January 26, 2018
The PCI Security Standards Council has issued a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf (COTS) devices such as smartphones and tablets.
The PCI Software-Based PIN Entry on COTS Standard provides requirements for developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant's COTS device, using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).
"Existing PCI PIN Standards require hardware-based security protection of the PIN," Troy Leach, PCI SSC chief technology officer, said in the release. "We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself. The PCI Software-Based PIN Entry Standard gives solution providers and application developers a baseline of security requirements specifically for accepting EMV contact and contactless transactions using software-based PIN entry."
Key security principles in the standard include:
The Software-Based PIN Entry on COTS Security Requirements are available on the PCI SSC website.
Requirements outlining testing processes for laboratories to use in evaluating solutions against the standard will be published in the next month, followed by a supporting program that will list PCI validated solutions on the PCI SSC website for merchant use.