At the PCI Security Standards Council (PCI SSC) we continue to evolve PCI Security Standards to provide even further benefits to the payment card industry. This includes making updates to existing standards and introducing new standards to improve security while facilitating better payment experiences and adapting to advancements in technology.
In the area of mobile payment acceptance, over the past year PCI SSC has been discussing with stakeholders plans to update the PCI Software-based PIN Entry on COTS (SPoC) Standard (originally published in 2018) and to introduce a new standard for contactless payments on commercial off-the-shelf (COTS) devices. Here we provide a brief update on what to expect for these standards in 2019.
PCI SPoC Magnetic Stripe Reader (MSR) Annex Planned for May 2019; RFC in Late-February
PCI SSC originally developed the PCI SPoC Standard (published in January 2018) and program in response to market demands for secure SPoC solutions in mature EMV markets. Since its publication, we have heard from industry stakeholders that changing the SPoC Standard to allow non-PIN based magnetic stripe transactions would benefit less mature EMV markets where magnetic stripe with signature (or no CVM) transactions are still common.
We are responding to this industry feedback by developing a temporary extension to the SPoC Standard in the form of a standalone “Annex” document. The PCI SPoC Magnetic Stripe Reader (MSR) Annex will outline the security and testing requirements needed to ensure the protection of account data accepted through SPoC solutions that support magnetic stripe transactions. The intent is to broaden the applicability of the SPoC Standard to meet the need for SPoC solutions that provide merchants in relevant markets with a secure option for acceptance of non-PIN based magnetic stripe transactions.
As part of the PCI SPoC MSR Annex development process, a request for comments (RFC) period will be conducted in late-February 2019. The goal of the 30-day RFC period is to give PCI SSC Participating Organizations, assessors and labs the opportunity to provide feedback on the draft security and testing requirements defined in the Annex. All feedback will be reviewed and considered for development of the final Annex, planned for publication in May 2019. PCI SSC will incorporate the Annex into the SPoC Standard as part of a revision anticipated for 2020.
PCI SSC stakeholders will receive communications with additional information on the SPoC MSR Annex and how to participate in the late-February RFC period.
PCI Contactless Payments on COTS Standard on Track for End of 2019; First RFC in Late-March
Efforts are underway to develop a security standard for accepting contactless payments on a merchant’s commercial off-the-shelf (COTS) phone or tablet. PCI SSC is targeting publication of the Contactless Payments on COTS Standard by the end of 2019.
The aim is to develop security requirements for solutions that enable a merchant’s COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader by leveraging the native NFC capabilities inherent to a COTS phone or tablet. This includes specific criteria for how solution providers protect payment data within their offerings, as well as the test requirements for laboratories to demonstrate the effectiveness of that security.
Currently we are drafting the standard as well as the derived test requirements. Following development of the standard, we will begin work on the accompanying program guide and supporting documents, which will facilitate the assessment by PCI-recognized labs and subsequent listing of these solutions on the PCI SSC website.
As part of this process, we will be soliciting feedback on these documents from the payment card industry over the next few months. This will include gathering input from our dedicated PCI Mobile Task Force comprised of more than 100 PCI constituents, and conducting two request for comments (RFC) periods with PCI SSC stakeholders.
The first RFC period is targeted for late-March 2019. PCI SSC stakeholders can expect additional communications from PCI SSC with information on the standard and RFC opportunities.