PCI Council Releases New CPoC Standard for Contactless Payments

To support a growing number of consumers and businesses making mobile transactions, the Payment Card Industry Security Standards Council (PCI SSC) released a new standard called CPoC. Published on December 4th, CPoC introduces a new payment method that will make mobile commerce more convenient and efficient.

Contactless Payments on COTS (commercial off-the-shelf devices), or CPoC, allows merchants to accept payments using their COTS devices without any additional hardware, such as a mobile card reader.

For example, a transaction could occur between two smart phones, a tablet and a FitBit, and so on, thanks to CPoC-approved payment apps that don’t require any specialized equipment.

CPoC spells out security requirements for payment apps and includes a validation program to qualify them. The app must be evaluated in a PCI-recognized lab and, if approved, the PCI SSC will list it on its website as a trustworthy option for CPoC transactions.

Before CPoC was released, merchants needed a contactless credit card terminal to accept payments customers made with a smart phone (e.g. Apple Pay, Samsung Pay, etc.), smart device (e.g. wearables like a Fitbit watch), or contactless credit card. In each case, the transaction took place through near field communication (NFC) between the customer’s NFC-enabled device and the merchant’s NFC-enabled credit card terminal.

CPoC essentially cuts out the “middleman” by allowing merchants to accept contactless payments solely using their commercial mobile device instead of a terminal or dongle. NFC is still at play to enable the safe transfer of transaction data between the two COTS devices, along with the security requirements the PCI SSC publishes and upholds.

As long as the customer’s COTS has an embedded NFC interface (commonly referred to as an NFC “chip”), and the merchant has a PCI-approved mobile payment app to initiate and accept the transaction, along with a merchant account through a CPoC-supportive payment processor, merchants and customers can have confidence using the new solution.

The CPoC standard doesn’t permit software-based PIN entry—another difference from its mobile app predecessors. COTS applications that require a card-reading dongle (such as a Clover Go) allow customers to enter their PIN on the merchant’s mobile device. The seamless CPoC process is taking the “tap and go” payment to the next level of efficiency—the transaction occurs in one move, without PIN entry, using only two mobile devices which the merchant and customer already have on hand.

The PCI SSC is the governing body responsible for creating and managing global security requirements for any entity that accepts, processes, stores or transmits cardholder data and/or authentication data.

Formed by the major card networks (Visa, MasterCard, Discover, American Express, and JCB), the Council has had CPoC in the works since June 2018, working to create criteria for solution providers to ensure the highest level of data protection, with the goal of enhancing mobile commerce for all parties involved.

You can find more details about PCI standards here.

Speaking of PCI compliance, is yours up to date? If you are a business that accepts credit cards, it’s a requirement to validate your PCI compliance annually and remediate any non-compliance issues if you do not pass. BankCard USA offers complimentary PCI support for our merchant accounts.

If you haven’t completed your annual security requirements, please contact us below for start-to-finish assistance with the process. This includes remediation support and IP scanning, when applicable, through our PCI-approved scanning vendor.

We also provide free, zero-obligation consultations if you have any questions about CPoC or opening a merchant account.
