PCI Security Standards Council Publishes Security Requirements for Software-Based PIN Entry on COTS Devices
Today the PCI Security Standards Council (PCI SSC) announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices, such as smartphones and tablets. The PCI Software-Based PIN Entry on COTS (SPoC) Standard provides requirements for developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
“Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency. MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere. However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive,” said Aite Group Senior Analyst Ron van Wezel. “With the new PIN entry standard, the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application. The payment industry will benefit overall from the wider choice in payment acceptance, as it will drive the growth of electronic transactions.”
“The PCI Council has a long history of developing standards for protecting PIN as a verification method in hardware-based solutions. Existing PCI PIN Standards require hardware-based security protection of the PIN,” said PCI SSC Chief Technology Officer Troy Leach. “We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself. The PCI Software-Based PIN Entry Standard gives solution providers and application developers a baseline of security requirements specifically for accepting EMV contact and contactless transactions using software-based PIN entry.”
Key security principles included in the standard’s security and test requirements are:
- Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet;
- Isolation of the PIN from other account data;
- Ensuring the software security and integrity of the PIN entry application on the COTS device;
- Protection of the PIN and account data using a PCI approved Secure Card Reader for PIN (SCRP).
The Software-Based PIN Entry on COTS Security Requirements are for solution providers to use in designing each part of a complete solution. These requirements are available now on the PCI SSC website.
The Software-Based PIN Entry on COTS Test Requirements outline testing processes for laboratories to use in evaluating solutions against the standard. These will be published in the next month, followed by a supporting program that will list PCI validated solutions on the PCI SSC website for merchant use.
For more information on the new standard, read the PCI Perspectives blog post “New PCI Software-Based PIN Entry on COTS Standard”.
“This standard gives solution providers and application developers a baseline of security requirements for how to securely accept PIN-based transactions on a COTS device, as well as methods to test that security is working, even as updates to the devices and applications occur frequently. PCI validated solutions will meet a robust set of security objectives that have been tested by independent laboratories,” added Leach. “More and more businesses are now accepting payments with smartphones, tablets and other COTS devices, especially within the small business community. The PCI SSC Software-Based PIN Entry Solution listing will provide these merchants with a resource for selecting PIN entry solutions that have been evaluated and tested by payment security laboratories, and their customers will benefit by having the best available protection for their payment data.”
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.
PCI Security Standards Council
Mark Meissner, +1-202-744-8557
About Business Wire
(c) 2018 Business Wire, Inc., All rights reserved.
Business Wire, a Berkshire Hathaway company, is the global leader in multiplatform press release distribution.