PCI Is About to Launch a Mobile POS Certification
WaSec | 2018-06-30 11:03

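Friends, PCI is about to launch a mobile POS certification. Thinking back to the mobile POS that UnionPay released recently, doesn't that now have a reasonable explanation?

Let's first look at the news published by PCI.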

PCI SSC is in the beginning stages of developing a security standard for accepting contactless payments on a merchant’s commercial off-the-shelf (COTS) phone or tablet.

Here we talk with PCI SSC Chief Technology Officer Troy Leach to learn more about this new initiative.

Why is PCI SSC developing a standard for accepting contactless payments on a merchant’s COTS device?

Troy Leach: The role of PCI SSC is to evaluate all forms of payment transactions and identify security measures to protect the transaction. This includes identifying whether existing requirements within our standards are applicable to address the security and integrity of emerging technologies or whether more specific testing criteria are required. Based on industry feedback, we have determined that there would be benefit in developing a new standard specifically for use of securing solutions that enable a merchant’s COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader.

What will the standard address and who is it intended for?

Troy Leach: The aim is to develop security requirements for solutions that enable a merchant’s COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader by leveraging the native NFC capabilities inherent to a COTS phone or tablet. This includes specific criteria for how solution providers protect payment data within their offerings, as well as the test requirements for laboratories to demonstrate the effectiveness of that security.

We are still in the very early stages of the process, so the details of the standard are yet to be developed. We will be working with the industry over the next several months to determine the areas the standard needs to address and to build out the specific requirements accordingly.

What is the anticipated timeline for the development of the standard?

Troy Leach: PCI SSC has begun development of this standard in 2018. Timing of the standard’s publication will depend on the type of input and feedback we receive from the industry during the anticipated request for comments periods (RFC). As this initiative progresses we will keep stakeholders informed on the development process and these opportunities for providing feedback.

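PCI has always imposed strict security requirements on POS terminals. But with the rapid growth of mobile payments in recent years, traditional bank card transactions have changed considerably. PCI has recognized this and introduced SPOC, a scheme that allows the card PIN to be entered on a phone. Even so, SPOC is still somewhat out of step with real-world transaction scenarios, which is what led to the mobile POS news above.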

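The biggest difference between the forthcoming mobile POS security requirements and the previously published SPOC security requirements is that the external card reader (SCRP) is no longer involved. That removes the biggest obstacle to launching mobile POS.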

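Second, the transactions a mobile POS handles are similar to contactless tap-and-pay bank card transactions, with the transaction data exchanged over the phone's built-in NFC. Although today's high-end phones all have NFC, in China it has never been used as widely as QR codes. I believe that once PCI publishes its requirements, the major phone manufacturers will all follow with support.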

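Phone manufacturers should not celebrate too early, though: a mobile POS will certainly not be something a simple app can deliver. Xiao Wa believes a TEE and an SE are indispensable.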

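Several years ago, when TEEs first came into use in China, some vendors already hoped to build a POS terminal on top of a TEE. They were held back by domestic and international industry regulatory requirements, and the protection strength of a TEE fell far short of the security requirements for a POS terminal. I believe this move by PCI will bring a revolution to the POS industry.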
