Today, the PCI SSC published a minor revision to the PCI SPoC Security Standard. Version 1.1 of the standard aligns with the recently published PCI PTS POI v6.0, allowing SPoC solutions to work with PCI PTS SCRP devices that support magnetic-stripe readers.
In this post we talk with PCI SSC SVP and Standards Officer Emma Sutcliffe about the revised standard.
What is the PCI SPoC Standard?
Emma Sutcliffe: The PCI Software-based PIN Entry on COTS (SPoC) standard allows solution providers to support mobile payment acceptance using smartphones and other commercial off-the-shelf (COTS) devices in a secure fashion, leveraging proactive security techniques to manage constantly evolving threats and to protect payment data.
Why is PCI SSC introducing SPoC Standard version 1.1?
Emma Sutcliffe: SPoC v1.1 includes a minor revision of the SPoC Standard and the SPoC Magnetic Stripe Readers (MSR) Annex, mainly to align with the recently published PCI PTS POI v6.0. The updated security requirements and test requirements will allow SPoC solutions to integrate with PCI PTS SCRP devices that support magnetic-stripe readers.
What has been introduced in version 1.1?
Emma Sutcliffe: The existing security requirements have been updated to allow the SPoC solutions to work with SCRP devices that include an optional physical interface for reading magnetic-stripe cards as defined in PCI PTS v6.0. Additionally, the revision includes a number of clarifications based on feedback received from stakeholders – for example, providing additional guidance to clarify the frequency of the risk assessment.
What do Solution Providers and SPoC Labs need to know about the changes to the SPoC Program with this Standard update?
Emma Sutcliffe: There are several updates to the program, which will be reflected in the SPoC Program Guide v1.2. Two updates include the removal of the “Designated Change” change type and adding support for optional SPoC Application Programming Interfaces (APIs). These two changes align the SPoC Program Guide with the Contactless Payments on COTS (CPoC) Program Guide published at the end of 2019.
In addition, the updated SPoC Program Guide provides clarification around the use of vendor-supported COTS Operating Systems.
SPoC Labs should also be aware that, where a Solution Provider demonstrates PCI DSS or PCI PIN compliance for their backend environment(s), a current Attestation of Compliance (AOC) for the backend environment(s) must be received from the SPoC Solution Provider and provided to PCI SSC via the portal when the SPoC Solution is submitted for review.
How does the PCI SPoC v1.1 revision benefit the payment card industry?
Emma Sutcliffe: By supporting PTS SCRP devices that include the ability to read magnetic-stripe cards, the SPoC solutions provide merchants with the option to use PTS approved devices, which include tamper-resistance and tamper-responsiveness, thereby increasing their resilience against the threat of data compromise.
In 2019, PCI SSC stated that it would begin work on version 2.0 of the SPoC standard, which would incorporate the Annex and provide additional updates. Will the SPoC Annex be incorporated in this v1.1 revision of the Standard?
Emma Sutcliffe: No. Over the course of the year, the priorities and feedback from the payment industry have evolved. Considering that a primary goal of this revision is to align with the publication of PCI PTS POI v6.0, the SPoC MSR Annex will remain as a standalone document with security requirements and test requirements for solution providers who want to support optional standalone magnetic-stripe reading devices in SPoC solutions.
What updates have been made to the Technical FAQs?
Emma Sutcliffe: The updated Technical FAQ document – now version 1.5 – includes additional clarification on the use of supported COTS operating systems, and many important program-related questions. SPoC vendors and labs should take the time to review the additional information and clarifications published.
Also on the blog: PCI on Mobile Payment Acceptance: SPoC and Contactless Updates