The PCI Security Standards Council (PCI SSC) announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices, including smartphones and tablets.
According to the press release on Wednesday, the PCI Software-Based PIN Entry on COTS (SPoC) Standard includes requirements for developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
Some of the key security and test requirements from the new standard include:
- Active monitoring of the service, to mitigate potential threats to the payment environment within the phone or tablet
- Isolation of the PIN from other account data
- Ensuring the software security and integrity of the PIN entry application on the COTS device
- Protection of the PIN and account data using a PCI-approved Secure Card Reader-PIN (SCRP)
“With the new PIN entry standard, the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost-efficient card reader connected to it along with a secure PIN entry application. The payment industry will benefit overall from the wider choice in payment acceptance, as it will drive the growth of electronic transactions,” said Aite Group Senior Analyst Ron van Wezel.