How PIN-on-COTS May Reshape Mobile Payments in the US

Earlier this month, the PCI Security Standards Council released a new security standard that allows for PIN entry on commercial off-the-shelf devices (COTS) such as a smartphone in your pocket or a tablet on your desk right now. Called Software-Based PIN Entry (SPoC) the standard — which you read for yourself — has some interesting components that are useful to understand.

First, the standard relies on another device to capture the PIN, in this case, the COTS device — the EMV transaction occurs via a secure card reader (i.e. dongle) attached to the COTS device through its audio jack or via Bluetooth. All cardholder data is taken in via the dongle and is encrypted as is the industry norm these days.

In PCI’s words “The security requirements are for solution providers to use in developing secure solutions that enable EMV contact and contactless transactions with PIN entry on the merchant’s consumer device using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP).” This level of hardware security is not unlike other payment devices currently which have P2PE built in. The result is a highly secure transaction.

Another important part of the specification has to do with the COTS devices themselves and their integrity. If off-the-shelf devices are going to be used for secure transactions, the standard requires that safety measures are in place to ensure the device hasn’t been tampered with. For example, Jailbroken or rooted devices won’t be allowed because, at that point, there’s less of a guarantee that the device doesn’t have malicious code at work in the background. Externally-based device attestation is an important feature of the standard which brings an extra level of security to the device.

Anything that enables us to create a safer payments environment using EMV is a good thing. Indeed, for the ISVs, ISOs, or merchants who haven’t yet delivered EMV to their customer bases, the concept of a low-cost COTS device should be very appealing and most likely increase EMV adoption. We expect that this new standard could be just what the US market — especially among SME laggards — needs to complete its migration to EMV.

Beyond PIN-on-COTS

Even though this standard was just released, you might be wondering when the PCI Council and industry at large will have enough confidence to side-step a secure card reader/dongle and just use contactless only. Creditcall has a proof-of-concept project whereby we’ve turned an NFC-enabled Android phone into a contactless-only terminal, thus removing the need for a secure dongle. Unfortunately, there are some complexities that must be addressed.

When it comes to EMV certification of such a payment solution, you need: Level 1, which tests the electrical and physical interfaces, and the transmission of data, between the payment terminal and the card; Level 2, which covers the “kernel” software that processes and validates the data exchanged with the card using the Level 1-certified device; and Level 3 which is the certification with the various acquiring processors such as First Data, Elavon or Worldpay for the individual card brands such as Visa, Mastercard, Discover or Union Pay International. The Level 1 and Level 2 certifications ensure that payment device manufacturers have the necessary hardware and software on their payment device to meet the EMV standards.

Level 2 and Level 3 are easy enough to do. The issue is with Level 1, this certification is tied to a particular combination of hardware and antenna. With so many different NFC chipsets, the certification process becomes extremely complicated and would result in a myriad of different certifications. Still, it’s safe to assume that at some point EMVCo and the industry will figure out how to make it work in a manageable way.

For now, PIN-on-COTS is good for the consumer and great for the US payments market still seeking to complete its EMV migration. At Creditcall, we feel we’re well ahead of the curve concerning this standard as we’ve been looking at this for some time now and we’re ready to work with solution providers to deliver these solutions to their customers. 


Jeremy, a payments veteran, has driven Creditcall’s technical development since 1999. He is responsible for all design and implementation of card payment solutions and the portfolio of EMV Kernels and oversees the maintenance of the company’s PCI DSS Level 1 compliance.