FAQs and Webinar Recording - What's the cost of COTS?

The payments industry is undergoing a period of rapid change, with the introduction of programs like PCI Software PIN on COTS (SPoC) and the Tap on COTS programs by card brands (with an upcoming PCI standard as well) changing how we accept card-present payments.

This webinar will investigate both the technical and business aspects of COTS payment, looking at new developments like the (potential) allowance for magnetic stripe readers, and the application of security features within common COTS systems such as StrongBox and SafetyNet. Business considerations for deployment and use of COTS solutions will be examined, focusing on the difference in up-front and ongoing costs between regular POI terminals and COTS-based platforms.

Here are the questions that webinar attendees asked and the answers from our presenter, Andrew Jamieson, Technology & Security Director.

  1. Prior to SPOC/SCRP PCI rules, mPOS devices were physically secured and supported MSR/Chip/NFC and PIN. mPOS does not require SPOC (monitoring and attestation system). What's the value proposition to do COTS+SPOC+SCRP versus COTS+mPOS?

    mPOS is a subordinate part of 'traditional' terminals, where the terminal is attached to a mobile phone rather than a landline or physical network. Therefore, the comparison between mPOS and COTS payments is similar - COTS can provide reduced cost of the physical device (for example, with no keypad and associated security), or even with no physical device at all in the case of contactless.

    However, there is an increased cost for the attestation/monitoring system with COTS solutions, which can be too expensive unless you have a large installed base you are targeting.

  2. How many systems or vendors have been approved under the SPOC requirements?

    At the time of this webinar, there are no vendors who have been approved to PCI SPoC.

  3. What do you think about CVM apps provided as SDKs to third parties such as large merchants?

    An approach to try to abstract the whole 'solution provider' approval requirement for PCI SPoC is not uncommon, as many do see the need to provide 'white-labeled' solutions in one form or another. However, there are complexities in how that works, with regard to the integration of the different aspects of the overall solution, and the application of the monitoring backend.

    Expect to see future versions of COTS standards look to address these issues, as the solutions in the market mature - similar to how this occurred with the PCI P2PE requirements.