Get Ready for Mobile PINs

After decades of requiring specialized hardware, the payments industry is moving toward PIN entry on off-the-shelf mobile devices. What’s not to like?

The payments industry is, if anything, ultra-conservative when it comes to new technology and transaction security. Take PIN pads, for example. For decades, the industry has required that consumers enter a PIN on either a terminal or specialized PIN-entry device. Either way, the PIN was masked and fenced by rules and routines built into the guts of those devices.

No wonder. For all this time, the PIN has been the key to the cardholder’s kingdom, to the cash he holds in his account. It’s his little Fort Knox, with the secret PIN standing guard.

But now the industry has taken a step some see as anything but ultra-conservative. It’s not sweeping away all those specialized PIN pads. Instead, for the first time, it’s allowing merchants without those devices to take PINs on the same mobile phones and tablets anyone can buy at Walmart.

That opens up card acceptance for a whole universe of merchants, from craft-fair sellers to bodegas to pop-up stores and brick-and-mortar establishments. “Now, all of a sudden, all those food trucks get carded,” says Michael Moeser, director of payments at Javelin Strategy & Research, Pleasanton, Calif.

The new dispensation goes by several names. The most common are “PIN on glass,” “software-based PIN,” and “PIN on mobile.” Whatever you call the concept, it has stirred up quite a bit of excitement, as you would expect, among companies that specialize in mobile point-of-sale offerings, or mPOS.

Square Inc., for example, started doing PIN on mobile in March 2016 in Australia and then brought the technique to the United Kingdom a year later. “It doesn’t make sense to develop solutions with expensive hardware PIN pads, which are cost-prohibitive to serving smaller sellers, when the same goals can be accomplished with software and connected services,” says Mary Kay Bowman, head of payments at the San Francisco-based company, in an e-mail message.

But not everyone shares her enthusiasm. Some payments veterans see in mobile PINs a security threat that overshadows any potential benefit from expanded merchant acceptance. “I think this has an unintended consequence of catastrophic impact,” warns Dave Keenan, senior vice president for product management in card services at Fiserv Inc.

‘It’s an App’

Square is not alone in its enthusiasm for software-based PIN entry. The potential to reach perhaps hundreds of thousands of new merchants has attracted technology startups like MagicCube Inc., a Santa Clara, Calif.-based company founded in 2014 by Sam Shawki, a former Visa Inc. executive.

Shawki says he spotted the opportunity while still at the card network, and left to pursue it. “I thought these [PIN] attachments should disappear. It’s an app,” he recalls. Indeed, talking about traditional, hardware-based PIN entry, he says, “is like discussing whether the Walkman is going to continue.”

Estimates of the size of the potential market vary. One way to look at it lies in the explosive growth of mobile points of sale. In the United States alone, the number more than doubled between 2014 and 2016, and is forecast to triple by 2021, according to figures compiled and estimated in late 2016 by BI Intelligence.

Right now, while these merchants can use their dongles and smart phones or tablets to accept cards, they can’t enter PINs, leaving merchants no alternative but to collect the screen scribbles people call signatures. But the need might be even more acute overseas, in markets like Europe, where EMV transactions—both credit and debit—are routinely secured with PINs.

Another factor that could drive the market is the decision by all of the major card networks to make signature authentication voluntary. These moves, which came late last year and early this year, rocked the industry because they represented an about-face from decades of enforcing a signature requirement.

Now, some observers say the moves could foster software-based PIN entry as merchants look for an alternative. “I think this is a step in prep for PIN,” says Shawki.

‘A Broader Move’

Regardless of the pros and cons, PIN on glass has now been codified in a standard issued in January by the PCI Security Standards Council, the Wakefield, Mass.-based organization that establishes the rules for payment card security.

The new standard applies to EMV credit and debit transactions and outlines rules for entering a PIN directly into a “consumer off-the-shelf,” or COTS, device. It requires a couple of critical components: a secure app on the device for PIN entry, and an approved card reader to glean account details from the card’s chip. This isolation of the PIN from the rest of the cardholder’s details is crucial, according to Troy Leach, chief technology officer at the Council.

“The Primary Account Number (PAN) is never entered on the COTS device with the PIN,” he says in an email message. “Instead, that information is captured by an EMV chip reader that is approved as an SCRP (Secure Card Reader for PIN) that encrypts the contact or contactless transaction.” In this way, he adds, the standard works against so-called correlation attacks, in which criminals can combine PINs with account credentials that belong to the same cardholder.

The rules also require “continuous” monitoring, Leach says, to check the integrity of the software that receives the PIN as well as to detect “anomalies in the COTS environment.”

Early players like Square celebrate the new standard’s blessing on software, which they say could open the door for greater convenience as well as lower cost. “It’s … a broader move from legacy, static, hardware-based defenses to dynamic, responsive, field-upgradable software-based defenses,” says Bowman.

The Council’s test requirements, which detail how testing laboratories can certify devices for software-based PIN entry, were due out in February, about a month after the standard itself.

On to the IoT

With the PCI Council rules in place, some observers argue the market for PIN on glass could expand even more rapidly. For one thing, merchants that have shunned the technology may start using mobile POS now that they don’t have to buy a PIN pad. “A lot of merchants don’t have PIN pads because they don’t want to spend the money,” says Javelin’s Moeser.

Square’s Bowman also cites PIN pads as an impediment for her company’s ambitions for small merchants. “The objective is to accept chip and PIN payments in the most accessible and cost-effective way. We decided to meet that objective with an eye toward innovation. Everything, including payments and commerce, is increasingly becoming mobile,” she says.

Besides hardware costs, collecting PINs could further reduce costs for merchants by allowing them to route transactions over PIN-debit networks. Moeser adds.

Whether the rosy outlook for PIN on glass will actually play out can best be judged by looking at the experience of Square, which has been at it the longest, deploying its own technology. The company plays it close to the vest when it comes to hard details, but Bowman says all Square sellers in both Australia and the U.K. are using its PIN solution.

“We are looking to expand mobile PIN acceptance to other Square international markets,” she adds. Outside the United States, Square is available in Canada and Japan, in addition to Australia and the U.K. Beyond mobile POS, Square looks to applications in markets such as the Internet of Things, which embraces everything from smart watches and other wearables to automobiles.

‘The Long Pole’

Not all payments experts are on board this accelerating train, however. Fiserv’s Keenan, for one, argues the new PCI standard could end up making more trouble than the potential transactions are worth. “There is no evidence [PIN on glass] expands card-based commerce, and it doesn’t add security,” he says.

Indeed, Keenan worries that the technology will undermine PIN security by wiping out years of merchant and consumer training. “For 50 years, we’ve told people, ‘Don’t give out your PIN,’” he says. “PIN on glass encourages you to give your PIN to somebody you don’t know on a device you don’t control.” This, he says, contrasts with the experience of mobile services like Apple Pay, where the mobile device remains in the hands of the consumer.

“Without question, there will be a fraudulent merchant” taking advantage of software-based PIN entry, Keenan insists, adding that the issues surrounding the technology have not been sufficiently aired. “There needs to be robust industry debate. That debate has not taken place,” he says.

Other observers applaud the technology but would have preferred the standard be developed by a body like the American National Standards Institute. The PCI Council was formed by the big card networks and in the eyes of some merchants and other payments executives remains under the influence of those networks.

An ANSI standard, these observers argue, might have reflected the interests of a wider constituency, even if the effort might have taken longer. ANSI “may not be quite as fast as proprietary groups [like the PCI Council], they may be the long pole, but the long pole is usually the sturdiest one in the tent,” argues Terry Dooley, executive vice president and chief information officer for the Shazam Network, a Johnston, Iowa-based national PIN-debit network.

Still, Dooley is a fan. “PIN on glass will be good for a lot of markets. It will drive transactions into markets that don’t have any today,” he says.