Crossbow Labs

Decoding The PCI CPoC Standard


Part 1: Getting Started on CPoC

Introduction

Adopting emerging technologies for a better and easier user experience is necessary, but as always, new use cases walk hand-in-hand with new security threats.

In the field of payment security, mobile-based payments have always been a hot topic of discussion. With the need to go contactless, NFC-based payments on mobile phones are leading the way.

In a typical NFC-based payment ecosystem, an NFC-enabled payment card or an NFC device is tapped on NFC receiver hardware. This removes the need to swipe the card, which is the traditional method of payment; hence the term “Tap & Go”.

PCI CPoC

Merchants increasingly prefer NFC-based payment devices, as they are a cost-effective option compared to procuring dedicated hardware for a traditional PED / POS device.

With NFC-based systems, merchants simply download the application on their NFC-enabled mobile phones and can accept payments as soon as it is set up. The process is as easy in practice as it is on paper.

The PCI Council saw this upcoming trend and identified the need to secure cardholder data and payment data. The Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™) standard was released by the PCI Security Standards Council (SSC) in December 2019.

The purpose of the standard is to provide a set of principles and baseline requirements for a mobile contactless payment acceptance solution, where the contactless read functions are performed using the NFC interface embedded in a COTS (Commercial Off-The-Shelf) device, e.g., a smartphone or tablet.

Descoping PIN Entry

PCI SSC’s stance on PIN entry / PIN translation devices remains the same: only PCI PTS approved hardware devices may be used for PIN translation or PIN block encryption at the point of sale.

For PIN entry on COTS, PCI SSC has developed a different standard called ‘Software-Based PIN Entry on COTS Security Requirements’.

Though the CPoC standard allows a PIN to be entered on the mobile device, it mandates that PIN entry be performed on a PTS approved device so that the security of payment and cardholder data is not compromised. To avoid confusion, and the hassle of carrying another PCI PTS compliant device for PIN translation in an NFC-based payment scenario, the CPoC standard does not allow PIN-based transactions. It restricts its coverage to NFC-based card transactions that work on “Tap & Go” without any PIN being entered.

The components of a CPoC solution and an overview of the requirements of the PCI CPoC standard will be discussed in Part 2 and Part 3 of this series.