PCI Council Releases Standard For Software-Based PINs

The PCI Security Standards Council announced on Wednesday (Jan. 24) that it has released a new PCI security standard covering PIN entry.

In a press release, the group said the new PCI security standard covers software-based PIN entry on commercial off-the-shelf (COTS) devices, including smartphones and tablets. The standard, dubbed PCI Software-Based PIN Entry on COTS, sets security requirements for developing services that allow EMV-based contact and contactless purchases with a PIN on the merchant’s consumer device, relying on a secure PIN entry application and a Secure Card Reader for PIN.

“Mobile point-of-sale (mPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency. MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere. However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive,” said Aite Group Senior Analyst Ron van Wezel in the press release. “With the new PIN entry standard, the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost-efficient card reader connected to it, along with a secure PIN entry application. The payment industry will benefit overall from the wider choice in payment acceptance, as it will drive the growth of electronic transactions.”

According to the PCI Security Standards Council, key security requirements in the standard include actively monitoring the service, isolating the PIN from other account data, ensuring the software security of the PIN app and protecting the PIN and account data.

“The PCI Council has a long history of developing standards for protecting PIN as a verification method in hardware-based solutions. Existing PCI PIN Standards require hardware-based security protection of the PIN,” said PCI SSC Chief Technology Officer Troy Leach in the same press release. “We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself.”