The card networks' embrace is a welcome boost for 'PIN on glass'
Imagine taking a regular smartphone and turning it into a payment acceptance device with a simple app download.
That’s the utopian dream many companies are chasing today and it could bring huge benefits to the payments ecosystem, merchants and consumers as card and mobile payments continue to grow.
For small transactions, accepting a payment could work in much the same way as traditional terminals do for contactless card or mobile payments; using the RF/NFC rails with no need for an additional PIN pad or external device. For larger transactions, the security of the transaction needs to be strengthened by enabling PIN entry on the mobile device itself. This is commonly known as PIN-on-mobile or PoM, as Visa and Mastercard have referred to it, or as PIN-on-glass.
Historically, if you look at the micromerchant space, where people are doing a few transactions a week or even month, they don’t want to spend a few thousand dollars on a full-blown POS or a few hundred dollars on a payment terminal. But accepting cards is increasingly important to maximize sales.
This makes micromerchants the ideal candidates for turning a regular mobile phone into a payment device. They deal primarily in cash so getting them to accept payments would open a new market to the card issuers. Additionally, micromerchants tend to process low-value purchases which typically have a low amount of fraud. When you also consider that as of April this year there were already 108.4 million contactless cards in circulation in the U.K. alone it’s no wonder the card issuers see this as a significant opportunity.
For further evidence of this opportunity, we can note how Visa and Mastercard have relaxed their stance on PIN standards, which have historically progressed hand in hand with PCI PTS (PIN transaction security) — an onerous, heavyweight, albeit important, security standard. The brands have always deemed PIN security important and there was a time when the notion of accepting a PIN on a consumer mobile phone would have been difficult to talk about, let alone get approved.
It’s possible that some of this willingness to evolve is being driven by the Asian market, where we see alternative and unique payment methods being adopted and becoming very popular. With the wide-scale adoption of mobile phones, and the use of NFC and QR codes for payments, the card brands most likely see a threat to their business model and, in a defensive move against potential disruptors, are wisely embracing the spirit of mobile.
There are obstacles to PIN-on-mobile. Let’s start with the technology. One of the biggest (and most obvious) challenges with mobile devices is that they’re insecure. iPhones and Android phones can be jailbroken/rooted. How can we make these devices secure or be confident enough that a consumer device can accept PIN entry?
Companies are working on a wide range of ideas and the winning formula will likely combine numerous layered security measures to limit the attack surface as much as possible. For instance, scrambling the numbers on a screen’s PIN pad makes it more difficult for malware to understand what tap on the screen corresponds to what number.
This, combined with measures like point-to-point encryption and utilizing the hardware security already present in many devices will also be key. We also see the success to payment tokenization for mobile payments being extended to cards as this would negate the effect of any malware on the device, rendering any data captured useless to fraudsters.
Additionally, the industry is still waiting for data from trials that will reveal how customers perceive this change. We can invent all the technology we like, but if consumers don’t feel safe, don’t know how to use it or it’s too radical, the project will end before it begins.
Finally, such a move can be frightening to the companies involved. Encouraging shoppers to enter sensitive information on standard consumer devices may have huge benefits, but the first time someone compromises it, it’s going to be toxic news that will harm reputations.
Fundamentally, close collaboration is essential to the successful future of this technology. We need to look very closely at the data from the trials in Australia, Poland and the U.K. to identify the best route forward, the potential security challenges and consumer attitudes. Larger trials can then follow. It is important to remember, though, that this technology will be subject to all manner of attacks, both ethical and otherwise.
So, it is important that the industry learns from each of these and adapts quickly. Beyond the business opportunity, though, we’re all consumers ourselves and this shift is just another example of the continuous evolution of the payment technology industry. We can all appreciate improved ease of use and new functionality that enhances our daily lives. PIN-on-mobile is poised to do both, we as an industry just need to get it right.