consistent with how we develop all PCI Standards, in which we draft standards based on market need and involve industry stakeholders in the process. We recognize that this is a complex environment for developing security requirements, and that the standard impacts many different parties. With that in mind, we have worked with the existing dedicated industry Mobile Task Force, along with other specific stakeholder groups to get input on how this will impact the industry and on the security approach we are taking.
Timing is critical as market adoption of this form of payment acceptance is increasing. We want to get these security requirements out as soon as possible to ensure that as these solutions are being developed, they are based on sound security principles and there is a level playing field for their assessment.
Our aim is to first get the standard to market to allow time for stakeholders to understand and review it, and then put in place a supporting validation program for solutions to be tested and listed for merchant use.
What happens next in this process, what should stakeholders expect?
Troy Leach: Next week we will provide the draft standard to PCI Participating Organizations, assessors and Recognized Laboratories for them to review and provide feedback on. The request for comments period (RFC) will run for 30 days, as is our standard process. After that, we’ll review the feedback and evaluate any changes that need to be made to the standard. From there, we’ll determine when it’s feasible to publish the standard. We are targeting the end of 2017.
As part of this initiative, the PCI SSC will also create a supporting program that will validate and list these solutions, or elements of these solutions, on the PCI SSC website. This is planned for later in 2018.
What should Participating Organizations and Assessors keep in mind when reviewing the draft standard and providing comments?
Troy Leach: With any RFC, the most important point to be conscious of is the intended audience for the standard. This standard consists of two related documents: the Security Requirements, which are primarily aimed at mobile solution and component providers, and the Derived Test Requirements, which are aimed at laboratories and assessors that evaluate these solutions and components.