Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

PCI Council Introduces New Standard for Mobile Card Payments

Responding to the market’s growing interest in, and use of, mobile payments, the PCI Security Standards Council (PCI SSC) has announced a new standard for software-based PIN entry on commercial off-the-shelf devices (COTS); such as smartphones and tablets.

Responding to the market’s growing interest in, and use of, mobile payments, the PCI Security Standards Council (PCI SSC) has announced a new standard for software-based PIN entry on commercial off-the-shelf devices (COTS); such as smartphones and tablets.

“Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency,” explained said Aite Group senior analyst Ron van Wezel. “MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere.”

The problem is the cost of hardware-based chip-and-pin can be prohibitive for small merchants in mobile situations.

“With the new PIN entry standard,” van Wezel continued, “the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application.”

The new standard has been in the pipeline since last summer. In a July 2017 blog post, PCI SSC CTO Troy Leach announced, “We are starting work on a new standard that specifically focuses on software-based PIN-entry on commercial off-the-shelf (COTS) devices, such as consumer-grade mobile phones or tablets.”

This is the standard (PDF) now announced. A separate document, Software-Based PIN Entry on COTS Test Requirements, will be published in the next month.

“With advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device,” said Leach in a new blog post  on Wednesday — adding that it was an alternative to, and not a replacement for, the existing PCI PIN Transaction Security Point of Interaction (PTS POI) standard.

There are five core principles to the new standard: isolation of PIN from other account data; ensuring the security of the PIN entry application on the COTS device; active security monitoring of the device; a secure card reader device to encrypt account data; and the restriction of transactions to EMV contact and contactless cards.

Advertisement. Scroll to continue reading.

Initial reaction from the security industry has been mixed; that is, it is a good basic idea, but with reservations.

“While the new PCI PIN requirements are a good idea,” Joseph Carson, chief security scientist at Thycotic told SecurityWeek, “this introduces increased risks as end to end security for PIN cannot be guaranteed. For example, credit card theft in Europe has been less impacted than credit card theft in the USA due to the PIN requirement — meaning that credit card fraud in Europe has been limited due to the PIN. The new requirements mean the risk of the PIN getting exposed is increased and the risk on cyberattacks against the merchants will also increase. The PIN has been protected up until now; however, this new standard is actually lowering that protection.”

Chris Morales, head of security analytics at Vectra Networks, has a different concern. “I have questions around how the PCI council intends for vendors to implement the required continuous monitoring for security threats,” he said. “Continuous monitoring could be a costly and time-consuming exercise only large vendors or the payment system supplier would be able to afford to implement correctly. I believe these will need to be vetted out with further review by the security community.”

Chris Roberts, chief security architect at Acalvio is also concerned about the monitoring aspect. “Monitoring and actually ‘doing’ anything about it are two different things. We’ve run afoul of that so many times in the past where companies are monitoring but are asleep at the wheel. It might be time for PCI to look at technologies that go beyond simply reacting.

“It’s good they have realized that payments are going mobile,” he added, “but it does feel as if they are in reactive mode as opposed to proactively looking at the marketplace and working with the vendors ahead of time to help shape the future as opposed to being part of the problem in ‘gatekeeping’.”

PCI SSC believes it has got the security right by isolating the PIN within the COTS device from the account identifying information. “This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN,” said Leach. “Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction.”

And it should be said that he has support. Sanjay Kalra, co-founder and chief product officer at Lacework, comments, “Businesses required to comply to PCI cover many industries — retail, hospitality, entertainment, healthcare, electronics and more — and are all rapidly being disrupted by mobile and cloud computing. They need to upgrade their payment processes to reflect the technology disruptions. This update to the PCI standard is welcome and will help organizations safely take advantage of new mobile technologies. Nobody should be surprised if similar changes come to regulations for the cloud.”

Related: PCI Security Standards Council Releases PCI DSS Version 3.2 

Related: PCI DSS 3.2: Third Party Service Providers, It’s Time to Step Up 

Related: PCI Council Updates Point-to-Point Encryption Standard 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.