The PCI Security Standards Council (PCI SSC) has announced security requirements for software-based PIN entry on commercial off-the-shelf devices (COTS) such as mobiles and tablets.
The PCI Software-Based PIN Entry on COTS (SPoC) Standard sets out measures that allow secure EMV contact and contactless transactions on the merchant's consumer device, using a secure PIN entry application combined with a Secure Card Reader for PIN (SCRP).
According to the security requirements, active monitoring of the service is required to avoid any potential threats to the payment environment within the COTS device.
In addition, the standards say that the PIN has to be isolated from other account data.
The council further advises confirming the integrity of the PIN entry application software, and protecting both the PIN and account data by using a Secure Card Reader-PIN (SCRP) approved by PCI SSC.
PCI SSC chief technology officer Troy Leach said: “Existing PCI PIN Standards require hardware-based security protection of the PIN.
“We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself.
“The PCI Software-Based PIN Entry Standard gives solution providers and application developers a baseline of security requirements specifically for accepting EMV contact and contactless transactions using software-based PIN entry.”