Smartphones make it easy for small merchants to accept card payments, but safety can be an issue. If merchants could securely accept PINs via mobile apps, they could replace weak, signature-based verification with more robust PIN-based verification. According to Payment Card Industry Data Security Standard’s CTO Troy Leach, secure PIN on Glass for merchant smartphones is possible — so long as merchants and solution providers follow key principles. In the October mPOS Tracker, Leach explains PCI’s new standard.
Consumers know what they want — and how they want to pay for it. They want to use the payment methods with which they’re accustomed. This puts pressure on small and medium-sized businesses (SMBs) to find ways to accept those methods in a mobile POS format or risk losing a sale.
Businesses must also handle payments securely, without creating a checkout line that deters potential customers. Small operations need to do it all on a budget, too, preferably without requiring expensive or complex mPOS equipment.
These needs are spurring a growing group of SMBs to consider new ways to accept payments, and to seek guidance on best practices for keeping those methods secure. No business can afford to take a gamble on customer safety or trust, after all.
The Payments Card Industry Security Standards Council (PCI SSC) is responding to that problem — and to requests from merchant associations, payment processors, solutions vendors, card networks and others — by developing standards that ensure reasonable security with two options: software-based PIN entry and contactless, both on merchants’ commercial off-the-shelf (COTS) devices.
“These [methods] existed in the industry [but] there were no standards to set any baseline level of security,” Troy Leach, PCI SSC’s chief technology officer, recently told PYMNTS. “So, stakeholders asked the PCI Council to level-set what would be an appropriate level of security criteria.”
Created in 2006 by card schemes, the organization develops, but does not enforce, standards to keep debit and credit card transactions secure through all process stages. In his interview, Leach explained the thinking behind the recently-released standard for software-based PIN entry on COTS devices (SPoC), and the upcoming standard for accepting contactless payments through the same.
Push for New Payment Methods
Weak security can mean big costs for merchants, so some SMBs are hoping to move away from using signature-based identity verification. It’s easy for fraudsters to steal a physical card, present it for in-store payments and sign with a scribble, all without the merchant realizing fraud has been committed — until the chargeback hits, that is.
In contrast, PIN entry verification requires knowledge that can’t be faked. Small and on-the-go merchants need a low-cost way to accept such payments — one that doesn’t require buying expensive and bulky POS systems.
That’s led to interest in PIN on COTS devices, allowing customers to enter PINs on merchants’ general-purpose mobile devices during payment. The average consumer may not be eager to type his or her sensitive payment information into the smartphone of a random food truck vendor on the street, though, meaning security standards are essential to helping put their fears to rest.
Merchants are also demonstrating interest in accepting contactless payments on their devices, allowing customers to speed through checkout lines without having to dip their cards and wait for approval.
PIN on Glass for COTS devices
Payments requiring PIN-based verification have traditionally meant having customers enter their PINs on a physical PIN pad, such as a separate device connected to merchants’ smartphones or tablets. This enables said devices to securely process payment information and remain isolated from the weaknesses on merchants’ smartphones.
Demand for COTS devices and smartphone payments has since upended the model, and smartphone-powered payment acceptance challenges abound. Merchants might install apps that give third parties access to their devices, potentially making them more exposed to attacks than a unit solely dedicated to payments acceptance. Additionally, the wide range of available smartphones makes it difficult to design and implement a one-size-fits-all solution to address the unique characteristics and risks of varying mobile environments.
Still, the PCI SSC couldn’t ignore the need and interest in such a solution. In fact, Leach said it received more than 1,500 responses during its three open comment periods in the SPoC Standard development process — far more than ever before.
“What’s unique about that standard is that, for the first time, we’ve allowed for the PIN to be entered into this type of environment, while, for decades, it has been required to be entered in a dedicated payment environment, typically on an encrypted pin pad,” he noted. “This is a new approach.”
Securing that entry type meant ensuring that PINs and sensitive information are kept separate. A customer who enters his PIN into an app on a merchant’s device wouldn’t also enter his account number under the SPoC Standard. Instead, his account information would be collected and encrypted using an external, secure card reader. The regulation also requires that transactions be made with EMV chip-enabled payment cards, not magstripes.
Additionally, because there’s no guarantee that merchants’ smartphones will remain secure, merchant partners, such as solutions providers, must have a robust monitoring system capable of continual, real-time device environment evaluation to detect suspicious activity.
“A mobile device is inherently not to be trusted, because you have all these different applications and third parties that typically have general access to [them],” Leach said.
Contactless on COTS
The PCI SSC is also evaluating security considerations with contactless payment acceptance on merchants’ COTS devices, with a standard expected to be released in mid- to late-2019. This would likely involve similar backend controls required in the SPoC Standard, according to Leach, as PCI has found strategies for applying security to the wide, ever-changing range of mobile devices.
“Those types of base-level requirements — like isolating information, encrypting the data and having sophisticated monitoring of the environment of the data — are the best mechanisms for protecting an environment that we know is very difficult by itself to secure, simply because there are an exponential number of instances of each mobile device,” he said. “It would be nearly impossible for us to write a standard [because] the standard itself would become obsolete before the ink dried.”
Whether through dedicated electronic PIN pad hardware, PIN entry via smartphone app or any other method, merchants face the same core payments security principles: using encryption, regular monitoring, keeping technology up to date and, of course, carefully following any other steps of the relevant standard.
After all, long lines or limited payment method acceptance can create added costs for merchants, but few things turn customers off like unsafe payments experiences.