The PCI Security Standards Council (PCI SSC) has published a new optional Software-based PIN Entry on COTS (SPoC)™ Annex for Unsupported Operating Systems ("Unsupported OS Annex") version 1.0. The purpose of this annex is to provide additional security and testing requirements that allow solution providers to support commercial off-the-shelf (COTS) devices running unsupported operating systems. The Unsupported OS Annex incorporates stakeholder feedback and comments received during the formal Request for Comments (RFC) period.
In this post, we talk with PCI SSC SVP of Standards Emma Sutcliffe about the new Annex.
Why did PCI SSC develop the Unsupported OS Annex?
Emma Sutcliffe: Some merchants do not have access to the latest COTS devices or the ability to upgrade their existing COTS devices. Adding support for this option for COTS devices with unsupported operating systems allows those merchants to benefit from the security of a SPoC solution. The goal is to provide an additional layer of rigorous security controls to mitigate the impact on the security of sensitive assets that results from using COTS devices with unsupported operating systems.
How does the Annex add support for COTS devices with unsupported operating systems?
Emma Sutcliffe: The security and testing requirements set out in the Unsupported OS Annex are designed to protect the confidentiality and integrity of PINs captured on COTS devices with unsupported operating systems. These requirements are intended for SPoC solution providers that have demonstrated knowledge and expertise in addressing the threats and vulnerabilities associated with unsupported operating systems, and that implement robust risk management techniques as an integral part of solution management.
It is also important to note that the option to use a COTS device with an unsupported operating system is offered only for SPoC solutions, because account data is captured by an external card reader (such as an SCRP) rather than by the COTS device itself. COTS devices with unsupported operating systems cannot be used in Contactless Payments on COTS (CPoC™) solutions.
Who needs to comply with the Unsupported OS Annex security and testing requirements?
Emma Sutcliffe: The security objectives set out in the SPoC Unsupported OS Annex are required only for solutions that include operating systems not supported by the COTS system baseline.
What do SPoC solution providers and SPoC labs need to know about the Unsupported OS Annex?
Emma Sutcliffe: Similar to the approach taken in the Software Security Framework and the 3DS Core Standard, the SPoC Unsupported OS Annex takes an objective-based approach to defining the security requirements that mitigate the risks of using unsupported operating systems. This industry-recognized approach acknowledges that there is no one-size-fits-all way to address the issues of unsupported COTS operating systems, and that SPoC solution providers need the flexibility to decide the most appropriate way to address the risk.
SPoC solution providers that want to support COTS devices with unsupported operating systems are expected to have robust risk management techniques as an integral part of their "business as usual" operational processes. They need to have the knowledge, skill sets, and processes in place to continually identify security vulnerabilities in the unsupported COTS platforms their solution supports, and to take steps to address those vulnerabilities that may affect the security of the SPoC solution or its components.
The SPoC Unsupported OS Annex and supporting documentation, including technical FAQs, the program guide, and updated reporting templates, are available in the PCI SSC Document Library.
SPoC Unsupported OS Annex