Norton Rose Fulbright - Data Protection Report blog

On January 24, 2018, the governing body for credit and debit cards, known as the Payment Card Industry (PCI) Security Standards Council, announced a new set of security requirements designed to address an increasingly popular way for merchants to let consumers pay for purchases:  smartphones and tablets.  Especially for smaller merchants, the ability to use a mobile point-of-sale solution offers flexibility, efficiency, and convenience—all enhancing the customer experience.

As of October 1, 2015, however, payment mechanisms became more complicated, as the United States began implementing a new credit card security standard called EMV.  (EMV is an acronym for EuroPay, MasterCard, and Visa.)  Retailers were presented with two ways to implement the new EMV standard: chip-and-PIN and chip-and-signature.  Chip-and-signature is closer to the way credit cards have previously been used in the U.S.: the cardholder inserts the card into the reader and then signs a pad or paper receipt.  In contrast, chip-and-PIN represents a more dramatic change for retail customers, although it is commonly used in many other countries around the world.  The chip-and-PIN process resembles an ATM transaction:  the cardholder inserts the card into the reader and then enters a PIN associated with that card.  That PIN is intended to be a form of authentication that the person using the card is the legitimate owner.  The combination of “something you have” (the card) plus “something you know” (the PIN) is designed to provide a higher level of security.  Smaller merchants may have found that the chip-and-PIN alternative, while attractive from a security and liability standpoint, was cost-prohibitive because of the need to invest in expensive new hardware.

Recognizing that issue, the PCI Security Standards Council has issued the new set of requirements for software-based PIN entry on devices like smartphones and tablets (referred to as “commercial off-the-shelf” devices, or “COTS”).  The key security point is to isolate the PIN from the other data, while using a new set of security controls extending beyond the physical hardware.  In other words, rather than a single piece of expensive hardware that captures both the cardholder data and the PIN, the new requirements call for software-based PIN entry on the merchant-provided COTS device, plus a separate physical card and chip reader that is connected to the COTS device.  That separate reader ideally will be more cost-effective for smaller merchants than current hardware alternatives, although the card reader and software solution will still need to be assessed for compliance with the PCI security standards.

These new standards are aimed at providing guidance to the solution providers that are designing both the PIN reader software to be used on the COTS device and the physical card readers.  The PCI Security Standards Council has indicated that, within the next month, it will issue testing processes for labs that will be evaluating the solutions against this new standard.  Thereafter, a listing of PCI-validated solutions will be available on the PCI Security Standards website for merchants to use.