Responding to the market’s growing interest in, and use of, mobile payments, the PCI Security Standards Council (PCI SSC) has announced a new standard for software-based PIN entry on commercial off-the-shelf devices (COTS); such as smartphones and tablets.
“Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency,” explained said Aite Group senior analyst Ron van Wezel. “MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere.”
The problem is the cost of hardware-based chip-and-pin can be prohibitive for small merchants in mobile situations.
“With the new PIN entry standard,” van Wezel continued, “the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application.”
The new standard has been in the pipeline since last summer. In a July 2017 blog post, PCI SSC CTO Troy Leach announced, “We are starting work on a new standard that specifically focuses on software-based PIN-entry on commercial off-the-shelf (COTS) devices, such as consumer-grade mobile phones or tablets.”
This is the standard (PDF) now announced. A separate document, Software-Based PIN Entry on COTS Test Requirements, will be published in the next month.
“With advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device,” said Leach in a new blog post on Wednesday — adding that it was an alternative to, and not a replacement for, the existing PCI PIN Transaction Security Point of Interaction (PTS POI) standard.
There are five core principles to the new standard: isolation of PIN from other account data; ensuring the security of the PIN entry application on the COTS device; active security monitoring of the device; a secure card reader device to encrypt account data; and the restriction of transactions to EMV contact and contactless cards.
Initial reaction from the security industry has been mixed; that is, it is a good basic idea, but with reservations.
“While the new PCI PIN requirements are a good idea,” Joseph Carson, chief security scientist at Thycotic told SecurityWeek, “this introduces increased risks as end to end security for PIN cannot be guaranteed. For example, credit card theft in Europe has been less impacted than credit card theft in the USA due to the PIN requirement — meaning that credit card fraud in Europe has been limited due to the PIN. The new requirements mean the risk of the PIN getting exposed is increased and the risk on cyberattacks against the merchants will also increase. The PIN has been protected up until now; however, this new standard is actually lowering that protection.”
Chris Morales, head of security analytics at Vectra Networks, has a different concern. “I have questions around how the PCI council intends for vendors to implement the required continuous monitoring for security threats,” he said. “Continuous monitoring could be a costly and time-consuming exercise only large vendors or the payment system supplier would be able to afford to implement correctly. I believe these will need to be vetted out with further review by the security community.”
Chris Roberts, chief security architect at Acalvio is also concerned about the monitoring aspect. “Monitoring and actually ‘doing’ anything about it are two different things. We’ve run afoul of that so many times in the past where companies are monitoring but are asleep at the wheel. It might be time for PCI to look at technologies that go beyond simply reacting.
“It’s good they have realized that payments are going mobile,” he added, “but it does feel as if they are in reactive mode as opposed to proactively looking at the marketplace and working with the vendors ahead of time to help shape the future as opposed to being part of the problem in ‘gatekeeping’.”
PCI SSC believes it has got the security right by isolating the PIN within the COTS device from the account identifying information. “This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN,” said Leach. “Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction.”
And it should be said that he has support. Sanjay Kalra, co-founder and chief product officer at Lacework, comments, “Businesses required to comply to PCI cover many industries — retail, hospitality, entertainment, healthcare, electronics and more — and are all rapidly being disrupted by mobile and cloud computing. They need to upgrade their payment processes to reflect the technology disruptions. This update to the PCI standard is welcome and will help organizations safely take advantage of new mobile technologies. Nobody should be surprised if similar changes come to regulations for the cloud.”