—PCI Contactless Payments on COTS (CPoC™) Standard Provides Security and Test Requirements for Solutions that Enable Contactless Payment Acceptance on Merchant Mobile Devices Using NFC—
WAKEFIELD, Mass.-Saturday 7 December 2019 [ AETOS Wire ]
View source version on businesswire.com: https://www.businesswire.com/news/home/20191204005591/en/
(BUSINESS WIRE) -- Today the PCI Security Standards Council (PCI SSC) published a new data security standard for solutions that enable merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device (e.g., smartphone or tablet) with near-field communication (NFC). Using the PCI Contactless Payments on COTS (CPoC™) Standard and supporting validation program, vendors can provide merchants with contactless acceptance solutions that have been developed and lab-tested to protect payment data.
“Providing the payments industry with standards and resources that support secure payment acceptance in new and emerging card and card-rooted payment channels is a key focus for the Council,” said PCI SSC Standards Officer Emma Sutcliffe. “The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader.”
“Contactless, or tap and go, payment adoption is on the rise globally, and merchants want affordable, flexible and safe options for contactless payment acceptance that allow them to best serve their customers. In addition to PCI Software-based PIN Entry on COTS (SPoC) Solutions that enable contactless payment acceptance with a dongle attached to the mobile COTS device, the PCI CPoC Standard and Program now provide merchants the option to use validated solutions that require no additional hardware to accept contactless transactions,” said PCI SSC Senior Vice President Troy Leach.
The PCI CPoC Standard includes security requirements for vendors on how to protect payment data in CPoC Solutions and test requirements for laboratories (labs) to evaluate these solutions through the supporting validation program. Validated CPoC Solutions are listed on the PCI SSC website as a resource for merchants and acquirers. Program details are outlined in the CPoC Program Guide, which is available now on the PCI SSC website.
The primary elements of a CPoC Solution include: a COTS device with an embedded NFC interface to read the payment card or payment device; a validated payment acceptance software application that runs on the merchant COTS device initiating a contactless transaction; and back-end systems that are independent from the COTS device and support monitoring, integrity checks and payment processing. Software-based PIN entry is not permitted in a CPoC Solution.
Through a combination of the security controls built into the merchant application and ongoing monitoring and integrity checks performed by the back-end systems, merchants and consumers can have confidence in the security of the CPoC Solution and the contactless transaction.
“Developed with the input of the global payments industry via the requests for comments (RFC) process, the CPoC Standard is a continuation of the Council’s efforts to provide merchants with secure mobile payment acceptance options they can trust to support their customers and protect the integrity and confidentiality of their payment data,” added Leach.
The PCI CPoC Standard and Program documents are available on the PCI SSC website.
For more information on the new CPoC Standard and Program, read the PCI Perspectives Blog post Just Published: PCI Contactless Payments on COTS.
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.
Contacts
Mark Meissner
PCI Security Standards Council
+1-202-744-8557
press@pcisecuritystandards.org
Twitter @PCISSC