What is POM? (PIN-on-Mobile or PIN-on-COTS)
Traditionally, PIN entry for Chip and PIN or PIN Debit has been implemented on dedicated hardware with a physically secure numeric PIN pad. In January 2018, the PCI Security Standards Council announced a new method for secure PIN entry called PIN on Mobile that allows the use of Consumer-Off-The-Shelf (COTS) devices.
Why was this new PIN-on-Mobile system created?
Merchants, especially small and micro merchants, need a lower-cost, more readily available alternative to traditional hardware-based PIN entry terminals. This lets such merchants accept card payments and therefore increases card payment volumes. In addition, many governments now advocate card payments as a way to disburse government benefits, track and collect taxes, and fight the corruption that can occur with large amounts of cash.
What is needed to support PIN-On-Mobile?
The secure end-to-end PIN-on-Mobile solution is defined by the Payment Card Industry (PCI) Software-based PIN Entry on COTS Security Requirements. Every solution must include the following components to meet those requirements:
• A Secured Application
- For PINned transactions, the secured app generates a PIN pad for PIN entry
- The PIN is encrypted with an AES key that is protected by white-box cryptography; the AES key is updated once per month
• Backend Security Monitoring Component
- Sends a notification and disables the device if an abnormality is detected
- A heartbeat signal monitors the integrity of the device and of the secure application running on it
• A Secure Card Reader
- PCI PTS 5.0 certified EMV card reader without a magnetic stripe reader (MSR)
- The acquirer PIN key is injected into the reader for encrypted PIN block generation
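As an added example (not part of the PCI requirements or any vendor's product), the following Python sketches the backend security monitoring component described above: it consumes device heartbeats carrying an attestation result, disables and notifies on an abnormality, disables devices that go silent, and flags an overdue monthly AES PIN key rotation. The heartbeat cadence, the missed-heartbeat limit, the heartbeat fields and all sample values are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 60            # seconds; assumed cadence (constructed value)
MISSED_LIMIT = 3                   # silent intervals before the device is disabled
KEY_MAX_AGE = 30 * 24 * 3600       # seconds; the AES PIN key is updated monthly

@dataclass
class Heartbeat:
    device_id: str
    sent_at: int               # Unix time the device sent the heartbeat
    app_hash: str              # hash of the secured app as measured on the device
    integrity_ok: bool         # result of the device/OS integrity checks
    key_installed_at: int      # Unix time the current AES PIN key was installed

@dataclass
class DeviceState:
    enabled: bool = True
    last_seen: int = 0
    notifications: list[str] = field(default_factory=list)

class BackendMonitor:
    def __init__(self, expected_app_hash: str):
        self.expected_app_hash = expected_app_hash
        self.devices: dict[str, DeviceState] = {}

    def _disable(self, dev_id: str, state: DeviceState, reason: str) -> None:
        state.enabled = False
        state.notifications.append(f"{dev_id} disabled: {reason}")

    def process_heartbeat(self, hb: Heartbeat) -> DeviceState:
        state = self.devices.setdefault(hb.device_id, DeviceState())
        state.last_seen = hb.sent_at
        if not state.enabled:
            return state                      # stays off until re-provisioned
        if hb.app_hash != self.expected_app_hash:
            self._disable(hb.device_id, state, "secured app hash mismatch")
        elif not hb.integrity_ok:
            self._disable(hb.device_id, state, "device integrity check failed")
        elif hb.sent_at - hb.key_installed_at > KEY_MAX_AGE:
            state.notifications.append(f"{hb.device_id}: PIN key rotation overdue")
        return state

    def check_timeouts(self, now: int) -> list[str]:
        """Disable enabled devices silent for more than MISSED_LIMIT intervals."""
        silent = [d for d, s in self.devices.items()
                  if s.enabled and now - s.last_seen > HEARTBEAT_INTERVAL * MISSED_LIMIT]
        for dev_id in silent:
            self._disable(dev_id, self.devices[dev_id], "heartbeat missing")
        return silent
```

A real deployment would drive `check_timeouts` from a scheduler and deliver `notifications` to the operations team rather than keeping them in memory.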