FAQs & Webinar Recording for 'PCI PIN on COTS - The Changing Face of POS'
Andrew Jamieson recently hosted a webinar on the new PCI PIN on COTS standard, and here are all the questions that were asked during the webinar, along with the answers.
- Who is responsible for the monitoring?
The solution provider holds the ultimate responsibility for the monitoring. However, this may be implemented through a number of technological methods and through different business relationships.
- This is regarding the enablement token - can a SPoC solution be switched off for a week and then switched back online to accept transactions? This would be relevant to merchants that only operate on weekends.
The enablement token system allows for the SPoC devices to be inactive for some arbitrary period. During this time, their enablement token will expire, but they will be issued with 'new' tokens once the PIN CVM application is restarted and the monitor has determined that the system still appears to be in an unmodified and untampered state.
- When will SPoC be required for MPOS-based systems?
It is not expected that SPoC compliance will be mandated any time soon - certainly not within the next few years - if ever. At the moment, SPoC is one of a number of methods that a vendor or market may take to allow for the acceptance of PIN based transactions. It is not intended to replace any of the other methods, just to augment those that already exist.
However, if the question is "Will SPoC compliance be mandated for solutions that accept PIN on mobile COTS devices?", that is likely to occur, but it is up to the individual payment brands.
- PIN entry devices mostly deal with contact cards. With the increased push for contactless and mobile payment by the major brands, would the market for PIN entry devices decrease in demand?
It is likely that the global use of PINs will decline over time as a percentage of transactions, as solutions are implemented which have the ability to accept transactions with no-CVM - such as low value contactless - as well as solutions which implement different CVM methods such as biometrics. However, PINs are expected to be around for some time yet, so it's unlikely that the demand for PIN entry solutions will decline, but that they will be actually used for PIN transactions for a smaller percentage of the time.
- Are there specific requirements about where the SPoC AES PIN key must be generated and stored?
I recommend that you refer to the SPoC Testing Requirements for further details. There are no specific implementations mandated, but secure methods for random number generation and the secure storage of keys are required.
- If an Acquirer or a Payment Gateway wants to deploy SPoC, are the payment brands ready?
Payment brands are expected to be working on SPoC ready programs now.
- Is there a vendor that can "install" a SPoC solution?
No, the solutions are targeted at smaller merchants and so they can install them on their own by downloading the vendor application through the respective app store of their COTS OS.
- Are there operating system limitations for this solution? Does SPoC work for COTS devices supporting iOS, Android and Windows operating systems?
There are no mandates for specific OS support in the PCI PIN on COTS standard, so any of these may be implemented if they meet the minimum security requirements.
- Does the standard cover use cases where a COTS device is used (without an SCRP) to read EMV chip data through NFC?
The PCI SPoC requirements forbid the use of the internal NFC interface of the COTS device for capture of card data. This is because one of the primary tenets of the SPoC security model is the separation of the customer card data from the customer PIN, so card data must be captured and collected on the external SCRP device.
- Is 'physical tamper protection' required for SCRP design? In terms of design, what main hardware and mechanical features are required?
Yes, physical tamper protection is required for an SCRP. Indeed, this is in some ways required to exceed the physical requirements of a 'normal' SCR that is approved under the PCI PTS requirements.
- Why can't it be applied to an unattended system?
The threat landscape for an unattended device is quite different, and includes a much greater risk of physical attack. Because COTS devices are not tamper responsive, it is considered too much of a risk to have SPoC solutions deployed in an unattended environment.
- What evidence is required to prove security if a scheme other than 'whitebox' security is presented?
For both whitebox and other security methods implemented - either for protection of cryptographic keys, or for protection of the PIN CVM application itself - the SPoC lab is required to evaluate and quantify the security provided. This is similar to how physical attacks are tested and quantified in the PCI PTS testing.
- How must SCRP be connected to COTS? Can they interface over a wireless network?
There are no mandates for how an SCRP may interface to the COTS device, beyond the fact that the interface must be secure. So, it can use (recent and known-secure) wireless interfaces, or a physical interface.
- Who are the SPoC solution providers in market today?
As of May 2018, there are no approved SPoC solutions, as the standard has only just been released and there are no approved SPoC labs to evaluate solutions yet.
- When will UL be available to test PIN on COTS applications? I've heard that the labs aren't certified yet.
There are no approved SPoC labs as of May 2018, but UL expects the approved lab list to be posted in the next few months, and for UL to be included in this round of approved labs. From this time, UL will be able to evaluate SPoC solutions. However, if you are working on a SPoC solution now, I strongly recommend you get in touch now as development is likely to take longer than the lab approval process, and we can help you avoid mistakes early in the design that may have considerable time/money costs to fix if only identified later in the process.
- Will domestic payment schemes like EFTPOS support this?
It is up to each domestic payment scheme to determine suitability for the use of SPoC solutions in their environment, but I do expect that most will decide that SPoC is acceptable with the possibility of some additional caveats.
- What do MNO, TEE and DESV mean?
MNO = Mobile Network Operator - the company that operates the mobile phone network.
TEE = Trusted Execution Environment - a separate operating environment that exists on some devices that is used to protect sensitive data, and secure the execution of sensitive functions.
DESV = Designated Entity Supplemental Validation - additional requirements that may be applied to a company above and beyond the 'normal' PCI DSS requirements. Contained in Appendix A3 in PCI DSS v3.2.
- Why is SCRP needed?
The requirement protects the key management used to secure the PIN to the Acquirer, ensuring that the 'traditional' key management practices can be implemented, and ensuring security of the PIN outside the immediate environment of the COTS system.
- What are the advantages of SPoC compared to MPOS?
In regards to a 'traditional' MPOS device that may include PIN entry and be approved to PCI PTS, SPoC is simply another method to allow for PIN entry. The hardware of an SCRP may be less expensive than a 'traditional' MPOS due to the lack of keypad, and may indeed be less prone to failure (if a contactless only interface, it may have no moving parts at all).
- How will I recognize a fraudulent SPoC device and/or Secure PIN Entry application, before I enter my PIN?
Details on the SPoC application will be contained in a Security Policy on the PCI website, the same way that pictures of PIN entry terminals are provided on the PCI website. Of course, it is reasonable to expect that customers will not check this themselves, so there is no real way to identify a SPoC assessed and compliant application from any other application. However, this is no different from 'traditional' PIN entry terminals, where there is no way to tell if a device is PTS approved or not - and indeed there are some PTS approved terminals which are visually very similar to COTS tablets and phones.
To combat this concern, PCI SPoC only works with chip based transactions, so that customers can be educated to never use their magnetic stripe card with PIN entry on such a system.
- Are there developments that would allow us to avoid having a separate hardware device?
At this stage, the requirements are very firm that SPoC systems must use an approved SCRP, and there is no ability to have a compliant solution that uses the internal NFC interface of a COTS device.
- Is the 'enablement' token identical to a secure 'session'? Can we execute multiple transactions within a secure session?
The enablement token is different from a secure session. The token is like a 'watchdog' timer that must be regularly reset to allow the continued operation of the SCRP. Certainly it is possible to have multiple transactions within one secure session, and within the operational window provided by one enablement token.
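To make the 'watchdog' behaviour described in this answer and in the earlier answer about switching a solution off for a week concrete, here is an added toy model of an enablement token. It is not code from the webinar, from UL, or from the PCI standard: the token format, the HMAC-based signing, the 60-second lifetime and the fixed known-good state hash are all assumptions made for illustration, and a real solution provider's key management and attestation will differ. What it shows is the shape of the mechanism: many transactions fit inside one token window, an expired token refuses transactions, a restart that re-attests an unmodified state obtains a new token, and a modified application never gets enabled.

```python
"""Toy model of the SPoC enablement-token 'watchdog' (illustrative only)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical constants for this model, not values from the PCI standard.
MONITOR_KEY = b"monitor-demo-key-not-for-production"   # assumed monitor secret
TOKEN_LIFETIME_S = 60                                   # assumed token validity window
KNOWN_GOOD_STATE = hashlib.sha256(b"pin-cvm-app-v1.0-unmodified").hexdigest()


@dataclass(frozen=True)
class EnablementToken:
    device_id: str
    issued_at: int
    expires_at: int
    tag: str   # HMAC over the other fields, produced by the monitor

    def payload(self) -> bytes:
        fields = {"device_id": self.device_id, "issued_at": self.issued_at,
                  "expires_at": self.expires_at}
        return json.dumps(fields, sort_keys=True).encode()


def sign(payload: bytes) -> str:
    """Monitor-side MAC; a real solution would use its own key management."""
    return hmac.new(MONITOR_KEY, payload, hashlib.sha256).hexdigest()


class Monitor:
    """Back-end monitoring service run by (or for) the solution provider."""

    def issue_token(self, device_id: str, state_hash: str, now: int):
        # Only an application attesting the known-good state gets enabled.
        if not hmac.compare_digest(state_hash, KNOWN_GOOD_STATE):
            return None
        unsigned = EnablementToken(device_id, now, now + TOKEN_LIFETIME_S, "")
        return EnablementToken(device_id, now, now + TOKEN_LIFETIME_S,
                               sign(unsigned.payload()))


class PinCvmApp:
    """PIN CVM application on the merchant's COTS device."""

    def __init__(self, device_id: str, monitor: Monitor, state_hash: str):
        self.device_id, self.monitor, self.state_hash = device_id, monitor, state_hash
        self.token = None

    def start(self, now: int) -> bool:
        """(Re)start: attest current state to the monitor and request a token."""
        self.token = self.monitor.issue_token(self.device_id, self.state_hash, now)
        return self.token is not None

    def token_valid(self, now: int) -> bool:
        t = self.token
        if t is None or t.device_id != self.device_id:
            return False
        if not hmac.compare_digest(t.tag, sign(t.payload())):   # forged/altered token
            return False
        return t.issued_at <= now < t.expires_at                # watchdog not expired

    def pin_transaction(self, now: int) -> str:
        """Any number of transactions may run while the current token is valid."""
        return "accepted" if self.token_valid(now) else "refused"


def weekend_merchant_timeline() -> list:
    """Walk through the 'switched off for a week' scenario as (label, result) pairs."""
    monitor = Monitor()
    app = PinCvmApp("cots-0001", monitor, KNOWN_GOOD_STATE)
    events = [("start day 0", app.start(now=0)),
              ("txn t=1", app.pin_transaction(1)),
              ("txn t=59", app.pin_transaction(59)),    # same token, same window
              ("txn t=61", app.pin_transaction(61))]    # token expired: refused
    week = 7 * 24 * 3600
    events.append(("restart after a week", app.start(now=week)))   # re-attest, new token
    events.append(("txn after restart", app.pin_transaction(week + 5)))
    # A modified application fails attestation and is never enabled.
    tampered = PinCvmApp("cots-0002", monitor, hashlib.sha256(b"modified").hexdigest())
    events.append(("tampered start", tampered.start(now=week)))
    events.append(("tampered txn", tampered.pin_transaction(week + 1)))
    return events


if __name__ == "__main__":
    for label, result in weekend_merchant_timeline():
        print(f"{label:22s} -> {result}")
```

The important property to notice is that the application can never extend its own window: only the monitor holds the signing key, so a token that has expired, or one the application has altered, fails verification and transactions are refused until a fresh attestation succeeds.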
- Who runs the PIN CVM application?
The PIN CVM application is executed on the merchant COTS device, not the customer's device.
- Will 'tap on phone' be based on a complete new standard?
Yes, PCI SPoC is not intended to address 'tap on phone' transactions, which use the internal NFC interface of the COTS device.
- Can you give examples of merchants who would be especially interested in a SPoC solution?
It is expected that such solutions would be generally implemented by smaller merchants - such as tradespeople, market stall operators, and smaller businesses such as cafes.
- Is the SPoC solution related to a specific SCRP?
A SPoC PIN CVM application may support multiple SCRP devices, but each must be approved and tested with the SPoC application to ensure that there is a compliant and secure coupling between the systems.
- What kind of keys are used by COTS for PIN encryption and who provides the key?
The key management between the COTS device, the SCRP, and the monitor is expected to be different for each SPoC implementation based on the design of the SPoC solution provider. However, the cryptographic key that is used to encrypt the PIN from the COTS device to the SCRP must be an AES key.
- When will UL accept evaluation requests?
UL can assist vendors with their implementations right now!
- Can the SCRP be operating in a mobile phone device?
There are no current requirements that prevent the integration of the SCRP into the COTS platform, as long as it meets the requirements for a PCI PTS compliant SCRP.
- Which SPoC component manages/supports the dialog with chip application according to the EMV flow's scenario?
The SCRP is responsible for the EMV transaction flow.
- Currently the list of certified SCRP devices at PCI Council website is empty. What is your prognosis for SCRP market extending?
As of May 2018, there are no listed SPoC solutions because this is a brand new program. I expect there to be a lot of interest moving forward, and for multiple solutions to be listed prior to year end.
- If SCRP is the device directly connected to the acquirer bank, how will the encryption key (i.e. DUKPT) on PIN block synchronize between the SCRP and the bank? Will it operate in the same way as today's PIN PAD device?
Key management from the SCRP to the acquirer is performed as per usual practices with that acquirer.