PCI Council Releases Standard For Software-Based PINs

The PCI Security Standards Council announced on Wednesday (Jan. 24) that it has instituted a new PCI security standard covering PIN entry.

In a press release, the group said the new PCI security standard is for software-based PIN entry on commercial off-the-shelf (COTS) devices, including smartphones and tablets. The standard, dubbed PCI Software-Based PIN Entry on COTS, provides security requirements for developing services that allow EMV-based contact and contactless purchases with a PIN entered on the merchant’s consumer device, relying on a secure PIN entry application and a Secure Card Reader for PIN.

“Mobile point-of-sale (mPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency. MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere. However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive,” said Aite Group Senior Analyst Ron van Wezel in the press release. “With the new PIN entry standard, the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost-efficient card reader connected to it, along with a secure PIN entry application. The payment industry will benefit overall from the wider choice in payment acceptance, as it will drive the growth of electronic transactions.”

According to the PCI Security Standards Council, key security requirements in the standard include actively monitoring the service, isolating the PIN from other account data, ensuring the software security of the PIN app and protecting the PIN and account data.

“The PCI Council has a long history of developing standards for protecting PIN as a verification method in hardware-based solutions. Existing PCI PIN Standards require hardware-based security protection of the PIN,” said PCI SSC Chief Technology Officer Troy Leach in the same press release. “We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself.”
