What is Pin on Glass – Background & PCI regulations
The PCI Security Standards Council (PCI SSC) recently announced a new security standard for consumer PIN entry on commercial off-the-shelf (COTS) devices. The new Software-based PIN Entry on COTS (SPoC) Standard provides a software-based approach (as opposed to entering a PIN on a hardware keypad) to securing PIN entry on the diverse range of touchscreen COTS devices on the market today, such as smartphones or tablets.
Specifically, the new standard details requirements for developing secure solutions that enable Eurocard / Mastercard / Visa Chip (EMV) contact and contactless transactions with PIN entry on a merchant-provided, consumer-grade device, using a secure PIN entry application in combination with a Secure Card Reader for PIN (SCRP), a plug-in hardware module for smartphones / tablets.
Credit Card transaction validation method history:
- Buyer signature on paper
- Buyer signature on proprietary hardware
- PIN entry on dedicated Hardware device
- Software PIN entry on dedicated payment device
- Software PIN entry onto merchant provided & widely available COTS devices such as smartphones or tablets
Why Software PIN standard is needed – Who benefits:
Consumers / Cardholders
- Greater Convenience — More merchants accept credit cards for purchase transactions instead of cash or checks
- Improved Security — Using a PIN is more secure than verifying a cardholder's identity via signature
- Reduced cost of (card) acceptance by not forcing businesses to purchase expensive specialized ID verification terminals
- Greater merchant adoption expands payment volumes and the resulting fee revenue
- Lower Point-of-Sale (POS) fraud potential and costs given greater security afforded by PIN use (vs. signature)
From an overall perspective, the United States lags behind Europe in moving away from accepting checks. More businesses in the U.S. are going cashless — accepting only credit card payments. The payment industry has identified a goal of 90 million payment card acceptance devices by 2020. This broad industry transformation will be made possible by migrating away from specialized payment verification hardware towards flexible, scalable, and lower-cost software solutions.
Core security challenge:
Expanding the payment validation device ecosystem to include consumer-grade touchscreen devices also expands the potential for malicious manipulation of devices that were not designed solely with payment security in mind. The software on these devices must be hardened to repel unauthorized remote access and fraud and to prevent infiltration of malware.
PCI SSC security requirements for software PIN entry on COTS devices:
- Monitor: The device must have monitoring capabilities, also allowing remote security upgrades and patches
- Remote Disable: The device must be capable of being taken offline remotely by security staff as needed
- Isolate: PIN data transmission must be kept separate from the customer's account data / payment credentials
- Secure: Ensure software security and integrity of PIN application on COTS device
- Protect: Merchant must use PCI approved Secure Card Reader for PIN (SCRP)
Still to come: The PCI SSC will release testing processes for labs that detail how solutions will be tested against this new standard. The Council will then follow up with a list of approved solutions that merchants can adopt to start accepting software PIN entry on COTS devices.