For decades, merchants have had to install specially designed and built devices so that customers could enter their personal identification numbers for debit card payments, and more recently the same has held for EMV chip cards. On Wednesday that changed: the PCI Security Standards Council published a standard that lays out the rules for software that accepts PIN entry directly on the touchscreen of a mobile device, a method the payments industry has dubbed “PIN on glass.”
The shift from hardware to software for PIN entry comes as smartphones and tablets have become common at the point of sale and in the field. The U.S. migration to EMV that began in 2015 has added urgency as chip cards proliferate.
The announcement from the Wakefield, Mass.-based Council, whose standards govern security across a wide range of card-based payment configurations, drew praise from companies that have worked for years on technology to enable PIN on glass and have lent technical advice to the Council’s work. “We are impressed with the effort that the Council went through, especially when taking all of our feedback and comments and working with us,” says Sam Shawki, chief executive and cofounder of MagicCube, a Santa Clara, Calif.-based company.
MagicCube and other providers argue the new standard, officially called the PCI Software-Based PIN Entry Standard, will lower costs for small merchants, who will no longer need to buy specialized PIN pads or similar devices. Many countries in Europe and elsewhere use PINs with both EMV credit and debit cards, but the national card networks in the U.S. market have not required PINs on credit transactions. Debit EMV, however, requires a PIN in some scenarios. The new PCI standard covers both contact and contactless EMV transactions.
Still, software-based PIN entry does not eliminate dedicated hardware: the standard requires a hardened chip reader, a so-called “secure card reader for PIN,” alongside the PIN-entry software that runs on the mobile device. “Existing PCI PIN standards require hardware-based security protection of the PIN,” said PCI SSC chief technology officer Troy Leach, in a statement. “We are now building on this foundation with a new standard that allows for an alternative approach to secure PIN entry.”
Leach says the standard’s requirements are meant to allow vendors to create the needed software and equipment. “The PCI Software-Based PIN Entry Standard gives solution providers and application developers a baseline of security requirements specifically for accepting EMV contact and contactless transactions using software-based PIN entry,” he says.
A key feature of the new standard, Leach says, is separation of the PIN from other cardholder data during the transaction. The hardened chip reader captures the primary account number (PAN) from the card, while the PIN is entered on the mobile device, so the two data elements are handled by different components. “A key security objective is to isolate the PIN within the [mobile] device from the account-identifying information,” Leach says.
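To make that separation concrete, here is an added illustrative model of the data flow (it is not code from the PCI standard, MagicCube or any vendor). It assumes a PIN-entry component on the mobile device that holds only the PIN, a reader component that holds the PAN, and a single channel between them that carries the PIN only in encrypted form. The one-time-pad style cipher and the recombination of PIN and PAN inside the reader are assumptions standing in for whatever the standard actually specifies; the card number and PIN are constructed test values.

```python
"""Illustrative model of PIN/PAN separation for software-based PIN entry.

Added example, not part of the standard or any product. The cipher and the
point of recombination are assumptions used only to make the boundary visible.
"""
import secrets
from dataclasses import dataclass, field

# Constructed test data: a well-known test card number and a dummy PIN.
TEST_PAN = "4111111111111111"
TEST_PIN = "1234"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (toy one-time-pad primitive)."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class PinEntryApp:
    """Software on the merchant's phone or tablet. Never receives the PAN."""
    session_key: bytes
    seen: list = field(default_factory=list)  # every value this component stored

    def capture_pin(self, digits: str) -> bytes:
        pin = digits.encode()
        self.seen.append(pin)
        # Assumed: the PIN is encrypted before it leaves the app.
        ciphertext = xor_bytes(pin, self.session_key[: len(pin)])
        self.seen.append(ciphertext)
        return ciphertext


@dataclass
class SecureCardReader:
    """Hardened reader. Reads the PAN from the chip; receives only encrypted PINs."""
    session_key: bytes
    pan: str = ""
    seen: list = field(default_factory=list)

    def read_chip(self, pan: str) -> None:
        self.pan = pan
        self.seen.append(pan.encode())

    def accept_encrypted_pin(self, ciphertext: bytes) -> str:
        self.seen.append(ciphertext)
        # Assumed: decryption and any pairing with the PAN happen only here,
        # inside the hardware-protected component.
        pin = xor_bytes(ciphertext, self.session_key[: len(ciphertext)]).decode()
        self.seen.append(pin.encode())
        return pin


def run_transaction(pan: str, pin: str):
    """Run one transaction and return both components, the channel contents and the PIN the reader recovered."""
    key = secrets.token_bytes(16)  # assumed per-session key shared with the reader
    app = PinEntryApp(key)
    reader = SecureCardReader(key)
    reader.read_chip(pan)
    ciphertext = app.capture_pin(pin)
    channel = [ciphertext]  # everything that crossed from app to reader
    recovered = reader.accept_encrypted_pin(ciphertext)
    return app, reader, channel, recovered


def check_isolation(app: PinEntryApp, reader: SecureCardReader, channel: list, pan: str, pin: str) -> dict:
    """The properties a reviewer would check against such a design."""
    pan_b, pin_b = pan.encode(), pin.encode()
    return {
        "app_never_held_pan": all(pan_b not in item for item in app.seen),
        "channel_carried_no_plain_pin": all(pin_b not in item for item in channel),
        "reader_got_pan_from_chip": reader.pan == pan,
    }


if __name__ == "__main__":
    app, reader, channel, recovered = run_transaction(TEST_PAN, TEST_PIN)
    print("reader recovered PIN correctly:", recovered == TEST_PIN)
    for name, ok in check_isolation(app, reader, channel, TEST_PAN, TEST_PIN).items():
        print(f"{name}: {ok}")
```

The `seen` lists stand in for a memory dump or log of each component; the point of the checks is that the mobile-side software never holds account-identifying data and the plaintext PIN never appears on the wire between the two parts. A real validation of a solution would involve far more (key management, tamper response, attestation of the mobile device), which the article does not describe.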
The standard’s security requirements are available now. Its test requirements, aimed at validation of a given solution, will be released next month.