Plans to Develop Security Standard for Payment Acceptance on Merchant COTS Devices

PCI SSC is in the beginning stages of developing a security standard for accepting contactless payments on a merchant’s commercial off-the-shelf (COTS) phone or tablet.

Here we talk with PCI SSC Chief Technology Officer Troy Leach to learn more about this new initiative.

Why is PCI SSC developing a standard for accepting contactless payments on a merchant’s COTS device?

Troy Leach: The role of PCI SSC is to evaluate all forms of payment transactions and identify security measures to protect the transaction. This includes identifying whether existing requirements within our standards are applicable to address the security and integrity of emerging technologies or whether more specific testing criteria are required. Based on industry feedback, we have determined that there would be benefit in developing a new standard specifically for securing solutions that enable a merchant’s COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader.

What will the standard address and who is it intended for?

Troy Leach: The aim is to develop security requirements for solutions that enable a merchant’s COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader by leveraging the native NFC capabilities inherent to a COTS phone or tablet. This includes specific criteria for how solution providers protect payment data within their offerings, as well as the test requirements for laboratories to demonstrate the effectiveness of that security.

We are still in the very early stages of the process, so the details of the standard are yet to be developed. We will be working with the industry over the next several months to determine the areas the standard needs to address and to build out the specific requirements accordingly.

What is the anticipated timeline for the development of the standard?

Troy Leach: PCI SSC began development of this standard in 2018. Timing of the standard’s publication will depend on the type of input and feedback we receive from the industry during the anticipated request for comments (RFC) periods. As this initiative progresses, we will keep stakeholders informed on the development process and these opportunities for providing feedback.

Originally posted by Laura K. Gray on PCI Security Standards Council here.