Update: PCI SSC's Enhanced Contactless Payment StandardCouncil's CTO, Troy Leach, Describes How Smaller Merchants Will Benefit
In December, the PCI Security Standards Council plans to publish a new standard for solutions that enable "tap and go" transactions on merchant smartphones and other commercial off-the shelf, or COTS, mobile devices. In an interview with Information Security Media Group, Troy Leach, the council's CTO, offers insights on the role the new standard will play in enhancing security for smaller merchants.
With a growing number of merchants now relying on smartphones to take payments, the new standard will provide more secure options for contactless acceptance, according to a recent PCI SCC blog. Although existing PCI SCC standards support contactless transactions, the new standard "provides a set of principles and requirements for a mobile contactless payment acceptance solution where the contactless-read functions are performed using the NFC interface that is native to and embedded in a COTS device," the blog notes.
In addition to security requirements, the new contactless standard will include test requirements and offer guidance, including examples of appropriate security controls that can be used.
The new standard is designed so it can eventually accommodate new forms of mobile devices, Leach explains.
"We will also be looking at how we can take this type of mobile standard and continue to explore other forms of emerging technology," he says. "This is a nice continuation of where we were with the SPoC standard (Software PIN entry on COTS devices) and allows us to look for more opportunities for merchants, especially smaller merchants."
In this interview (see audio link below photo), Leach also discusses:
- Why there are no provisions for PINs in the new contactless standard;
- Other pending updates to PCI standards, including those for end-to-end encryption and a software framework;
- PCI standards projects for next year.
Leach is the chief technology officer for the PCI Security Standards Council. He partners with council representatives, participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure.