PCI SSC publishes contactless data security standard

A new data security standard has been published by the PCI Security Standards Council (PCI SSC) which will enable merchants to use commercial off-the-shelf mobile devices with near-field communication (NFC) to accept contactless payments.

As a result of the PCI Contactless Payments on COTS (CPoC) program, vendors will now have the ability to provide merchants with ‘developed and lab-tested’ contactless acceptance solutions assured to protect payment data.

Emma Sutcliffe, PCI SSC Standards Officer, commented: “Providing the payments industry with standards and resources that support secure payment acceptance in new and emerging card and card-rooted payment channels is a key focus for the Council.

“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader.”

The standard includes a set of requirements for vendors covering both lab testing, through which solutions are evaluated under the supporting validation program, and security, which instructs the user on how to protect payment data.

The primary elements of the solution include:

  • A commercial off-the-shelf mobile device with an embedded NFC interface to read the payment card or payment device

  • A validated payment acceptance software application that runs on the merchant commercial off-the-shelf mobile device initiating a contactless transaction

  • Back-end systems that are independent from the commercial off-the-shelf mobile device and support monitoring, integrity checks and payment processing.

Troy Leach, PCI SSC Senior Vice President, added: “Contactless, or tap and go, payment adoption is on the rise globally, and merchants want affordable, flexible and safe options for contactless payment acceptance that allow them to best serve their customers.

“In addition to PCI Software-based PIN Entry on COTS (SPoC) Solutions that enable contactless payment acceptance with a dongle attached to the mobile COTS device, the PCI CPoC Standard and Program now provide merchants the option to use validated solutions that require no additional hardware to accept contactless transactions.

“Developed with the input of the global payments industry via the requests for comments process, the CPoC Standard is a continuation of the Council’s efforts to provide merchants with secure mobile payment acceptance options they can trust to support their customers and protect the integrity and confidentiality of their payment data.”

Ongoing monitoring and integrity checks by the back-end systems of the CPoC Solution have also been incorporated, allowing merchants and consumers to have confidence in the security of the processed contactless transactions.