The PCI Security Standards Council, the payment card security group, has released a new standard aimed at allowing commercial off-the-shelf devices to support multiple payment inputs, including contactless cards and methods of cardholder verification.
The standard allows for a single device to process contactless card data and a consumer-entered PIN.
Consumers across the globe increasingly use contactless methods for payment, and Aite-Novarica estimates 37.8% global growth in such payments from 2020 to 2021. Forrester, in an annual study conducted for the National Retail Foundation, concluded that most U.S. merchants already accept Apple Pay and PayPal.
The new standard – its official name is PCI Mobile Payment on COTS, or MPoC – is aimed at payment software vendors and service providers whose solutions range from applications used for accepting users’ account data to software deployed for back-end payment data attestation and monitoring.
“This was done in direct response to the feedback we heard from our community,” said Andrew Jamieson, vice president of solution standards at PCI SSC. “The PCI MPoC standard allows for both contactless card data and PINs to be entered into the same COTS device, for the same transaction, as well as supporting the use of external card readers if those are desired.”
The new standard is quite different from the council’s previous, separate standards for PIN entry devices and contactless payment devices, Jamieson said in an email to Information Security Media Group. “The ‘operational’ aspects have been separated from the ‘development’ aspects, allowing for further flexibility in how solutions are designed and created,” he wrote. The standard supports software development kits for creating mobile payment applications and allows a single application to be built from multiple software development kits, he said.
“The market was looking for increased flexibility, the ability to adapt solutions to fit smaller market niches as well as aiming at large deployments.”
Some retailers responded to the increase in consumer demand for contactless payment by using devices not specifically made for payment processing. The standard takes that into account, as well as the different threat models posed by various payment solutions, Jamieson said. Still, the standards will not completely push dedicated payment terminals from the market, he predicted.
General-purpose devices can’t provide physical security, meaning “there remains a place for these devices in situations where an MPoC solution may not be the best fit,” he said.
“In the same way that physical payment cards have not been replaced through use of Apple Pay or Android Pay, I expect that the use of phones or tablets to accept payments will coexist alongside dedicated payment terminals.”