Software-based PIN Entry on COTS (SPoC)


This standard defines security requirements for mobile payment acceptance solutions that enable transactions with PIN entry on a merchant commercial off-the-shelf (COTS) device (e.g., a smartphone or tablet). These solutions use a secure PIN consumer verification method application (PIN CVM application) in combination with a Secure Card Reader – PIN (SCRP) or a non-PTS-approved magnetic stripe reader.

Software-based cardholder authentication uses a software application interface on a merchant's COTS device to capture and encrypt the cardholder's PIN. Because the COTS device itself is not a trusted platform, these solutions rely on a combination of mechanisms and security controls, including but not limited to device hardware, application software, and remote attestation and monitoring systems, to protect the transaction and PIN data.

Entities interested in the PCI CPoC standard may also consider the more recent PCI MPoC standard.

Important Information

Intended Audience

For entities developing, deploying, or managing solutions that accept PINs on COTS devices.


SPoC Documents

Find all of the related documents in the PCI SSC Document Library.


Listings & Professionals

PCI SSC encourages merchants and their acquirers to use the PCI SSC listing in selecting a PCI-listed SPoC Solution that meets their needs.

Independent PCI-Recognized SPoC Laboratories evaluate SPoC solutions and related SPoC applications against the requirements of the PCI SPoC Standard and in accordance with the PCI SPoC Program Guide.


Training Information

The Payment Card Industry Professional (PCIP) is an individual, entry-level certification in payment security information that provides the understanding needed to help your organization build a secure payment environment. Becoming a PCIP demonstrates a level of understanding that can provide a strong foundation for a career in the payments security industry.

Compliance programs for all PCI SSC standards are managed by the payment brands. Questions about which entities need to validate compliance with any PCI SSC standard, or whether use of a PCI-listed product is required and for which entities, should be referred to the payment brands. Contact information for the payment brands is in FAQ #1142.