PCI SSC has published Software-based PIN-entry on COTS (SPoC)™ v1.1, Contactless Payments on COTS (CPoC™) v1.0 and has updated Technical FAQs for both. So, what is next for new standards development in mobile?
In response to industry feedback, PCI SSC is expanding its suite of mobile payment security standards with a new standards effort for contactless on commercial-off-the-shelf (COTS) devices to address PIN acceptance. The effort has the working title of Contactless on COTS with PIN.
While the PCI SSC security standards already provide for contactless with PIN on purpose-built devices through the PTS POI program and on mobile COTS devices through the SPoC program, the new standard will address the native NFC capabilities and the advances in security technology in COTS mobile devices (for example, trusted execution environment (TEE), secure element (SE), secure paths, and trusted application (TA)) that support secure use of screen entry and NFC capture.
This new initiative will protect PAN and PIN through data isolation and data confidentiality mechanisms, and will protect application and data integrity through cryptographic techniques, attestation controls, and back-end monitoring. The initiative is also intended to address software development kits (SDKs) that can provide some portion of the overall solution.
The development of the new standard is currently underway, and it will follow the PCI SSC standard release process with two RFC opportunities for our community. We expect the first draft to be ready by Q2 2021, with the first RFC starting shortly after. This will be followed by a review period and the second RFC before the document can be finalized and released. While the final completion date will depend on the feedback and comments received, it is currently anticipated for Q4 2021.