The Council is currently working on the next evolution of its mobile security standards. To date, PCI SSC has two mobile standards: the PCI Software-based PIN Entry on COTS (SPoC) Standard, which provides a software-based approach for protecting PIN entry on the wide variety of commercial off-the-shelf (COTS) devices, and the PCI Contactless Payments on COTS (CPoC) Standard, which addresses security for solutions that enable merchants to accept contactless payments using a smartphone or other COTS mobile device with near-field communication (NFC). The Council is currently developing a new mobile standard that builds on the existing SPoC and CPoC standards and will be designed to support future evolution of mobile payments. The working title of this new standard is Mobile Payments on COTS.
Mobile Payments on COTS will be a modular, objective-based security standard that will support various types of payment acceptance channels and consumer verification methods on COTS devices. The standard will support existing SPoC and CPoC payment acceptance channels, as well as introduce new requirements to support emerging and evolving payment acceptance practices and technologies. Development of the new standard will also take into consideration observations and feedback received since the SPoC and CPoC programs were launched. The goal is to create a flexible mobile standard and program that supports a wide range of payment acceptance channels, different verification methods, and flexibility for payment solution development.
The new standard is being developed hand-in-hand with leading mobile payment security experts via the Council’s industry-led Mobile Task Force. An initial draft of the standard is currently underway. As always, the Council will seek industry feedback on the draft standard before it is finalized. A Request for Comment (RFC) period is planned in the second half of 2021, with a second RFC period planned in early 2022. The Council is targeting publication for the first half of 2022; however, completion of the standard will ultimately be driven by the feedback received during the development schedule.