PCI Security Standard Council calls for comments on new standard for contactless payments on commercial off-the-shelf NFC devices

From 22 July to 20 August 2019, PCI SSC stakeholders can participate in a Request for Comments (RFC) on the draft PCI Contactless Payments on COTS (CPoC) Standard. RFC periods are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards. This feedback plays a critical role in the ongoing maintenance and development of these resources for the payment card industry.

PCI SSC is developing a new standard for contactless payments on commercial off-the-shelf (COTS) devices, which is planned for publication by the end of 2019. As part of the development process, PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Contactless Payments on COTS (CPoC) Standard during a 30-day request for comments (RFC) period from 22 July to 20 August. 

The RFC is available through the PCI SSC portal, including instructions on how to access the document and submit feedback. PCI SSC will review all feedback received, and the name of the organization, its comments and how PCI SSC is addressing the feedback will be posted in the PCI SSC portal for all RFC participants to view. For additional information on how this process works, refer to the RFC Process Guide.  

Background on the PCI Contactless Payments on COTS(CPoC)Standard 

With a growing number of merchants now using smartphones and other commercial off-the-shelf (COTS) mobile devices, PCI SSC is expanding its support for  mobile payment acceptance to develop new standards that leverage security techniques to provide proactive controls for managing threats and protecting data.  

The PCI Contactless Payments on COTS (CPoC) Standard provides security requirements for solutions that enable contactless, or “tap and go”, transactions on merchant COTS devices.  

The CPoC Standard includes: 

. Specific criteria for solution providers on how to protect payment data within their solutions;

. Test requirements for PCI-recognized Laboratories to assess solutions for validation and listing on the PCI SSC website through the supporting CPoC Program. 

The CPoC Standard is being developed with input from payment card industry stakeholders via the RFC process. This includes a dedicated RFC with the Mobile Task Force that took place in April 2019 and the current RFC with Participating Organizations, Qualified Security Assessors and PCI-recognized Laboratories. PCI SSC is targeting publication of the CPoC Standard by the end of 2019, with the CPoC Program to follow in 2020.