BankThink

PIN on 'glass' and 'mobile' aren't the same. Too many merchants don't know that.

With more point of sale options available to merchants than ever before, it is important to unravel the confusion that has arisen around these new terms, and how each solution may best serve retailers' needs.

PIN on Mobile (PoM) and PIN on Glass (PoG) are two of the most commonly mislabelled emerging technologies. While the two terms are treated as though interchangeable, each has differing benefits and features. They also serve merchants in a different manner, so choosing the right one for a particular business is crucial.

PIN on Glass is the older of the two technologies. The term describes traditional payment terminals that have evolved from larger models operated with buttons to a touch screen interface. It is the touch screen, or glass-based capture mechanism, that PoG refers to. Crucially, this new generation of traditional payment terminals is expensive for merchants and doesn’t offer much in the way of added functionality over those with buttons.

Some PoG terminals, occasionally referred to as a smartPOS, are locked-down, purpose-built Android devices that are expensive to manufacture and restricted to one device.

Conversely, PIN on Mobile is one of the rising stars of the new generation of versatile payment solutions, offering merchants and retailers a cost-effective method of accepting card payments. Importantly, the terminals are designed to achieve the same security standards as those offered by traditional POS terminals.

A key advantage for businesses is the low implementation costs associated with PoM. PoM enables merchants to avoid paying expensive setup costs by using a Consumer-off-the-Shelf (COTS) device directly as a payment terminal. This is done through the use of a small piece of hardware (a Secure Card Reader) connected to the COTS device (a smartphone or tablet), enabling it to read the card chip. The consumer can then input their PIN directly into the device.

With lower overheads for the device, PoM is cost-effective. It is therefore more accessible for small or medium-sized businesses that are usually priced out of accepting card payments.

In addition to low implementation costs, PoM ensures that users are in safe hands with the recently launched Payment Card Industry Security Standards Council (PCI SSC) standard.

The PCI SSC’s new standard for software-based PIN entry on mobile devices ensures a universal gold standard for secure transactions via the payment technology.

When a consumer enters their PIN into the smartphone or tablet, MPES ensures that the PIN is isolated and protected immediately, as recommended by the latest PCI SSC standard for Software-based PIN Entry on COTS (SPoC). Because of this assurance, merchants can reassure their customers that they are able to pay for the goods or services securely, without worrying about their payment details being compromised.

With such solutions, merchants can benefit from the same high level of security offered by traditional POS equipment, without the same expense.

The Payment Card Industry Security Standards Council (PCI SSC) has a lot to say about the differences between PoG and PoM. When questioned if the two terms are synonymous, the Council gave an emphatic “no” in response.

The organization explained: “A SPoC Standard covers a software-based approach for accepting PIN as the cardholder verification method on a merchant-owned COTS device. The phrase “PIN on Glass” is often used generically regarding a variety of use cases, with the commonality simply being entering a PIN value on to a touch screen on a variety of device types.”

A SPoC Solution includes many elements that work together to ensure that the PIN is isolated from other sensitive data when accepted by a COTS device. These include a Secure Card Reader – PIN (SCRP), a PIN cardholder verification method (CVM) application, the merchant’s COTS device, as well as back-end monitoring and attestation systems.

It is the back-end monitoring and attestation systems that continuously monitor the entire solution and highlight when anomalous activity is spotted. They also ensure that the device hasn’t deviated from the baseline as a result of tampering, rooting, or a physical attack.

In other words, within a SPoC Solution, the merchant-facing COTS device is only one element of the entire solution, while a Point of Interaction (POI) device is generally a single device.

There are numerous hardware-based POI devices that are PCI PIN Transaction Security (PTS)-approved for PIN acceptance using a touchscreen or, in other words, PIN on Glass.

These POI devices are purposely built for payment acceptance, and, as such, care must be taken when using the generic phrase “PIN on Glass”. For example, a PTS-approved POI device that accepts PIN on Glass is very different from a SPoC Solution that uses a merchant-facing COTS device to accept PIN.

Demand for alternative payment solutions is higher than ever, and with so many new technologies emerging as a result, merchants should be aware of what is on offer. In particular, they should be clear on what services they each provide, and how they may best serve that particular merchant.

PIN on Glass and PIN on Mobile are two distinct technologies, each offering its own advantages. Each can, in its own way, meet specific merchant needs, enabling merchants to continue to meet their customers’ changing payment requirements.
