PCI® PTS vs. SPoC: What’s best for your environment?
Most retail environments focus on 3 main factors for their payment hardware and infrastructure: time, cost, and future scalability. Having the right security posture quickly becomes a 4th focus as organizations weigh different payment devices and solutions in the market. With the recent introduction of the Software PIN on COTS (SPoC) standard by the PCI Council, retailers and payments facilitators now have more options to ensure that their customer payment point-of-service investments achieve maximum ROI while still maintaining the highest levels of data security standards.
In considering these options, a retail organization needs to ensure that their infrastructure, security posture, and organizational capabilities support the additional requirements that are associated with maintaining a SPoC solution versus a PTS solution.
What is PCI-PTS®?
PCI-PTS® is a standard which was published by the PCI Council around 2010. The PTS standard was developed by PCI to formalize hardware requirements to support secure PIN entry and, later, data encryption standards for different industry use cases in a PCI-DSS environment. A PTS certified device is hardened to meet all PCI security requirements.
PCI-PTS® devices are trusted devices which provide all the data security and encryption mechanisms within the payment terminal device, without an explicit need for external support infrastructure.
What is PCI® SPoC?
PCI-SPoC® is a recent standard which was published by the PCI Council in 2018. The SPoC standard addresses using untrusted commercial hardware combined with external support infrastructure to achieve a secure PIN entry and processing environment, along with a separate Secure Card Reader device and PCI-DSS environment.
Complying with the PCI® SPoC standard requires an organization to have a variety of hardware and software components as well as performing periodic 3rd party (QSA) PCI assessment audits.
How do I choose what’s best for my environment?
A PCI® SPoC approach requires the merchant environment to externalize the hardware and software protections that are already built-in for a PCI-PTS® device right out of the box. What this means is having both local (in the merchant environment) and remote (in the cloud) infrastructure to monitor and digitally attest to the device state and functionality 24/7. This monitoring and attestation infrastructure requires a significant software, hardware, auditor, and personnel investment to enable the device to meet the minimum PCI Data Security Standards (PCI-DSS®) for the merchant to even begin processing payment transactions in their environment. After all of this, merchants must still purchase Secure Card Reader (SCRP) hardware to perform the required payments functionality. And, in addition to the costs, these requirements can add months or even years to an organization’s technology roadmap, once again putting the merchant behind the payments technology curve.
An advanced PCI-PTS® solution, such as the Elo Pay M60 Mobile Computer, is hardened with data security protections which exceed the minimum PCI-DSS® standards, ensuring that merchants always have a best-in-class security posture. And, since the industry standard Android-based tablet computer is combined with the Secure Card Reader functionality in one device, the merchant can focus on their business and less on behind-the-scenes required infrastructure. Providing advanced security standards combined with the next-generation App-based functionality of a tablet computer in one package gives retail merchants the best of all 4 factors – quicker time to market, lower TCO, adaptive app-based scalability, and a top-level payments security posture.