What is included in the mPOS security standard from PCI SSC?

2022-06-30 08:55:19 By : Mr. Jason Chen

The PCI Security Standards Council published new security requirements for mobile point-of-sale systems. What is included in the new set of requirements, and what POS threats do they address?

Mobile point-of-sale (mPOS) systems are mobile devices, such as smartphones or tablets, that act as digital cash registers and are used to replace or supplement a traditional electronic point-of-sale (EPOS) system. mPOS systems are cheaper to implement than traditional EPOS systems, yet still provide payment security and fast transaction processing, relying on software-based controls to secure the transaction and PIN data.

However, the Payment Card Industry Security Standards Council (PCI SSC) and other security experts have had concerns about whether an mPOS system can meet the same strict hardware standards to which traditional, purpose-built and independently tested merchant credit card terminals must adhere.

The PCI PIN Transaction Security Point of Interaction (PTS POI) standard exists for hardware-based devices that accept PINs, and it ensures the confidentiality, integrity and availability of the PIN data. There is clearly a need for an mPOS security standard that addresses the risks associated with a mobile payment acceptance system where the cardholder's PIN is verified on a commercial off-the-shelf (COTS) device.

Therefore, the PCI SSC is introducing the PCI Software-Based PIN Entry on COTS (SPoC) standard, which has many similarities to the PTS POI standard -- such as security being built into the design -- and provides a security risk framework to protect the confidentiality and integrity of sensitive payment information captured and processed on a PIN cardholder verification system.

The mPOS security standard focuses on five core principles:

One difference between the two standards is that acceptance and security controls are contained within the physical boundaries of the device for the PTS POI standard, whereas the mPOS security standard introduces a different set of security controls to mitigate the risks associated with a software-centric solution that doesn't have a dedicated, hardware-based, electronic PIN pad.

Possibly the most important control is that the primary account number (PAN) should never be entered on the mobile device with the PIN. The PIN must be captured by a Secure Card Reader-PIN (SCRP) attached to the COTS device that encrypts the contact or contactless transaction. This isolates the PIN within the COTS device from the account-identifying information, the objective being to prevent a correlation attack, in which an attacker obtains enough payment metadata from different parts of the payment system to make fraudulent transactions.

To further protect the PIN, an active monitoring system must check for anomalies in the COTS environment, as well as the integrity of the other components within the solution to ensure it has not been manipulated or compromised.
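The two controls just described, the separation of PIN from account data and the attestation gate on PIN entry, are modelled below as an added illustration; this is not PCI SSC or vendor code. The component names, baseline hashes, keys and the SHA-256 keystream stand-in for the real cipher are all constructed for the example.

```python
"""Model of the SPoC flow: the reader encrypts account data, the COTS app
encrypts the PIN only while attestation passes, and the two ciphertexts
are first joined at the back end. Constructed illustration, not PCI SSC code."""
import hashlib
import hmac

# Constructed baseline the active monitoring system holds for the PIN CVM app.
KNOWN_GOOD = {"pin_cvm_app": hashlib.sha256(b"pin_cvm_app build 1 (constructed)").hexdigest()}
# Constructed keys: each lives in exactly one place (reader, PIN processing back end).
SCRP_KEY = b"scrp-key-constructed-0001"
PIN_KEY = b"pin-key-constructed-0001"


def attestation_ok(observed):
    """Each monitored component must hash to its baseline; nothing missing or extra."""
    if set(observed) != set(KNOWN_GOOD):
        return False
    return all(hmac.compare_digest(hashlib.sha256(blob).hexdigest(), KNOWN_GOOD[name])
               for name, blob in observed.items())


def keystream_xor(data, key, label):
    """Stand-in for the real cipher: SHA-256 keystream, domain-separated by label."""
    ks = b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def scrp_read_card(pan):
    """Runs inside the SCRP: account data leaves the reader only encrypted."""
    return keystream_xor(pan.encode(), SCRP_KEY, b"pan")


def cots_pin_entry(pin, observed_components):
    """Runs in the COTS app: refuses PIN entry unless the environment attests clean."""
    if not attestation_ok(observed_components):
        raise PermissionError("attestation failed: PIN entry disabled")
    return keystream_xor(pin.encode(), PIN_KEY, b"pin")


def device_message(pan, pin, observed_components):
    """What the COTS device forwards: ciphertext from two sources, never a plaintext pair."""
    return {"enc_pan": scrp_read_card(pan), "enc_pin": cots_pin_entry(pin, observed_components)}


def backend_join(msg):
    """Only the back end holds both keys, so PAN and PIN first meet here."""
    pan = keystream_xor(msg["enc_pan"], SCRP_KEY, b"pan").decode()
    pin = keystream_xor(msg["enc_pin"], PIN_KEY, b"pin").decode()
    return pan, pin
```

A tampered or unexpected component makes `attestation_ok` return False, so `device_message` raises before any PIN is accepted, which is the behaviour the monitoring requirement asks for.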

The validation program is still being finalized, but once it's available later in 2018, providers can submit their full SPoC system for evaluation. The final reports will be submitted to the PCI SSC to be validated and listed on its website.

This new mPOS security standard means merchants will have a wider choice of payment acceptance systems, though SPoC is only permitted for contact and contactless EMV chip transactions processed online; offline payment transactions are prohibited.
