PCI Security Standards Council (PCI SSC) has released a new standard for data security of solutions that accept contactless payments.
The standard is for solutions based on commercial off-the-shelf (COTS) mobile devices with near-field communication (NFC).
Vendors can refer to the PCI Contactless Payments on COTS (CPoC) Standard for security requirements to protect payment data. Test requirements for laboratories to assess the CPoC solutions are available via the supporting validation programme.
PCI SSC will publish the validated solutions on its website as a source for merchants and acquirers.
How it works
A CPoC solution consists of a COTS device featuring an NFC interface to read the payment card or device. It also comes with validated payment acceptance software for use on the merchant COTS device to start a contactless payment.
In addition, back-end systems for monitoring, integrity checks and payment processing are available. A CPoC solution does not allow software-based PIN entry.
The security controls in the merchant application and the back-end checks ensure the safety of the CPoC solution and contactless transaction, said PCI Council.
PCI SSC senior vice-president, Troy Leach, said: “Contactless, or tap and go, payment adoption is on the rise globally, and merchants want affordable, flexible and safe options for contactless payment acceptance that allow them to best serve their customers.
“Developed with the input of the global payments industry via the requests for comments (RFC) process, the CPoC Standard is a continuation of the Council’s efforts to provide merchants with secure mobile payment acceptance options they can trust to support their customers and protect the integrity and confidentiality of their payment data.”