ANALYSIS

Next-Gen PIN on Glass: How the New PCI Standard on Software PIN Entry will Evolve Payments

by Christine Umbrell

The day is not far off when U.S. consumers will be able to enter their personal identification numbers (PINs) on a mobile touchscreen, such as a tablet or smartphone, to make PIN-enabled purchases. The technology needed to facilitate “PIN on Glass” transactions is already available, and there will soon be a PCI standard focusing on software PIN entry of commercial off-the-shelf (COTS) devices.

“PIN on Glass technology has been around for a long time,” says Troy Leach, chief technology officer for the PCI Security Standards Council. “The concept is not new.” What is new is the concept of software PIN entry into a COTS device not dedicated exclusively for payment, says Leach.

The Council is preparing to open a request-for-comment period for a new standard in October 2017, when participating organization members will be invited to review and offer feedback on a standard for software PIN entry. Depending on the comments generated, the standard could go public as early as December of this year, according to Leach.

PIN 2.0

While it may seem that transitioning to PIN on touchscreens would be a logical next step at this time, it’s “a surprisingly complex topic,” says James Wester, research director of global payments, International Data Corp. Accepting PIN on a mobile device “seems so simple—but if you look at all of the things that go into it, it becomes complex.”

Without software PIN entry, mobile transactions require a secondary PIN-entry device—and it is “both expensive and clunky to have two devices” to facilitate transactions, maintains Wester. “Being able to combine everything in a single package is a more elegant, better design, and it removes friction in the payment process.”

The movement to software PIN entry on COTS devices is “an incremental step in the mobile device becoming more and more a part of payments being mobile,” Wester adds. “The way we pay and the way payments are accepted have changed so much in the past five years.” Several different types of companies are now involved in the payments value scheme, from issuers to networks to acquirers, and both hardware and software vendors, says Wester. Changes in EMV, mobile payments, and new ways to shop and pay have all played a part in the progression of payments—as will software PIN entry, he predicts.

The shift being addressed by the new standard is a movement away from traditional PIN on Glass solutions—which typically require hardware attachments—toward new solutions that may allow off-the-shelf tablets or smartphones to accept PINs in a secure and “isolated” manner, according to Leach. “Before the PIN is entered via ‘Glass’—or software—the Primary Account Number (PAN) is already encrypted and cannot be decrypted,” he explains. When the new standard is released, it is expected to focus on software requirements for payment applications that manage transactions within COTS devices.

The New Standard

The Council’s software-based PIN entry standard—one of seven new and existing PCI standards being released or updated this year—looks at how to separate the PIN from any other type of account information. Isolating the PIN from any other data may prevent future fraud attacks that would correlate payment data from multiple locations, according to Leach. “We’ve relied on the integrity of PIN authentication for decades,” he says, and the new standard will allow innovators to isolate the PIN data for new uses without compromising that integrity.

There are three central components to the proposed standard, according to Leach:

  • Isolating PAN from PIN. “We are looking at software requirements for payment applications that manage transactions within the COTS device,” says Leach. “To create isolation, you need to be able to enter an account number in such a way that it can’t be decrypted in a COTS device.”
  • Software security. This is key to protecting the integrity of handling applications with PINs in a COTS device. “A COTS environment is inherently insecure,” Leach acknowledges, so security must be augmented to ensure PIN data remains protected.
  • Monitoring. Remote monitoring should be carried out by an independent party to confirm that the software, COTS device, and transaction have integrity and behave as expected, and to look for any types of suspicious activity. “There needs to be ongoing security and monitoring to ensure that the device itself is not compromised,” says Leach.
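The three components above, together with Leach’s point that the PAN is already encrypted before the PIN is entered, can be pictured as a small model. The following Python is an added illustration written for this article; it is not code from the PCI Council, the standard, or any vendor’s product. In it, a dedicated reader encrypts the PAN under a key the COTS app never holds, the app on the phone encrypts the PIN under a separate transport key and binds it to the PAN ciphertext, an independent monitor vets the app build and device state, and only the acquirer-side host holds both keys. The key values, the HMAC-based stand-in cipher, the build identifier, the device report fields, and the card numbers are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys: READER_KEY lives in the secure reader and the acquirer
# HSM; PIN_KEY is provisioned to the COTS app and the HSM. The app never gets READER_KEY.
READER_KEY = bytes.fromhex("01" * 32)
PIN_KEY = bytes.fromhex("02" * 32)

def _stream(key, nonce, length):
    # Keystream for the stand-in cipher: HMAC-SHA256 in counter mode.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key, label, plaintext):
    # Stand-in for a real AEAD (AES-GCM in the reader or HSM) so the demo needs
    # only the standard library. Output: nonce || ciphertext || tag over label.
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, label + nonce + ct, hashlib.sha256).digest()

def unseal(key, label, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, label + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

class SecureCardReader:
    # Dedicated reader (an SCD): encrypts the PAN before anything reaches the phone.
    def __init__(self, reader_key):
        self._key = reader_key
    def read_card(self, pan):
        return seal(self._key, b"PAN", pan.encode())

class CotsPinApp:
    # Payment app on the COTS device: holds only the PIN transport key and sees
    # the PAN only as opaque ciphertext.
    BUILD_ID = b"cots-pin-app-1.0"  # constructed build identifier
    def __init__(self, pin_key):
        self._pin_key = pin_key
    def build_hash(self):
        return hashlib.sha256(self.BUILD_ID).hexdigest()
    def collect(self, pan_ct, pin):
        # Bind the PIN block to the PAN ciphertext (the only form of the account
        # number on the device) so it cannot later be paired with another card.
        pin_ct = seal(self._pin_key, b"PIN" + pan_ct, pin.encode())
        return {"pan_ct": pan_ct, "pin_ct": pin_ct, "build": self.build_hash()}
    def try_decrypt_pan(self, pan_ct):
        # The isolation property: with the keys the app holds, the PAN stays opaque.
        try:
            return unseal(self._pin_key, b"PAN", pan_ct).decode()
        except ValueError:
            return None

class Monitor:
    # Independent monitoring: vets app build and device state before acceptance.
    def __init__(self, allowed_builds):
        self._allowed = set(allowed_builds)
    def attest(self, build, device_report):
        return build in self._allowed and not device_report.get("rooted", False)

class AcquirerHost:
    # The only environment holding both keys, hence the only place PAN and PIN meet.
    def __init__(self, reader_key, pin_key, monitor):
        self._reader_key, self._pin_key, self._monitor = reader_key, pin_key, monitor
    def process(self, msg, device_report):
        if not self._monitor.attest(msg["build"], device_report):
            return {"status": "declined", "reason": "monitoring"}
        try:
            pan = unseal(self._reader_key, b"PAN", msg["pan_ct"]).decode()
            pin = unseal(self._pin_key, b"PIN" + msg["pan_ct"], msg["pin_ct"]).decode()
        except ValueError:
            return {"status": "declined", "reason": "integrity"}
        # A real host forwards the PIN block to the issuer; the demo reports what it recovered.
        return {"status": "approved", "pan_last4": pan[-4:], "pin_len": len(pin)}

def run_demo():
    reader, app = SecureCardReader(READER_KEY), CotsPinApp(PIN_KEY)
    host = AcquirerHost(READER_KEY, PIN_KEY, Monitor({app.build_hash()}))
    healthy = {"rooted": False}
    pan_ct = reader.read_card("4111111111111111")  # constructed test PAN
    msg = app.collect(pan_ct, "1234")
    other_ct = reader.read_card("5555555555554444")  # a second constructed test PAN
    return {
        "normal": host.process(msg, healthy),
        "cots_sees_pan": app.try_decrypt_pan(pan_ct),
        "rooted_device": host.process(msg, {"rooted": True}),
        "modified_app": host.process(dict(msg, build="unknown-build"), healthy),
        # PIN block paired with another card's ciphertext fails the binding check.
        "swapped_pan": host.process(dict(msg, pan_ct=other_ct), healthy),
    }
```

Running `run_demo()` shows the normal transaction approved, the app unable to recover the PAN from the ciphertext it handles, and three declines: a rooted device and an unrecognized app build are stopped by the monitor, and a PIN block re-paired with a different card’s ciphertext fails the integrity check at the host. The binding of the PIN block to the PAN ciphertext is what makes the isolation useful against the “correlate payment data from multiple locations” fraud pattern mentioned above, since neither half is meaningful without the other and the keys to combine them exist only at the host.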


“It’s really about isolating,” Leach says. As dynamic data and dynamic authentication take hold, they diminish the value of account information for future payment considerations. “If you’re using EMV Payment Tokens or multifactor authentication, the importance of PIN security will diminish because it won’t be the only verification for the transaction, which is why PIN security has been so rigorous to date,” Leach explains. “It is the primary verification in an environment that co-hosts with account number and other sensitive data.”

Secure Solutions

As new software PIN entry solutions are developed, protecting cardholders’ PIN numbers is of utmost importance, says Scott Spiker, founder of Cipherithm, principal partner at Rockledge Group, and chair of Working Group X9F6 of the Accredited Standards Committee X9 Inc. (X9), which develops and maintains standards for the financial services industry. PINs offer a gateway to money, rather than simply products, notes Spiker. Cyberthieves who are able to identify a PIN associated with a card could theoretically access cash from an ATM. “There’s real money involved—not just merchandise,” says Spiker.

Currently, the security surrounding the PIN is “quite robust” and in compliance with X9 regulations, says Spiker. ANSI/ISO standards require that PIN handling devices used by processors and acquirers be secure cryptographic devices (SCDs). But those standards apply to hardware, whereas the new PCI standard addresses software.

According to Leach, the ANSI/ISO standards are written for an environment where PIN entry is handled in the same environment as the account data is entered, while the new standard addresses mobile transactions where “the account information will never be used in the same environment as the PIN.” This means that the standard likely will be designed for chip transactions only, and will not allow for magstripe transactions, to ensure the account information remains isolated from the PIN, Leach says.

Some of the security challenges may be balanced out by the advantages of software PIN entry, according to proponents of the technology. Software is inherently nimble and may be updated quickly, allowing for remote updates that can address the newest cyber attacks as they are introduced. “Merchants want a simple solution,” states Leach. “We need to simplify and eliminate the risk for merchants. One way we do that at the PCI Council is by point-to-point encryption,” he says. Software PIN entry offers a new way to isolate the merchant from the risk of that transaction.

In addition, COTS devices that are enabled with software PIN entry may provide more opportunities in the coming years, contends Leach. Integrating software security and third-party monitoring requirements in the standard offers “an opportunity to provide more payment channels for more merchants” and provides a platform for new ways to authenticate, he says.

What’s Next?

Once the standard is released, it is unclear how soon new solutions will become compliant and introduced to the market.

Current software PIN entry models are being tested and implemented in other countries, via Visa’s mobile chip-and-PIN pilot program in Australia and Britain, and AEVI’s Albert device in Australia (see sidebar). But “none of the current pilots being conducted have any association with the PCI Council,” says Leach. “I would imagine there are several solutions in the marketplace today” that may one day be compliant with the upcoming PCI standard on software PIN entry, but “it’s too early to tell if any solutions available today can meet the standard,” he explains. “As we design requirements for long-term deployment, we should not assume that an existing process today will meet all security controls of the standard.”

The significance of the standard is that it will “introduce new opportunities to think about security and authentication,” says Leach. Building on recent security advances engendered by EMV chip and encryption, isolating the PIN for use on mobile COTS devices offers another way to protect consumers while leveraging new technologies, Leach explains. “Can we create new types of integrity so we can remain confident that cardholders are who they say they are?” he asks. “We’ve had a problem with confidentiality—keeping information from getting into the hands of criminals.” Isolating the PIN can devalue cardholder information and reduce the chance of that data being used for fraud in other payment channels by cyberthieves.

Wester believes that once the standard is released, the technology will have a greater impact on merchant implementation than on consumer behavior. “The idea of entering a PIN to make a purchase is not really something [the consumer] thinks as much about,” he explains. In fact, many consumers already seem comfortable using signature rather than PIN verification when requested by merchants. But if consumers aren’t focusing on security, merchants will need to do so, says Wester.

Spiker notes that “any software-based systems have the possibility of being attacked.” And Wester wonders whether it will be possible for cybercriminals to try to write apps to steal PIN data. But security will continue to be of utmost importance as the new standard is introduced and new products come to market.

“Those companies providing the services” are thinking about all of the security issues, says Wester. Having a PCI standard in place will help ensure companies offer secure solutions. “Certain things are hard to predict, and some bad guys may try to find ways to exploit new technologies. But everyone is paying attention to security.”

An Eye on the Future

The arrival of solutions that allow software PIN entry on COTS devices is imminent, but where this road will lead is yet to be seen. With so much going on in the payments space, “it’s going to be hard to predict whether we’ll start seeing applications” once the standard is released, says Wester.

“Things evolve over time,” says Leach. “This standard is future-looking.” This is a change over how payments have evolved in the past, he says. “Very often, we try to retrofit old security practices with new technology. But we need to be as innovative with security so that our protections can address modern threats and do not become a laggard for the next generation of payments.”

The release of the standard will facilitate the exploration of “new ways we can innovate the technology,” says Leach, “to make payment data more secure for merchants.”

Christine Umbrell is a contributing writer to Transaction Trends. Reach her at [email protected].