Security Standard Released for Contactless Payments on Off-the-Shelf Mobile Devices

A new standard unveiled Wednesday by the PCI Security Standards Council could pave the way for more acceptance of contactless payments with no more hardware needed than a merchant’s off-the-shelf mobile phone or tablet.

The standard is dubbed Contactless Payments on COTS (commercial off-the shelf devices), or CPoC. It spells out security requirements governing applications that enable a mobile device to accept contactless payments from customers using EMV chip cards, smart phones, or wearables. Under development since June 2018, CPoC includes a program for vendors to get their payment applications tested and validated.

CPoC applies to near-field communication-based contactless payments in which the off-the-shelf card-accepting phone or tablet does not use hardware such as a dongle. The Wakefield, Mass.-based PCI Council, which sets rules for secure acceptance of general-purpose credit and debit cards, years ago introduced a set of rules for contactless payments with purpose-built mobile-payment devices called the PCI PIN Transaction Security Point of Interaction (PCI PTS POI) Standard. 

In addition, the Council’s Web site already lists secure software-based PIN entry on COTS (SPoC) applications that require a card-reading dongle and enable customers to enter a PIN on a merchant’s mobile device. The new CPoC standard does not permit software-based PIN entry and is meant for tap-and-go payments.

“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance,” Emma Sutcliffe, standards officer at the PCI Council, said in a news release. “Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader.”

The primary elements of a CPoC solution include a COTS device with an embedded NFC interface to read the payment card or payment device; a validated payment-acceptance software application that runs on the merchant COTS device initiating a contactless transaction; and back-end systems that are independent from the COTS device and support monitoring, integrity checks and payment processing.

Validated CPoC systems will be listed on the PCI Council’s Web site.

“The PCI CPoC initiative is part of the Council’s mission to enhance global payment-account data security by developing standards and programs that support secure payment acceptance in new and emerging payment channels,” the Council said in a blog post. “Ultimately, the PCI CPoC standard and program will lead to more options for merchants to accept contactless payments in a secure manner.”

Ron van Wezel, a Netherlands-based senior analyst for Boston-based research firm Aite Group LLC, says Visa Inc. and Mastercard Inc. have tested NFC payments on COTS devices in the United Kingdom and Poland.

“This is the next step in the evolution to what I call ‘SoftPOS’—payment-acceptance solutions at the point of sale that are entirely software-based,” van Wezel tells Digital Transactions News by email. “Merchants would simply download an application to start accepting card payments.”

That end point, however, has not yet been reached, according to van Wezel. “The new PCI standard does not allow for PIN entry on the COTS,” he says. “This means that contactless card acceptance on such devices is only possible for low-value payments under the contactless limit.” 

In Europe, that limit currently is €25 ($27.73). But Apple Pay or Google Pay mobile payments can be used for any value because they use biometric cardholder verification, he notes.