Earlier this month, the PCI Security Standards Council released a new security standard that allows for PIN entry on commercial off-the-shelf (COTS) devices, such as the smartphone in your pocket or the tablet on your desk right now. Called Software-Based PIN Entry (SPoC), the standard (which you can read for yourself) has some interesting components that are useful to understand.
First, the standard relies on another device to capture the PIN, in this case the COTS device. The EMV transaction occurs via a secure card reader (i.e. a dongle) attached to the COTS device through its audio jack or via Bluetooth. All cardholder data is taken in via the dongle and is encrypted, as is the industry norm these days.
In PCI’s words: “The security requirements are for solution providers to use in developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).” This level of hardware security is not unlike that of current payment devices that have P2PE built in. The result is a highly secure transaction.
Another important part of the specification has to do with the COTS devices themselves and their integrity. If off-the-shelf devices are going to be used for secure transactions, the standard requires that safety measures are in place to ensure the device hasn’t been tampered with. For example, jailbroken or rooted devices won’t be allowed because, at that point, there’s less of a guarantee that the device doesn’t have malicious code at work in the background. Externally based device attestation is an important feature of the standard, bringing an extra level of security to the device.
Anything that enables us to create a safer payments environment using EMV is a good thing. Indeed, for the ISVs, ISOs, or merchants who haven’t yet delivered EMV to their customer bases, the concept of a low-cost COTS device should be very appealing and most likely increase EMV adoption. We expect that this new standard could be just what the US market — especially among SME laggards — needs to complete its migration to EMV.
Even though this standard was just released, you might be wondering when the PCI Council and industry at large will have enough confidence to side-step a secure card reader/dongle and just use contactless only. Creditcall has a proof-of-concept project whereby we’ve turned an NFC-enabled Android phone into a contactless-only terminal, thus removing the need for a secure dongle. Unfortunately, there are some complexities that must be addressed.
When it comes to EMV certification of such a payment solution, you need: Level 1, which tests the electrical and physical interfaces, and the transmission of data, between the payment terminal and the card; Level 2, which covers the "kernel" software that processes and validates the data exchanged with the card using the Level 1-certified device; and Level 3 which is the certification with the various acquiring processors such as First Data, Elavon or Worldpay for the individual card brands such as Visa, Mastercard, Discover or Union Pay International. The Level 1 and Level 2 certifications ensure that payment device manufacturers have the necessary hardware and software on their payment device to meet the EMV standards.
Level 2 and Level 3 are easy enough to do. The issue is with Level 1: this certification is tied to a particular combination of hardware and antenna. With so many different NFC chipsets, the certification process becomes extremely complicated and would result in a myriad of different certifications. Still, it’s safe to assume that at some point EMVCo and the industry will figure out how to make it work in a manageable way.
For now, PIN-on-COTS is good for the consumer and great for the US payments market still seeking to complete its EMV migration. At Creditcall, we feel we’re well ahead of the curve concerning this standard as we’ve been looking at this for some time now and we’re ready to work with solution providers to deliver these solutions to their customers.