'PIN on glass' won't easily crack the U.S. market
Square Inc.'s addition of mobile chip-and-PIN in the U.K. and Australia markets is setting a precedent that some in the U.S. are loath to follow.
The technology, called mobile PIN or "PIN on glass" because it allows the consumer to enter a PIN on a touchscreen through the Square app that communicates with the card reader, is being deployed and tested in markets in which PIN transactions are common.
The U.S. remains a country in which few consumers favor a PIN for debit transactions, and a PIN is rarely invoked for for credit card transactions. Square says its advancements in mobile PIN have helped restore the company's financial bottom line, laying a foundation for the technology's adoption in the U.S. market.
PIN on glass may appease U.S. merchants that have argued against investing in physical PIN pads at the point of sale. But overall, the card brands don't see as much clamoring for PIN technology because it is not rooted in past payments regulations or mandates. U.S. merchants wonder why the card brands and Payment Card Industry Security Standards Council would support mobile PIN in foreign markets, yet prefer signature authorization in the U.S.
There's some payments industry politics at play here as well, said Steve Mott, principal of the consulting firm BetterBuyDesign.
"The concerns about this development has to do with the broader issue of Visa's obsession with dumping ATM PIN-debit, which continues to unproductively boil on," Mott said. "In the U.S., electronic funds transfer PIN-debit is the only source of competition Visa and Mastercard have, and that source of competition keeps debit pricing low and exists as a long-shot threat to apply to credit cards."
But other countries — including Australia with its EFT-POS service, which passes interchange to the acquirer — also represent unsettling modes of competition for the card brands, Mott added. "So PIN remains a global threat to the network brands."
As a way to get the banks and their merchant POS systems on board with the new technology to counter Square, Visa's mobile PIN pilot program in Australia "aims to test these new applications against Visa's PIN on Mobile Security Requirements, which are a comprehensive set of security controls that participating acquirers and mPOS providers must follow," Visa said in a statement issued to PaymentsSource.
"As new solutions such as mobile chip-and-PIN are developed, Visa works with the local industry to address unique market dynamics, while continuing to drive new ways to pay and be paid. In all cases, the security standards Visa develops globally benefit both consumers and the ecosystem," the card network stated.
Visa expects its testing in those markets to continue through next year.
Mastercard declined to respond directly about the PIN on glass developments, saying it has been consistent in its support of merchant choice, while also predicting future technology will render PIN moot. Mastercard has aggressively moved toward biometrics, including its "Selfie Pay" facial recognition system for online authentication.
In its role as a standards and security guidance body, the PCI council will receive information from Visa about its tests as the council continues to move forward with development of new standards for software-based PIN.
"This is in addition to other PCI security standards that already apply to 'PIN on glass' technology by addressing glass devices like tablets and other touchscreen-based devices that are dedicated for mobile payment acceptance," Troy Leach, chief technology officer at PCI, said in a recent blog post on the topic.
It's a standard that PCI would like to have in place by the end of the year.
All of the movement toward standardizing the technology isn't likely to result in a dramatic change in transaction authorization in the U.S.
"Visa and Mastercard drive PCI policy, and the two-factor authentication makes complete sense in Australia," said Mark Horwedel, CEO of the Merchant Advisory Group and an outspoken advocate of chip-and-PIN in the U.S. "It is far better than the signature we are doing here with our fingers on pads. It is unbelievable to think that is a strong authenticator."
Years before the U.S. migrated to chip cards to eliminate the use of fraud-prone mag stripe cards, Visa generally stated that chip and signature would make for an easier transition for merchants and consumers alike, while Mastercard spoke more often about the support of PIN, but inclined to leave it to merchant choice.
"Visa will never admit to the hypocrisy of chip and choice in the U.S., while really favoring signature, versus fostering the use of PIN somewhere else," Horwedel said. "What it really boils down to is they have a signature debit product in the U.S. they want to push volume to."
Last year, Walmart made that very point in a lawsuit accusing Visa of forcing the retail giant to accept signature debit transactions over its preference of PIN for stronger security.
While PIN on glass represents another technology to help specific markets more easily accept and route PIN transactions, the U.S. remains a bit of stumbling ground in EMV transaction routing, BetterBuyDesign's Mott said.
"In the U.S. we are still struggling to deploy a consistent, effective and efficient common application identifier (AID) that enables compliance with Durbin, as there are more than 140 different POS systems out there implementing that identifier in an individual way," Mott said.
The common AID was established four years ago by the networks to comply with Durbin amendment mandates in the U.S. calling for merchant choice of at least two different networks for routing EMV debit transactions.
The Visa and Mastercard strategy appears to be to "let the U.S. payments system thrash with EMV, while promoting contactless, which gets a free ride from EMV terminalization, as it has in other countries," Mott added.