DYK: PIN on glass is not yet acceptable for debit payments?

Posted: Aug 24, 2017
Author: Lou Grilli

But that’s all about to change, to the delight of smartphone users.

Entering a PIN on a physical pad of numbered buttons is now more than 50 years old as a technology; it was created with the first ATMs. The current security requirements around PIN management and transmission, ISO 9564, date to 1991.

Today’s smartphone users are accustomed to tapping PINs on their screens, to unlock the phone and to access mobile banking. But to make a debit transaction, the consumer still needs to press the buttons on a PIN pad. Security certification of dedicated hardware-based PIN pads assured that the PIN could not be compromised and could be transmitted securely. “PIN on glass” implies entering PINs on many different phones, tablets, built-in screens on gas pumps, kiosks, etc. This represents a new challenge, because these screens are inherently software devices that can potentially be modified remotely, infiltrated by malware, or hijacked by fraudsters.

There is definitely a market demand for PIN on glass. Self-service kiosks at quick-service restaurants, tablets at the table at casual sit-down restaurants that enable ordering and paying, next generation fuel pumps with touchscreen access, and the proliferation of self-checkout lanes at big box hardware stores and member clubs, all clamor for the ability to enter PIN on glass.

The PCI Security Standards Council has been discussing with stakeholders plans for a new security standard that will enable merchants to accept PIN-based payments with the PIN entered on a commercial off-the-shelf device, such as a consumer-grade mobile phone or tablet. The difference between the current security requirements and the ones being developed is the difference between hardware and software. PIN security on software devices will need monitoring capabilities, so that the security of the device can be updated and patches issued. In addition to being updated, the device needs the option to be disabled remotely by security staff. Network connectivity will have requirements including encryption and keeping PIN transmission separate from payment credentials.
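As an added illustration (not code from the original post or from PCI), the following Python builds and parses an ISO 9564-1 format 0 PIN block, the structure that binds a PIN to the card’s PAN before the block is encrypted; the PIN and PAN used are constructed test values. Under the separation requirement above, the encrypted block then travels under a PIN-encryption key distinct from the key protecting the card data, so a compromise of one does not expose the other.

```python
# Added example: ISO 9564-1 format 0 PIN block encode/decode (stdlib only).
# The PIN field is XORed with a field derived from the PAN, so the block is
# bound to one card and cannot simply be replayed against another PAN.
# The PIN and PAN used in __main__ and the tests are constructed values.

def _pan_field(pan: str) -> str:
    """'0000' + rightmost 12 digits of the PAN, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]

def encode_pin_block(pin: str, pan: str) -> str:
    """Return the 16-hex-digit clear PIN block (format 0) for pin/pan."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    # control nibble 0, PIN length nibble, PIN digits, then F padding
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return "".join(f"{int(a, 16) ^ int(b, 16):X}"
                   for a, b in zip(pin_field, _pan_field(pan)))

def decode_pin_block(block: str, pan: str) -> str:
    """Recover the PIN; raise if the block was not formed for this PAN."""
    if len(block) != 16:
        raise ValueError("PIN block must be 16 hex digits")
    pin_field = "".join(f"{int(a, 16) ^ int(b, 16):X}"
                        for a, b in zip(block, _pan_field(pan)))
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(pin_field[1], 16)
    pin, pad = pin_field[2:2 + n], pin_field[2 + n:]
    # a wrong PAN scrambles the padding, which must be all F
    if not 4 <= n <= 12 or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not belong to this PAN")
    return pin

if __name__ == "__main__":
    blk = encode_pin_block("1234", "4111111111111111")
    print(blk, decode_pin_block(blk, "4111111111111111"))
```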

There are already a few instances of PIN on glass devices approved by PCI. These are Android-based tablets dedicated to POS functions, in which the Android operating system has been modified to tighten data handling, access to data storage, and network access, all to ensure that whenever data is entered there is no possibility for fraudsters to obtain sensitive data.

A draft of the new standard is expected in the October 2017 timeframe. Feedback from stakeholders, including security evaluators, will then be taken into consideration, with the goal of having a final document, with testing criteria, by the end of the year. But instead of being the end, this may be just the beginning. The Internet of Things will introduce many new types of devices from which payment can be initiated. Shopping by augmented reality means entering a PIN through goggles. Connected cars will involve tapping the PIN on the vehicle’s entertainment and navigation touchscreen. And shopping from Alexa and Google Home means potentially entering a PIN by voice. Keeping payments data, and especially PINs, safe will continue to be a challenge.

Lou Grilli

Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.