maxkabakov - Fotolia

What is included in the mPOS security standard from PCI SSC?

The PCI SSC developed an mPOS security standard to improve mobile payment and PIN systems. Expert Michael Cobb looks at what the requirements are and how they help.

The PCI Security Standards Council published new security requirements for mobile point-of-sale systems. What is included in the new set of requirements, and what POS threats do they address?

Mobile point-of-sale systems (mPOS) are mobile devices, such as smartphones or tablets, that act as digital cash registers and are used as a replacement or add-on for a traditional electronic point-of-sale (EPOS) system. The mPOS systems are cheaper to implement than traditional EPOS systems, yet still provide payment security and fast transaction processing, relying on software-based controls to ensure the security of the transaction and PIN data.

However, the Payment Card Industry Security Standards Council (PCI SSC) and other security experts have had concerns over an mPOS' ability to match the same strict hardware standards to which traditional, purpose-built and independently tested merchants' credit card terminals must adhere.

The PCI PIN Transaction Security Point of Interaction (PTS POI) standard exists for hardware-based devices that accept PINs, and it ensures the confidentiality, integrity and availability of the PIN data. There is clearly a need for an mPOS security standard that addresses the risks associated with a mobile payment acceptance system where the cardholder's PIN is verified on a commercial off-the-shelf (COTS) device.

Therefore, the PCI SSC is introducing the PCI Software-Based PIN Entry on COTS (SPoC) standard, which has many similarities to the PTS POI standard -- such as security being built into the design -- and provides a security risk framework to protect the confidentiality and integrity of sensitive payment information captured and processed on a PIN cardholder verification system.

The mPOS security standard focuses on five core principles:

  1. isolate the PIN from other account data;
  2. ensure the software security and integrity of the PIN entry application on the COTS device;
  3. actively monitor the service to mitigate potential threats to the payment environment within the phone or tablet;
  4. require Secure Card Reader for PIN (SCRP) to encrypt and maintain the confidentiality of account data; and
  5. restrict transactions to EMV chip contact and contactless cards.

One difference between the two standards is that acceptance and security controls are contained within the physical boundaries of the device for the PTS POI standard, whereas the mPOS security standard introduces a different set of security controls to mitigate the risks associated with a software-centric solution that doesn't have a dedicated, hardware-based, electronic PIN pad.

Possibly the most important control is that the primary account number should never be entered on the mobile device with the PIN. The PIN must be captured by an SCRP attached to the COTS device that encrypts the contact or contactless transaction. This isolates the PIN within the COTS device from the account identifying information, the objective being to prevent the possibility of a correlation attack, in which an attacker can obtain enough payment metadata from different parts of the payment system to make fraudulent transactions.

To further protect the PIN, an active monitoring system must check for anomalies in the COTS environment, as well as the integrity of the other components within the solution to ensure it has not been manipulated or compromised.

The validation program is still being finalized, but once it's available later in 2018, providers can submit their full SPoC system for evaluation. The final reports will be submitted to the PCI SSC to be validated and listed on its website.

This new mPOS security standard means merchants will have a wider choice of payment acceptance systems, though SPoC is only permitted for contact and contactless EMV chip transactions processed online; offline payment transactions are prohibited.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing