Does PIN-on-glass need a more secure screen?

Register now

Even if the use of PIN hasn't garnered much momentum in the U.S. beyond debit, it is an authentication technology that's not going to go away anytime soon.

MagicCube is betting PIN will not only be common for years to come, but also become more of the authentication method of choice as the company strives to make PIN on glass a secure option that will work on any screen to make purchases or assure identity.

Software PIN pads could be compromised by man-in-the-middle attacks that intercept the PIN after it's typed. Santa Clara, Calif.-based MagicCube has technology that basically positions itself "in the middle" to block hacking attempts. Its MC-Screen Shield software cryptographically secures a screen, in part, through use of the virtual chip and cloud-based server it has used for its MC-Token Shield.
"We are not in the merchant business or acquiring business, we are not trying to be the next Ingenico or Verifone," said MagicCube CEO Sam Shawki. "Our aim is to create technology that solves the science problem of converting a piece of hardware into software. It's been done with voice-controlled hardware, so it should be done with touchscreens."

That type of science is of keen interest in the payments industry at the moment, as Square has forged ahead with PIN on glass acceptance in Australia, Visa continues to test the technology and the Payment Card Industry Security Standards Council is preparing to deliver standards for software-based PIN acceptance by the end of the year.

It's unclear whether MagicCube's work regarding mobile PIN acceptance may eventually lead to more PIN use in the U.S. Much of the debate in the U.S continues to center around network preference of PIN vs. signature authorization, a conflict that could shift if PIN is enabled on more devices.

MagicCube is hoping to have an effect on that debate through its technology.

"PIN expansion can occur when merchants can free themselves from the expense of dedicated hardware," Shawki said. "PIN is going to happen in the U.S. and it is going to come to credit, and over time we will get away from the silliness of signature."

Still, MagicCube is not positioning itself as anything more than a software option for retailers to consider adding to their own apps and payment methods. And, most importantly, being a layer of security beneath a screen that a human being may be touching for authentication.

"Our intention is to declare a science victory from a physical standpoint," he said. "Instead of just adhering to PCI, which of course we want to do, we want to say you can take this to any security lab and try to get the PIN off of it (to prove it works)."

Once it is proven as a reliable security method for authentication, it will be a "huge step up for physical devices," Shawki added. In that regard, Shawki envisions M-Screen Shield at work on screens for smartphones, tablets, appliances, automobile dashboards, TVs and any other type of Internet of Things devices needing the identity of a person prior to completing a task or a transaction.

The economics of a move to PIN on glass also makes sense for merchants and the card networks because it would increase the number of potential POS devices dramatically, thus increasing transactions, Shawki said.

Any advancement in PIN on glass also provides momentum behind mobile's ability to deliver card-present transactions remotely, as occurs with Apple Pay, Samsung Pay and others.

"One of the things we don't talk about as much is that once you can secure the PIN physically and get approvals from a remote payment, you can get to card-present rates remotely," Shawki added. "It's a Holy Grail that says you can secure a payment remotely to get it to card present. The effect on the economy would be huge, especially for small merchants."

The economy of PIN on glass already has the attention of merchants and payments companies, said Richard Oglesby, president of AZ Payments Group and a senior analyst at Double Diamond Payments Research.

"PIN on glass is generally a cheaper way to get PIN at the point of sale," Oglesby said. "What you are really doing is enabling PIN at a whole variety of POS options without having to attach an extra PIN device to it," he said of MagicCube's efforts. "That's great for those markets using PIN for debit and credit."

The cost of separate PIN devices in Europe can be as high as $120, Oglesby said. "It's not just the cost, but you have to carry that device around with you, and it can be like carrying around two separate mobile phones."

In addition, the advancement of PIN on glass bodes well for the security of e-commerce.

"We have to increase security with new systems and new approaches, obviously, in the wake of Equifax and other breaches," Oglesby said. "Is PIN on glass going to be a solution long-term? Probably not, but it is the most common solution today and it can get into market fairly short term."

MagicCube may have to wait on PCI and the card networks to establish the guidance for PIN on glass before going full tilt in making its software available to merchants, but it wants businesses and retailers to be aware that the technology exists.

"Partner with us now," Shawki said. "Build what you envision and take it with us to the labs and work with the card networks to determine what it would take for them to allow you to do this."

Waiting for PCI or any other specific standards could create a delay of a year or more in technology development within a company, Shawki estimated.

"The networks have actually been doing a great job with everyone in sharing specs, so the onus is on the actual builders of these screen devices," he added. "If you wait too long, the technology is suddenly all behind you and passed you by."

For reprint and licensing requests for this article, click here.
Digital payments Mobile payments Hacking Retailers