<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Pci-Pin on Corebaseit — POS · EMV · Payments · AI · Telecommunications</title><link>https://corebaseit.com/tags/pci-pin/</link><description>Recent content in Pci-Pin on Corebaseit — POS · EMV · Payments · AI · Telecommunications</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><managingEditor>contact@corebaseit.com (Vincent Bevia)</managingEditor><webMaster>contact@corebaseit.com (Vincent Bevia)</webMaster><lastBuildDate>Wed, 15 Jul 2026 10:00:00 +0200</lastBuildDate><atom:link href="https://corebaseit.com/tags/pci-pin/index.xml" rel="self" type="application/rss+xml"/><item><title>PCI Is Not Just PCI DSS: A Layered Map of Payment Security Standards</title><link>https://corebaseit.com/corebaseit_posts/pci-flavors/</link><pubDate>Wed, 15 Jul 2026 10:00:00 +0200</pubDate><author>contact@corebaseit.com (Vincent Bevia)</author><guid>https://corebaseit.com/corebaseit_posts/pci-flavors/</guid><description>&lt;img src="https://corebaseit.com/diagrams/PCI-Family-corebaseit.png" alt="Featured image of post PCI Is Not Just PCI DSS: A Layered Map of Payment Security Standards" />&lt;p>Payment security conversations often collapse into a single acronym: PCI DSS. That shorthand is understandable — merchants, gateways, and cloud backends live under DSS scope — but it is incomplete. The PCI Security Standards Council (PCI SSC) maintains a family of standards, each scoped to a different layer of the payment stack: cardholder data in transit and at rest, PIN blocks from keypad to issuer, device hardware at the point of interaction, software on commercial phones, and end-to-end encryption from capture to decryption.&lt;/p>
&lt;p>This post maps that family. The goal is architectural clarity: knowing which standard applies at each boundary, so you do not audit a backend against DSS when the gap is device trust, or certify a terminal path against DSS when the real question is PCI PTS or PCI MPoC.&lt;/p>
&lt;h2 id="the-pci-standards-family-at-a-glance">The PCI standards family at a glance
&lt;/h2>&lt;p>At the highest level, three standards cover most card-present and backend work:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Standard&lt;/th>
&lt;th>Full name&lt;/th>
&lt;th>Primary scope&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;strong>PCI DSS&lt;/strong>&lt;/td>
&lt;td>Payment Card Industry Data Security Standard&lt;/td>
&lt;td>Cardholder data wherever it is stored, processed, or transmitted&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI PIN&lt;/strong>&lt;/td>
&lt;td>PCI PIN Security Requirements&lt;/td>
&lt;td>PIN blocks from entry through acquirer HSM to issuer&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI PTS&lt;/strong>&lt;/td>
&lt;td>PIN Transaction Security&lt;/td>
&lt;td>Payment devices — POI hardware, secure keypads, HSMs&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Around and beneath DSS sit program-specific standards for software assurance, COTS mobile acceptance, and encrypted terminal pipes:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Standard&lt;/th>
&lt;th>Role&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;strong>PCI Secure Software&lt;/strong>&lt;/td>
&lt;td>Validates payment software (successor to PA-DSS)&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI Secure SLC&lt;/strong>&lt;/td>
&lt;td>Validates the vendor&amp;rsquo;s secure software development lifecycle&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI CPoC&lt;/strong>&lt;/td>
&lt;td>Legacy: contactless-only acceptance on COTS (no PIN)&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI SPoC&lt;/strong>&lt;/td>
&lt;td>Legacy: software PIN entry on COTS with external reader&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI MPoC&lt;/strong>&lt;/td>
&lt;td>Current: mobile payments on COTS — NFC, PIN on glass, attestation&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>PCI P2PE&lt;/strong>&lt;/td>
&lt;td>Point-to-point encryption from capture to secure decryption&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>These are not interchangeable checkboxes. Each standard answers a different threat model.&lt;/p>
&lt;h2 id="pci-dss--cardholder-data-environments">PCI DSS — cardholder data environments
&lt;/h2>&lt;p>PCI DSS is the standard almost everyone has heard of. Its purpose is direct: protect cardholder data everywhere it is stored, processed, or transmitted.&lt;/p>
&lt;p>Typical entities in scope include merchants, acquirers, payment gateways, payment service providers, data centers, e-commerce sites, and the cloud infrastructure behind them. DSS covers network security, encryption, key management, logging, monitoring, access control, vulnerability management, secure SDLC, and incident response.&lt;/p>
&lt;p>What DSS does &lt;strong>not&lt;/strong> do is certify payment terminals. A merchant can be DSS-compliant while the terminal path is governed separately by PCI PTS, PCI PIN, or PCI MPoC depending on form factor. Backend architects still need DSS — authorization APIs, token vaults, and reconciliation stores all handle cardholder data — but terminal security is a different standard set.&lt;/p>
&lt;p>For e-commerce, DSS concerns concentrate on the browser-to-gateway path: TLS, hosted payment pages, iframe isolation, tokenization, PAN storage boundaries, JavaScript skimming (Magecart-class attacks), content security policy, 3-D Secure, API authentication, secrets management, and cloud configuration. I cover tokenization mechanics separately in &lt;a class="link" href="https://corebaseit.com/corebaseit_posts/payment-tokenization/" >payment tokenization&lt;/a>.&lt;/p>
&lt;p>For card-present backends, DSS still applies to any system that stores, processes, or routes cardholder data — but the terminal layer adds PTS, PIN, and EMV concerns on top. &lt;em>Point-of-Sale Systems Architecture&lt;/em>, Ch. 15 (Backend Architecture for POS) and Ch. 18 (Deployment and Ongoing Compliance) treat DSS storage boundaries and operational controls in production POS estates.&lt;/p>
&lt;h2 id="pci-pin--the-pin-path">PCI PIN — the PIN path
&lt;/h2>&lt;p>PCI PIN is a separate standard with a separate audit path. Its scope is PIN protection from the instant the cardholder enters a PIN until the encrypted PIN block reaches the issuer.&lt;/p>
&lt;p>The typical flow:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-text" data-lang="text">&lt;span style="display:flex;">&lt;span>Cardholder → PIN entry → encrypted PIN block → acquirer → HSM → issuer
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Everything in that chain — PIN block formats (ISO 9564), DUKPT or zone-key encryption, TR-31 and TR-34 key blocks, HSM requirements, key ceremonies — falls under PCI PIN Security Requirements, not DSS.&lt;/p>
&lt;p>PCI PIN mandates that PIN processing occur inside PCI-approved secure cryptographic devices (SCDs): POI devices evaluated under PCI PTS (PED, EPP, SCRP, UPT families) and HSMs meeting PCI PTS HSM or FIPS 140-2/3 Level 3 or higher. EMV defines when Online PIN is required; PCI PIN defines how the PIN block is formed, transported, and translated between key domains. The mechanics of PIN translation and HSM custody are covered in &lt;a class="link" href="https://corebaseit.com/corebaseit_posts/pin-translation/" >PIN translation&lt;/a> and &lt;em>Point-of-Sale Systems Architecture&lt;/em>, Ch. 11 (HSMs and PIN Blocks).&lt;/p>
&lt;h2 id="pci-pts--device-trust-at-the-point-of-interaction">PCI PTS — device trust at the point of interaction
&lt;/h2>&lt;p>PCI PTS — PIN Transaction Security — certifies &lt;strong>devices&lt;/strong>, not merchant environments. Traditional SmartPOS terminals from vendors such as Ingenico, Verifone, PAX, Sunmi, and Castles are evaluated under PCI PTS POI requirements.&lt;/p>
&lt;p>PTS covers tamper detection, secure boot, secure firmware, secure PIN entry hardware, side-channel resistance, and the physical security model that SmartPOS relies on. If you manufacture or integrate dedicated payment hardware, PTS is the device standard.&lt;/p>
&lt;p>External card readers used with COTS devices — Secure Card Readers (SCR) and Secure Card Reader-PIN (SCRP) units — may also carry PTS evaluation. A phone running Tap to Pay, however, is not a PTS device. It is governed by MPoC software and service requirements instead. That distinction matters whenever someone lists &amp;ldquo;SoftPOS&amp;rdquo; under PTS without separating hardware readers from COTS phone acceptance.&lt;/p>
&lt;p>I develop the SmartPOS trust model in depth in &lt;a class="link" href="https://corebaseit.com/corebaseit_posts/what-makes-a-payment-terminal-secure/" >what makes a payment terminal secure&lt;/a> and &lt;em>Point-of-Sale Systems Architecture&lt;/em>, Ch. 5 (Trusted POS Architectures in the COTS Era).&lt;/p>
&lt;h2 id="pci-p2pe--encrypt-at-capture">PCI P2PE — encrypt at capture
&lt;/h2>&lt;p>PCI P2PE (Point-to-Point Encryption) encrypts account data immediately after capture and keeps it encrypted until it reaches a secure decryption environment. The merchant environment never sees clear PAN.&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-text" data-lang="text">&lt;span style="display:flex;">&lt;span>Card → encrypted at POI → merchant network → gateway/processor → decrypt in SCD
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>P2PE is common in retail environments where scope reduction matters. A validated P2PE solution can reduce merchant PCI DSS scope, but only when approved devices, controlled key management, and no clear cardholder data in the merchant environment are all demonstrably true. PTS POI with SRED (Secure Reading and Exchange of Data) is often a component in P2PE-validated terminal solutions, especially for unattended deployments — a topic I cover in &lt;em>Point-of-Sale Systems Architecture&lt;/em>, Ch. 17 (Testing and Certification).&lt;/p>
&lt;p>P2PE protects &lt;strong>account data in transit from the POI&lt;/strong>. It does not certify a COTS phone as an acceptance device. That is MPoC&amp;rsquo;s job.&lt;/p>
&lt;h2 id="pci-secure-software-and-pci-secure-slc">PCI Secure Software and PCI Secure SLC
&lt;/h2>&lt;p>&lt;strong>PCI Secure Software&lt;/strong> replaced PA-DSS as the program for validating payment applications themselves. Instead of certifying a named payment application product, it certifies that the software meets secure coding, code review, dependency management, threat modeling, penetration testing, and secure update requirements.&lt;/p>
&lt;p>&lt;strong>PCI Secure SLC&lt;/strong> (Secure Software Lifecycle) steps up one level: it validates the &lt;strong>vendor&amp;rsquo;s&lt;/strong> engineering process — CI/CD governance, security reviews, testing discipline, developer training, and security governance across the organization. Think of Secure Software as &amp;ldquo;this build is sound&amp;rdquo; and Secure SLC as &amp;ldquo;this company builds sound software reliably.&amp;rdquo;&lt;/p>
&lt;p>MPoC&amp;rsquo;s Secure SLC appendix (Domain 4A) ties these concepts directly to SoftPOS release management. &lt;em>Point-of-Sale Systems Architecture&lt;/em>, Ch. 18 (Deployment and Ongoing Compliance) maps CI/CD gates, change management, and evidence retention to MPoC ongoing compliance.&lt;/p>
&lt;h2 id="cpoc-spoc-and-mpoc--the-cots-acceptance-line">CPoC, SPoC, and MPoC — the COTS acceptance line
&lt;/h2>&lt;p>SoftPOS introduced a branch of PCI standards aimed at commercial off-the-shelf phones and tablets:&lt;/p>
&lt;p>&lt;strong>PCI CPoC&lt;/strong> (Contactless Payments on COTS) was the first SoftPOS certification path: NFC card acceptance on a phone, contactless only, no PIN on the device.&lt;/p>
&lt;p>&lt;strong>PCI SPoC&lt;/strong> (Software PIN on COTS) added software-based PIN entry on a COTS screen, typically with an external card reader handling the card interaction while the phone captures the PIN.&lt;/p>
&lt;p>&lt;strong>PCI MPoC&lt;/strong> (Mobile Payments on COTS) is the current framework. It consolidates CPoC and SPoC use cases and supports NFC acceptance, PIN on glass, remote monitoring, runtime attestation, white-box cryptography, and optional TEE or secure element backing on the same COTS device.&lt;/p>
&lt;p>You will still see CPoC or SPoC on older certification sheets. PCI SSC has published sunset direction for those programs toward MPoC during 2026 — confirm exact dates against the current PCI SSC announcement before planning migrations. For new Tap-to-Pay work, MPoC is the practical target unless an acquirer explicitly requires a legacy listing during transition.&lt;/p>
&lt;p>MPoC defines three deployable elements: &lt;strong>MPoC Software&lt;/strong> (merchant app plus isolating SDK), &lt;strong>MPoC Service&lt;/strong> (attestation and monitoring backend), and &lt;strong>MPoC Solution&lt;/strong> (the approved combination listed on the PCI SSC site). Certification focuses on proving that sensitive operations stay inside the SDK boundary and that the host application does not circumvent it. I cover L3 integration and MPoC Domain 2A controls in &lt;a class="link" href="https://corebaseit.com/corebaseit_posts/l3-certification-paths-ctap-smartpos-softpos/" >L3 certification paths&lt;/a> and &lt;em>Point-of-Sale Systems Architecture&lt;/em>, Ch. 17.&lt;/p>
&lt;h2 id="p2pe-vs-mpoc--a-common-confusion">P2PE vs MPoC — a common confusion
&lt;/h2>&lt;p>These two standards are often conflated because both involve encryption on a terminal path. They solve different problems:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>&lt;/th>
&lt;th>&lt;strong>PCI P2PE&lt;/strong>&lt;/th>
&lt;th>&lt;strong>PCI MPoC&lt;/strong>&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;strong>Goal&lt;/strong>&lt;/td>
&lt;td>Protect PAN from POI to decryption zone&lt;/td>
&lt;td>Secure COTS phones as acceptance devices&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Threat model&lt;/strong>&lt;/td>
&lt;td>Merchant should not see clear card data&lt;/td>
&lt;td>Hostile or compromised consumer device&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Typical device&lt;/strong>&lt;/td>
&lt;td>PTS-certified terminal or SCR with encryption&lt;/td>
&lt;td>Android/iOS phone with certified SDK&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Key controls&lt;/strong>&lt;/td>
&lt;td>Encryption, key management, scope reduction&lt;/td>
&lt;td>Attestation, runtime monitoring, SDK isolation, PIN on glass&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>P2PE answers: &amp;ldquo;Can the merchant environment stay out of PAN scope?&amp;rdquo; MPoC answers: &amp;ldquo;Can this ordinary phone safely accept a card-present payment right now?&amp;rdquo;&lt;/p>
&lt;h2 id="pci-dss-at-the-pos-boundary">PCI DSS at the POS boundary
&lt;/h2>&lt;p>Card-present architectures add concerns beyond backend DSS:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-text" data-lang="text">&lt;span style="display:flex;">&lt;span>Card → terminal → acquirer → network → issuer
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>At this layer, architects need PTS or MPoC for device trust, PCI PIN for Online PIN paths, EMV correctness for cryptograms and CVM, DUKPT for transaction keys, device certificates, attestation, remote key injection, and settlement/reconciliation discipline. Terminal tampering, offline approval policy, and store-and-forward behavior sit alongside cryptography — not instead of it.&lt;/p>
&lt;p>DUKPT key derivation and the terminal-side key lifecycle are covered in &lt;a class="link" href="https://corebaseit.com/corebaseit_posts/dukpt-key-derivation/" >DUKPT key derivation&lt;/a>. Why PIN still matters in card-present flows — even as contactless grows — is in &lt;a class="link" href="https://corebaseit.com/corebaseit_posts/pin_still_matters_in_card_present_payments/" >PIN still matters in card-present payments&lt;/a>.&lt;/p>
&lt;h2 id="which-standard-applies-where">Which standard applies where?
&lt;/h2>&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Area&lt;/th>
&lt;th>Standard&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>Merchant website / cloud backend&lt;/td>
&lt;td>PCI DSS&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>POS terminal hardware (SmartPOS)&lt;/td>
&lt;td>PCI PTS&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>PIN encryption path&lt;/td>
&lt;td>PCI PIN&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Tap-to-Pay on COTS (current)&lt;/td>
&lt;td>PCI MPoC&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>NFC-only SoftPOS (legacy)&lt;/td>
&lt;td>PCI CPoC&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>PIN-on-glass SoftPOS (legacy)&lt;/td>
&lt;td>PCI SPoC&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Payment application software&lt;/td>
&lt;td>PCI Secure Software&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Vendor development process&lt;/td>
&lt;td>PCI Secure SLC&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>Encrypted terminal data pipe&lt;/td>
&lt;td>PCI P2PE&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>One row worth stressing: &lt;strong>EMV L1/L2/L3 certification is not a PCI standard&lt;/strong>. EMVCo testing proves specification conformance for devices, kernels, and integrations. PCI standards prove security controls for data, PINs, and devices. A solution needs both where applicable, but they answer different questions. EMV approval is not a substitute for PCI PTS or MPoC listing.&lt;/p>
&lt;h2 id="a-practical-learning-order">A practical learning order
&lt;/h2>&lt;p>If you are building depth in payment architecture — especially coming from EMV, SoftPOS, or acquirer integration work — this sequence connects standards to systems:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>PCI DSS v4.x&lt;/strong> — foundation for any environment that touches cardholder data.&lt;/li>
&lt;li>&lt;strong>PCI PIN Security&lt;/strong> — natural follow-on if you already work with DUKPT, PIN blocks, and HSM translation.&lt;/li>
&lt;li>&lt;strong>PCI PTS&lt;/strong> — device security, tamper resistance, and hardware trust for SmartPOS.&lt;/li>
&lt;li>&lt;strong>PCI MPoC&lt;/strong> — attestation, runtime monitoring, SDK boundaries, and PIN on glass for Tap-to-Pay.&lt;/li>
&lt;li>&lt;strong>PCI Secure Software and Secure SLC&lt;/strong> — software assurance and organizational governance.&lt;/li>
&lt;li>&lt;strong>PCI P2PE&lt;/strong> — end-to-end encryption architecture and scope reduction.&lt;/li>
&lt;li>&lt;strong>PCI CPoC and SPoC&lt;/strong> — historical context for legacy listings and migration planning.&lt;/li>
&lt;/ol>
&lt;p>The payoff is architectural, not checklist-driven. Being able to explain why an e-commerce backend falls under DSS, why a SmartPOS terminal requires PTS, why Online PIN paths require PCI PIN, and why modern Tap to Pay on Android relies on MPoC is what separates layer-aware design from isolated implementation knowledge.&lt;/p>
&lt;h2 id="confirmed-facts-vs-interpretation">Confirmed facts vs interpretation
&lt;/h2>&lt;p>&lt;strong>Confirmed&lt;/strong> (per PCI SSC and EMVCo documentation):&lt;/p>
&lt;ul>
&lt;li>PCI DSS protects cardholder data in storage, processing, and transmission; it does not certify payment terminals.&lt;/li>
&lt;li>PCI PIN governs PIN block formation, transport, and HSM requirements from POI to issuer.&lt;/li>
&lt;li>PCI PTS evaluates payment devices and HSMs at the POI layer.&lt;/li>
&lt;li>PCI MPoC is the current PCI SSC framework for mobile payments on COTS, consolidating CPoC and SPoC use cases.&lt;/li>
&lt;li>PCI SSC has published sunset direction for SPoC and CPoC toward MPoC during 2026. Verify exact dates against the current PCI SSC announcement.&lt;/li>
&lt;li>PCI P2PE validates encryption from capture to secure decryption and can reduce merchant DSS scope when implemented as a listed solution.&lt;/li>
&lt;li>PA-DSS has been succeeded by the PCI Secure Software Standard.&lt;/li>
&lt;li>EMV L1/L2/L3 testing assesses EMV specification conformance; it is separate from PCI device and software listings.&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>Interpretation&lt;/strong> (mine):&lt;/p>
&lt;ul>
&lt;li>Treating &amp;ldquo;PCI&amp;rdquo; as synonymous with DSS is the most common source of scope errors in architecture reviews.&lt;/li>
&lt;li>For new SoftPOS programs, MPoC is the practical compliance target unless a specific acquirer requires otherwise during transition.&lt;/li>
&lt;li>P2PE and MPoC are complementary in some estates (encrypted backend pipes plus COTS acceptance) but not substitutes for each other.&lt;/li>
&lt;li>Knowing which standard applies at each layer is a prerequisite for Staff-level payment architecture work — not because interviews demand it, but because wrong-scope designs fail in certification and production.&lt;/li>
&lt;/ul>
&lt;h2 id="references">References
&lt;/h2>&lt;p>Primary reference (this post is built on it):&lt;/p>
&lt;ul>
&lt;li>Bevia, V. &lt;em>Point-of-Sale Systems Architecture: A Practical Guide to Secure, Certifiable POS Systems&lt;/em>. &lt;a class="link" href="https://corebaseit.com/books/point-of-sale-systems-architecture/" >Book page&lt;/a>. Chapters most relevant here:
&lt;ul>
&lt;li>Ch. 3 — EMV Principles (PIN processing, TR-31, PCI PIN layering on EMV)&lt;/li>
&lt;li>Ch. 5 — Trusted POS Architectures in the COTS Era (SmartPOS vs SoftPOS, MPoC elements)&lt;/li>
&lt;li>Ch. 11 — HSMs and PIN Blocks&lt;/li>
&lt;li>Ch. 15 — Backend Architecture for POS (DSS storage boundaries)&lt;/li>
&lt;li>Ch. 17 — Testing and Certification (PTS, MPoC, P2PE/SRED, EMV L3)&lt;/li>
&lt;li>Ch. 18 — Deployment and Ongoing Compliance (MPoC lifecycle, Secure SLC)&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;p>Related Corebaseit posts:&lt;/p>
&lt;ul>
&lt;li>&lt;a class="link" href="https://corebaseit.com/corebaseit_posts/what-makes-a-payment-terminal-secure/" >What Makes a Payment Terminal Secure: SmartPOS vs SoftPOS&lt;/a>&lt;/li>
&lt;li>&lt;a class="link" href="https://corebaseit.com/corebaseit_posts/l3-certification-paths-ctap-smartpos-softpos/" >L3 Certification Paths: CTAP, SmartPOS, and SoftPOS&lt;/a>&lt;/li>
&lt;li>&lt;a class="link" href="https://corebaseit.com/corebaseit_posts/pin-translation/" >PIN Translation&lt;/a>&lt;/li>
&lt;li>&lt;a class="link" href="https://corebaseit.com/corebaseit_posts/dukpt-key-derivation/" >DUKPT Key Derivation&lt;/a>&lt;/li>
&lt;li>&lt;a class="link" href="https://corebaseit.com/corebaseit_posts/pin_still_matters_in_card_present_payments/" >PIN Still Matters in Card-Present Payments&lt;/a>&lt;/li>
&lt;li>&lt;a class="link" href="https://corebaseit.com/corebaseit_posts/payment-tokenization/" >Payment Tokenization&lt;/a>&lt;/li>
&lt;/ul>
&lt;p>External standards:&lt;/p>
&lt;ul>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>PCI DSS&lt;/a>&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>PCI PIN Security Requirements&lt;/a>&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>PCI PTS&lt;/a>&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/standards/mobile-payments-on-cots-mpoc/" target="_blank" rel="noopener"
>Mobile Payments on COTS (MPoC)&lt;/a>&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>Contactless Payments on COTS (CPoC)&lt;/a> — legacy program&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>Software PIN on COTS (SPoC)&lt;/a> — legacy program&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>PCI Point-to-Point Encryption (P2PE)&lt;/a>&lt;/li>
&lt;li>PCI SSC, &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>PCI Secure Software Standard&lt;/a> and &lt;a class="link" href="https://www.pcisecuritystandards.org/document_library/" target="_blank" rel="noopener"
>PCI Secure SLC&lt;/a>&lt;/li>
&lt;li>EMVCo, &lt;a class="link" href="https://www.emvco.com/" target="_blank" rel="noopener"
>EMV Level 1 and Level 2 Testing&lt;/a>&lt;/li>
&lt;/ul></description></item></channel></rss>