PCI's new PIN-on-glass standard targets a small-seller pain point

Developers of mobile point of sale solutions now have a path to build secure applications to support PIN entry on tablets and smartphones, following the Payment Card Industry Security Standards Council’s latest update.

The move specifies the requirements for allowing PIN entry directly on the mobile screen, so merchants can accept payments on their mobile device, paired with an inexpensive card reader, using a secure PIN entry application, the PCI SSC said in a Wednesday press release.

“The new standard allows for an alternative approach to secure PIN entry by isolating the PIN from other data and using a new robust set of security controls that extend beyond the physical hardware device itself,” said Troy Leach, PCI SSC chief technology officer, in the release.

The standard—expected since last year—could provide relief for some smaller merchants in markets that require EMV chip-and-PIN acceptance, who may have found the hardware to support secure mobile point-of-sale solutions too costly, according to industry experts.

The standard enables providers to design complete solutions that actively monitor the service to block potential threats to the phone or tablet and ensure the security and integrity of the software-based PIN entry on the device, the PCI SSC said in the release.

The move benefits a relatively narrow slice of merchants that rely on PIN-based transactions in certain markets.

Square has advanced mobile PIN in markets including the U.K. and Australia, and Santa Clara, Calif.-based MagicCube has developed technology to harden security for screens accepting PINs, called the MC-Token Shield.

“Recognizing that innovation continues to happen at a very rapid pace, particularly in the mobile digital arena, the new standard helps enable our vision of every device as a secure acceptance device,” said Bruce Rutherford, Mastercard’s senior vice president of security standards and solutions, in an interview.
