PCI SSC has published a new data security standard for accepting contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device with near-field communication (NFC).
The Contactless Payments on COTS (CPoC) standard enables contactless payment acceptance on a merchant COTS device using an embedded NFC reader.
PCI CPoC is a program to enhance global payment account data security; it helps merchants by enabling solution vendors to have their program evaluated against the PCI CPoC Standard.
“Providing the payments industry with standards and resources that support secure payment acceptance in the new and emerging card and card-rooted payment channels is a key focus for the Council,” said PCI SSC Standards Officer Emma Sutcliffe.
The purpose of PCI CPoC is to provide security and test requirements that enable contactless payment acceptance on a merchant COTS device via the embedded reader.
The CPoC Solution includes a COTS device with an embedded NFC interface to read the payment card or payment device.
“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader,” said PCI SSC Standards Officer Emma Sutcliffe.
CPoC Solution Security Requirements
The CPoC solution enables a cardholder to pay with a contactless-enabled card or device (e.g., wearable, phone, tablet) at a merchant using a COTS device and associated CPoC application for authorization of contactless chip-based card payment transactions.
On the COTS device, the NFC interface is typically controlled natively through the COTS operating system (OS). The security model calls for a set of protection mechanisms that span the NFC interface, COTS OS, and CPoC application.
“Developed with the input of the global payments industry via the requests for comments (RFC) process, the CPoC Standard is a continuation of the Council’s efforts to provide merchants with secure mobile payment acceptance options they can trust to support their customers and protect the integrity and confidentiality of their payment data,” added Leach.
With the combination of security controls built into the merchant application and ongoing monitoring and integrity checks performed by the back-end systems, merchants and consumers can have confidence in the security of the CPoC Solution and the contactless transaction.