Unpacking PIN on Mobile Technology
The world of payments is changing rapidly. There is growing demand from merchants, particularly small businesses and micro-merchants, to use their smartphones as payment terminals for Point of Sale (POS) payments. This has reshaped the model for payment acceptance, and with it the security requirements that acceptance has to meet.
Until recently, most POS card payments were taken on dedicated payment terminal hardware purpose-built for payments. Stationary POS terminals are still one of the most common ways to accept debit, credit, and mobile payments. Today, however, more and more merchants want to take payments on their own off-the-shelf phones.
This includes conventional mPOS technologies, which pair the phone with an external card reader and PIN entry device, but also newer SoftPOS applications where both card reading and PIN entry take place on the phone itself. Combining the phone's built-in NFC reader with a SoftPOS application gives a secure and frictionless way to accept contactless EMV cards and mobile wallets.
Supporting "PIN on mobile" requires a dedicated security design.
What is PIN on Mobile?
Not to be confused with PIN on Glass, which refers to PIN entry on the touchscreen of a PCI-approved payment terminal, PIN on Mobile is the term used for PIN entry on a consumer-grade smartphone. The key difference is the device accepting the PIN: in PIN on Glass it is a purpose-built, PCI-certified terminal, whereas in PIN on Mobile it is a commercial off-the-shelf (COTS) device that has not been through that certification. PIN on Mobile is therefore a software-based PIN implementation with its own set of security requirements. Because the PIN is entered on an uncertified device, a software-based PIN entry process that satisfies the PCI requirements has to protect the PIN from entry through to validation.
What solutions require mobile PIN?
There are two main use cases for PIN on mobile.
The first is mobile Point of Sale (mPOS), in which an external card reader accepts the card and the mobile device serves as the acceptance point for the PIN.
The second is the emerging SoftPOS model, in which a consumer-grade mobile device accepts both the card and the PIN. The phone's NFC reader reads the card chip, and software on the phone authenticates, encrypts and conducts the transaction. SoftPOS is the evolution of mPOS, offering a truly mobile solution with no external hardware or dongles.
Software-based PIN Entry on Commercial Off-the-Shelf (COTS) Devices
The reference standard for PIN on mobile security is the PCI Security Standards Council's Software-based PIN Entry on COTS standard, or "SPoC" for short. Central to it is the requirement that the PIN be isolated and protected from the moment it is entered on the COTS device.
The SPoC standard helps assure the security of new mobile Point of Sale technologies, enables merchants to lower their costs, and gives customers greater assurance when entering their PIN.
The growing acceptance of PIN on mobile is a promising development for the payment industry, creating an opening for innovations in card payments on consumer-grade mobile devices.