PIN on Glass: A New Frontier to Explore in Payments Technology
By Jacqueline Cremos, Manager, Industry Affairs, ETA
In January of this year, the Payment Card Industry Security Standards Council (PCI-SSC) released its much-anticipated standard for software-based PIN entry on commercial off-the-shelf devices – known colloquially as “PIN on Glass.” Under this new standard, merchants can accept PIN transactions on a mobile device like a smartphone or a tablet, without having to set up a standalone, dedicated PIN pad or other PIN entry device. With PIN on Glass, a merchant can simply download a software application onto their mobile device, instead of purchasing and installing a separate device whose sole purpose is to accept payments.
Many in the payments industry expect that this new technology will enable more small and micro-merchants to accept PIN transactions. Authenticating a transaction with a PIN, as opposed to a signature, is widely considered to provide more robust protection against fraud. And so, PIN on Glass will allow smaller merchants – sometimes called “long-tail” merchants because they tend not to adopt new payments technologies as quickly – to reap more of the security protections of the payments ecosystem. Indeed, PIN on Glass may even drive more merchants to accept cards and digital payments, by offering advanced security at a lower cost than before.
However, not everyone views this standard in the same positive light. Software-based PIN entry introduces new vulnerabilities that must be addressed. Commercial off-the-shelf (COTS) devices are not designed to accept payments; furthermore, they are designed to “talk” to other devices – and so are more open to interception. Additionally, the software itself must be secured and thoroughly tested. The PCI standard aims to address some of these issues by emphasizing a few core principles, including isolation of the PIN from the Primary Account Number (PAN) and other cardholder data, ensuring the security and integrity of the PIN entry software application, active monitoring of the software, and requiring a Secure Card Reader for PIN (SCRP) to encrypt and maintain the confidentiality of the account data. Additionally, PIN on Glass transactions are restricted to EMV contact and contactless transactions.
ETA has taken an active role on this issue by bringing industry stakeholders together in a working group to reach consensus, providing input to PCI during the development of the final standard, and educating our members about all aspects of the issue. We published a feature on Next-Gen PIN on Glass in the September/October 2017 issue of Transaction Trends. We hosted a session at TRANSACT 18 on the challenges and opportunities presented by the PIN on Glass standard, looking at the deployment of PIN on Glass in European markets as well as the PCI standard and its implications for the US market.
And on Wednesday, November 14, ETA will host a webinar on “New Frontiers in Secure Commerce: PIN on Glass” featuring speakers from Square, Verifone and Coalfire. Registration is complimentary for ETA members and $99 for non-members.