New PCI SSC Guidance on Software-based PIN Entry on COTS


The PCI SSC released new guidance on software-based PIN entry on commercial off-the-shelf (COTS) devices on January 24, 2018. As more organizations move toward using mobile phones and other COTS devices to accept and process payment cards, the need for secure and compliant solutions grows.

Although you may see devices like Square readers on the list of PTS (PIN Transaction Security) approved devices, the approved reader itself is not the problem: it is the mobile application running on the COTS device that puts many organizations in a non-compliant state. When staff can manually key in cardholder data, or a customer types a PIN directly on the COTS device, the security of that mobile device is in scope for PCI compliance. Just as with general-purpose workstations, a COTS device that also has access to the Internet, Facebook and so on must be properly secured, along with its network, in order to comply with the PCI DSS.

The intent behind this new guidance is to set out requirements for developers creating solutions that let merchants securely accept PIN-based payments with the PIN entered on the COTS device itself. It addresses only the case where the cardholder enters the PIN, and it requires a secure, EMV-only card reader. The reader encrypts the primary account number (PAN) as it is read from the chip, so the PAN never enters the COTS device in clear text. The PIN is likewise encrypted in software as soon as it is entered on the touchscreen.

The key objective is to isolate the PIN, at all times, from any account-identifying data (the PAN and other data read from the EMV chip). The standard defines the components a solution must include and also sets requirements for actively monitoring the software application and protecting against threats to the payment environment. Vendors can now use it to design and develop secure solutions, and the PCI SSC plans to launch a program later this year to validate and list such solutions, similar to the list of validated P2PE solutions.

Additional commentary from our Security Advisor team:

[Ko]: To quote the ancient Chinese philosopher Laozi, “A journey of a thousand miles begins with a single step.” The PCI SSC has taken a step in the right direction in bringing clear guidance on what mobile payment application developers need to do to make mobile payment acceptance easier to use and validate as PCI DSS compliant.

I’d be lying if I didn’t admit that I was disappointed that this new guidance didn’t also provide guidance on securing EXISTING mobile payment application technology, but I can certainly understand that with the horse out of the barn, so to speak, it would be difficult to retrofit security solutions to existing deployments.

Stay tuned to this channel, as, now that there is a defined standard, developers will be working overtime to get compatible solutions to market quickly. If you need a solution now, there are PCI-listed P2PE vendors that offer mobile payment solutions today.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.