New Data Security Standards Published for Contactless Payments

• New data security standards for contactless payments were published by the PCI Security Standards Council (PCI SSC).
• These standards enable the acceptance of contactless payments using a commercial off-the-shelf (COTS) mobile device with near-field communication (NFC).

The Payment Card Industry Security Standards Council (PCI SSC) provides standards to boost global payment account data security.

Understanding CPoC

The PCI Contactless Payments on COTS (CPoC) Standard and supporting validation program allows vendors to provide merchants with contactless acceptance solutions.

• These solutions have been specially designed and tested to secure payment data.
• With contactless payments as well as related cybercrime on the rise, these standards help merchants accept payments securely with no additional hardware.
• The standard outlines a few security requirements for vendors on protecting data, testing requirements, and evaluating solutions.

“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader,” said Emma Sutcliffe, PCI SSC Standards Officer.

Elements of a CPoC solution

A standard CPoC solution includes the following:

• COTS device with an embedded NFC interface to read payment card or device
• Validated payment acceptance software application that runs on the merchant COTS device to initiate a contactless transaction
• Back-end systems that are independent from the COTS device

CPoC solutions do not permit software-based PIN entry. The security element in these solutions is said to rely on elements such as attestation systems, back-end monitoring, software protection systems, and attestation component on COTS devices.