Mobile Secure Payment Requirements

SpoC Testing Overview

03 September 2019

A big change in payment security is upon us. The PCI Security Standards Council, which oversees the development, enhancement, storage, dissemination and implementation of security standards for account data protection, has released a new and exciting standard that tackles the everchanging landscape of mobile payment. With the introduction of Software PIN on COTS (SPoC), PCI SSC is remapping the way mobile secure payments will look in the future. SPoC is only the beginning, as upcoming standards, such as Contactless Payment on COTS (CPoC), as well as a replacement to PA-DSS are all inbound.

So, what is SPoC?

The SPoC standard outlines the use case where a customer can perform PIN entry directly onto a merchant's Commercial-Off-The-Shelf touch screen smartphone or tablet. This could provide merchants with a more cost-effective way to accept EMV Chip & PIN payments while offering SPoC solution providers another path to expand on their secure payment offerings.

How will SPoC Protect My Data?

The SPoC standard is a departure from the traditional PCI PIN Terminal Security (PTS) program in that qualified SPoC test laboratories will be testing a holistic solution rather than an individual hardware-based component. SPoC brings together PCI SSC's key standards such as the Data Security Standard (DSS), PTS, and PCI PIN to ensure that all cardholder data is protected throughout the whole transaction lifecycle. A SPoC solution must include the following parts:

  • A PTS approved Secure Card Reader for PIN (SCRP) device
    • This device must include either or both a contactless/contact ICC interface and optionally an MSR interface
    • As of May 2019, Magnetic Stripe Reader (MSR) interfaces will be allows are part of a SPoC solution as governed by the SPoC MSR Annex
  • A PIN Cardholder Verification Method (CVM) Application
    • This application will reside on the merchant COTS device and will be used for PIN entry
  • A PCI DSS compliant and PCI PIN compliant back-end processing environment hosting the SPoC back-end
  • A back-end monitoring system that provides device status and attestations capabilities and real-time response

A Trusted Partner

Intertek EWA-Canada is part of Intertek's Connected World Cyber Security Services division and is one of only 3 PCI-recognized SPoC test labs. Intertek EWA-Canada is recognized as Canada's premiere provider of information and communications technology (ICT) security and assurance services and a global centre of excellence in security engineering, test and evaluation innovation. Intertek EWA-Canada has been conducting compliance testing for Payment Terminals since 2003. 

Intertek EWA-Canada provides experienced, qualified resources, and company expertise in all facets of security program development and assessments, product test, evaluation and certification, security architecture design and development, identification token and credential issuance, security incident response, computer forensics and training. Learn more about all our comprehensive services here.

To learn more about regarding SPoC or other PCI topics, check out our information page.

 

Steve Jia,
Payment Assurance Lab Manager

 

Steve is the Payment Assurance Lab Manager at Intertek EWA-Canada, focusing on certification testing and consulting services for a wide range of international standards including PCI, Interac, FIPS-140-2, and Common Criteria.  During his 11 years with EWA-Canada, Steve has become an expert in many areas of cyber security and now manages a team of security specialists focused on securing digital payments through security evaluations of electrical hardware, network infrastructure, mobile and web applications, and connected products.