SGS Brightsight is a PCI-recognized lab performing PTS, CPoC, SPoC, MPoC and 3DS SDK security evaluations and delivering results that are accepted by the Payment Card Industry Security Standards Council (PCI SSC) for solution or product certification. Our laboratory has been recognized since the establishment of the PCI program and we have a proven track record in hardware- and software-based security evaluations.
SGS Brightsight offers comprehensive evaluation-related services, supporting developers during all phases of solution development and the related certification. All PCI-related services are offered from our PCI-recognized laboratory located in Delft (the Netherlands).
PCI SSC published its newest security standard for software-based payment acceptance solutions in November 2022. Called PCI Mobile Payments on COTS (MPoC, where COTS stands for commercial off-the-shelf), the new standard consolidates three predecessors into one: PCI SPoC, PCI CPoC and the payment networks' 'Tap to Phone' pilot standards.
A PCI MPoC solution approval allows worldwide deployment without scheme-specific limits, while the PCI MPoC standard offers modularity and choice of supported functionality. Solutions can be tailored to market demands for the card interfaces supported (EMV contact, EMV contactless, magnetic stripe (MSR)), with or without PIN entry, and so on.
PCI MPoC is the natural successor of the payment networks' various 'Tap to Phone with PIN' pilot programs. These have been very successful but will be discontinued by mid-2023, so all pilot-approved and new solutions need to achieve a PCI MPoC approval in the next couple of years.
SGS Brightsight is experienced in the field of software-based payment solution evaluations, with a large number of developers achieving security approval (CPoC, SPoC, Tap to Phone (TTP)) following our completion of a security evaluation. We are also one of the first recognized PCI MPoC laboratories in the world and can provide all the services needed to efficiently develop and certify a solution.
SGS Brightsight is a market leader in the PCI PTS domain, having completed more than 500 PCI-PTS security evaluations that converted into new product approvals. PIN Transaction Security (PTS) devices enable merchants to perform secure EMV-based payment transactions, offering the highest level of protection against unauthorized data compromise. The most recent version of the PCI PTS Point of Interaction (POI) standard is 6.x and was released in January 2023.
The PCI SPoC (Software-based PIN Entry on COTS) program was introduced with the objective of bringing cost-effective and attractive solutions to the market, able to support high-value payments with strong customer authentication (SCA). These solutions were expected to be very attractive to micro and small merchants.
The PCI Software-based PIN Entry on COTS (SPoC) program contains a set of very specific solution-wide requirements aimed at achieving a security level corresponding to that of the PCI PTS program. A SPoC solution enables merchants to accept true EMV-based transactions, both contact and contactless, with the option of PIN entry on COTS devices such as smartphones and tablets.
A SPoC solution consists of a COTS device used in connection with an SRED-approved Secure Card Reader - PIN (SCRP) and a back-end system responsible for the overall security of the solution. PIN entry and PIN processing on the COTS device must be secured by a dedicated PIN CVM (cardholder verification method) application, while a back-end monitoring and attestation service must ensure that PIN entry is enabled only once the authenticity, integrity and security status of the COTS device and the PIN CVM application have been confirmed.
Established in 2019, the PCI CPoC (PCI Contactless Payments on COTS) program and standard were introduced to make it possible to accept low-value payments on cost-effective solutions. The standard provides security and test requirements for payment solutions that enable EMV-based contactless payment acceptance on merchant mobile devices, such as smartphones and tablets, using near-field communication (NFC). PCI CPoC solutions do not support PIN entry and therefore cannot be used for transactions that require cardholder verification, i.e. high-value payments above the contactless no-CVM limit.
PCI 3DS SDK
3D Secure (3DS) is an authentication protocol that helps prevent fraud in online (card-not-present) credit and debit card transactions. The name refers to the three domains involved in authenticating a transaction: the acquirer domain, the issuer domain and the interoperability domain.
Developed in 1999, when e-commerce was still in its infancy, 3DS had been adopted by Visa under its 'Verified by Visa' branding (now 'Visa Secure') by 2001. It is now used by other card schemes as well, including MasterCard and American Express.
A 3DS software development kit (3DS SDK) is a component embedded in a merchant's mobile application to support cardholder authentication: it collects device information for the issuer's risk assessment and presents the issuer's challenge to the cardholder when one is required.
SGS Brightsight can provide demo applications with the SDK for both Android and iOS. Both communicate with a test server and show how the SDK fits into a mobile application project.