Test Requirements are now available for the recently announced PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets. The PCI Software-based PIN Entry on COTS (SPoC) Standard provides a software-based approach for protecting PIN entry on the wide variety of COTS devices in the market today. Here we talk with PCI SSC Chief Technology Officer, Troy Leach, about the importance of the SPoC Test Requirements in bringing to market secure solutions for merchants that enable EMV® contact and contactless transactions with PIN entry on a COTS device using a secure PIN-entry application in combination with a Secure Card Reader for PIN (SCRP).
Who are the SPoC Test Requirements intended for?
Troy Leach: The SPoC Test Requirements are intended for use by laboratories evaluating the security of solutions that vendors submit for SPoC validation and listing on the PCI SSC website. Solution vendors may also use the Test Requirements in their development of solutions as a means of ensuring that the architecture and resulting product elements will meet the SPoC Security Requirements.
What do the SPoC Test Requirements cover?
Troy Leach: The SPoC Test Requirements support the SPoC Security Requirements. The document outlines the procedures that laboratories must perform in order for the solution to be validated and listed on the PCI SSC website. This includes assuring the solution meets each security requirement and is able to sustain criminal attacks.
The PCI SPoC Standard requires the inclusion of a Secure Card Reader – PIN (SCRP) in a SPoC Solution. When will security requirements be available for SCRP devices?
Troy Leach: Security requirements for SCRP devices are being added into the next version of the PIN Transaction Security Point of Interaction Modular Security Requirements and Testing Requirements (PTS POI), which will be published shortly.
This is very important because it introduces a brand new set of testing. Device vendors will submit SCRP devices to PTS Laboratories for security evaluation. Once approved, the device will be listed on the PCI SSC website and can be included in a full SPoC Solution for evaluation. Even if a device is in the market already, it will need to be validated as meeting these new requirements prior to being listed and included in a solution.
Can you provide more insight into the validation program being developed for SPoC?
Troy Leach: We expect to have the validation program documents ready in April. At that point existing PCI-Recognized Laboratories will be able to apply to become SPoC Laboratories and to test and validate SPoC Solutions. The SPoC Solution evaluation reports the labs create are then submitted to PCI SSC in order for the solution to be accepted and listed on the PCI SSC website. It’s important to be aware that SCRP devices will be evaluated and submitted through PCI SSC’s existing PTS program and listed on the PCI Approved PTS Device list. SPoC Solutions must include approved SCRP devices from this list. Also note that the SCRP is the only element of the solution that will be separately validated and listed – the SPoC PIN CVM application and monitoring system will be included in the overall SPoC Solution listing on the PCI SSC website.
Now that the SPoC Security Requirements and Test Requirements are both available, what is your advice to solution providers and device vendors interested in developing SPoC Solutions?
Troy Leach: While the Test Requirements are specifically for laboratories interested in becoming qualified to do SPoC Solution evaluations, the PCI SSC also encourages interested solution providers to review both the SPoC Security Requirements and Test Requirements to understand how their solution will be tested and validated as having met the intent of the standard. This will help with understanding questions asked by the lab and with efforts to demonstrate security to the lab.
Additionally, device vendors are encouraged to review the updated PCI PTS POI Modular Security Requirements when they are available soon to understand what’s necessary for getting Secure Card Reader for PIN (SCRP) devices tested and validated for inclusion in SPoC Solutions.
The SPoC validation program documentation is expected to be available in April 2018. It will include details about becoming a SPoC Solution provider and how to submit solutions for assessment, validation and listing on the PCI SSC website for merchant use.