Big changes are on the horizon for merchants and retailers who depend on mobile point-of-sale systems. In January 2018, the Payment Card Industry Security Standards Council (PCI SSC) announced “a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets.”
While this is an important step toward addressing the dominant role that mobile now plays in our business environment, the update has raised many questions for consumers about PCI and the mobile PIN.
Understanding PCI PIN on COTS
To know how to talk about PCI PIN on COTS with your customers, it’s important to first understand a bit of background. In the age of data breaches and identity theft, the PCI SSC has been taking measures to better secure consumers’ sensitive data. This is what prompted the shift from magnetic stripes and signatures towards EMV® (aka chips) and PINs.
In the U.S., we were slower to transition to EMV-based cards but adopted the PIN cardholder verification method (CMV) early on. Since magnetic stripe cards are easy to clone, card security was focused on protecting the PIN. Simply put, the PIN was the only “secret” that secured the transaction, and so, dedicated PINPad devices were designed to protect the PIN and separate it from the card’s information.
Today’s transactions differ because of the widespread use of EMV cards, whose chips encrypt the account information. This makes the card nearly impossible to clone, and it turns the PIN into a second “secret” securing the transaction instead of the only one. That shift is what has made it possible to accept PIN transactions on devices such as smartphones and tablets.
Is It Secure? Talking with Your Customers
Consumers may be hesitant to tap their PINs into your COTS device because they’re concerned that the smartphone or tablet could have an application or virus running in the background trying to steal their PIN. Here’s what they need to understand.
There are four main components to a PIN on COTS system.
1. The PIN CMV Application is the program on the smartphone or tablet that accepts and processes the PIN.
2. The Secure Card Reader-PIN (SCRP) is the physical device that attaches to the smartphone or tablet to read the EMV card.
3. The payment and PIN processing backends adhere to the same standards as a traditional PIN-based transaction.
4. The Monitor System runs constantly in the background, checking for software tampering of both the application and the device itself.
When a customer inserts his or her EMV card into the SCRP device, the card is read and encrypted immediately, so the card’s sensitive data cannot be read by any potential third party. When he or she then enters the PIN into the CMV Application, those digits are encrypted as well. This matters because neither the customer’s PIN nor the card’s information can be deciphered, even if they were intercepted.
Additionally, the software security standards for the CMV Application and the Monitor System go well beyond the requirements for traditional PINPads. The process is specifically designed to combat fraud.
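To make the Monitor System component concrete, here is an added illustration (not code from the PCI SSC, the standard, or any vendor SDK) of one thing such a monitor does: comparing the installed application files against a known-good manifest so that a modified, added, or missing file is reported. The directory layout, file names, and manifest format are hypothetical; a real PIN-on-COTS monitor also covers device-level checks and reports to a back end, which this example does not model.

```python
"""
Manifest-based application integrity check, in the spirit of the
"Monitor System" described above. Added example; paths and file
contents are constructed for the demonstration.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir: Path) -> Dict[str, str]:
    """Known-good manifest (relative path -> SHA-256), captured at release time."""
    return {
        p.relative_to(app_dir).as_posix(): sha256_file(p)
        for p in sorted(app_dir.rglob("*"))
        if p.is_file()
    }


def check_integrity(app_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Return findings for modified, unexpected, or missing files; empty means clean."""
    findings: List[str] = []
    seen = set()
    for p in sorted(app_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(app_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            findings.append(f"unexpected file: {rel}")
            continue
        # compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(sha256_file(p), expected):
            findings.append(f"modified file: {rel}")
    for rel in manifest:
        if rel not in seen:
            findings.append(f"missing file: {rel}")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: check a clean install, then the same install after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "pin_cmv_app"          # hypothetical app directory
        (app / "lib").mkdir(parents=True)
        (app / "main.py").write_bytes(b"print('accept PIN')\n")
        (app / "lib" / "pinentry.py").write_bytes(b"def read_pin(): ...\n")
        manifest = build_manifest(app)
        clean = check_integrity(app, manifest)

        # Simulated tampering: one shipped file altered, one unknown file added.
        (app / "lib" / "pinentry.py").write_bytes(b"def read_pin(): pass  # altered\n")
        (app / "lib" / "hook.so").write_bytes(b"\x7fELF")
        tampered = check_integrity(app, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install:", clean or "no findings")
    print("after tampering:", tampered)
```

The manifest must come from a trusted source (embedded at build time or fetched from the back end), since a check against a manifest stored alongside the files it protects can be rewritten together with them.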
Terminology Quick Reference:
• COTS Devices – Commercial-off-the-shelf devices (such as smartphones & tablets)
• PCI – Payment Card Industry
• PCI SSC – Payment Card Industry Security Standards Council
• PCI PIN – A Payment Card Industry standard that sets the requirements for the secure management, processing, and transmission of Personal Identification Numbers
• EMV® – A payment standard that implements cryptographic authentication, commonly referred to as a “chip” payment card.
• CMV – Cardholder Verification Method, or the method of authenticating a cardholder during a transaction, such as signature, PIN, or fingerprints
• SCRP – Secure Card Reader-PIN or the PCI-compliant physical card reader