Getting to Grips with “PIN on Mobile” Versus “PIN on Glass”

Card payment acceptance

Consumers are carrying less cash than ever before. This poses a challenge for the five million small merchants in the UK that are still unable to accept card payments. They risk losing sales as cashless consumers often abandon their shopping if the merchant is unable to accept card payments.

This issue has spurred a lot of competition to deliver a new generation of versatile payment technologies. However, with many new solutions coming in to the payments market confusion has crept in regarding terminology and the benefits of different technologies.

Pin on Mobile  and PIN on Glass are not the same:

A case in point is the conflation of the terms “PIN on Glass” (PoG) and “PIN on Mobile” (PoM). I often see the terms incorrectly treated as synonyms, as if the technologies they describe are essentially the same thing – which they are not.

PoG and PoM are distinct technologies, with their own features and benefits. Failure to understand the differences between them could mean merchants may not get the payments solution that is right for their business.

What exactly is the difference between PoG and PoM?

PoG describes the evolution of POS technology and has been around for a long time – traditional payment terminals that have developed from buttons to a glass-based capture mechanism (i.e. a touch screen). These traditional PIN on Glass solutions are expensive and offer no additional functionality when compared to traditional button-based POS devices.

Some PoG terminals, sometimes referred to as a smartPOS, are locked down hardened Andriod purpose-built devices that are expensive to manufacture and restricted to one device.

PIN on Mobile, however, is an innovative technology designed to offer merchants a cost-effective avenue to card payment acceptance, whilst delivering the same security standards of a traditional POS terminal. PoM enables merchants to use a Consumer off-the-Shelf (COTS) device, such as smartphones and tablets, instead of expensive specialist POS terminals. With PoM a consumer inputs their PIN directly in to the merchants COTS device, with just a small additional piece of equipment to read the card chip (Secure Card Reader). This is more cost-effective than a traditional terminal, resulting increased SME adoption. 

How secure is PIN on Mobile?

In addition to low implementation costs, PoM offers fantastic security credentials. The recently launched PCI SSC standard for PoM, ensures a universal gold standard for secure transactions via PoM. MYPINPAD’s PIN Entry solution (MPES) is a great example of a secure, PCI SSC-compliant PoM system. MPES ensures that, when the customer’s PIN is entered in to the phone or tablet it is isolated and protected immediately – as recommended by the latest PCI SSC standard for Software-based PIN Entry on COTS (SPoC). As a result, merchants can ensure that their customers are able to pay for their goods or services securely, without worrying about their payment details being compromised. With such solutions, merchants can benefit from the same high level of security offered by traditional POS equipment, without the same expense.

The PCI SSC point of view

PCI SSC has a lot to say about the differences between PoG and PoM and has responded with an emphatic “no” to questions about whether the two terms are synonymous.

Commenting on the question and referencing its SPoC standard, the organisation stated: “A SPoC Standard covers a software-based approach for accepting PIN as the cardholder verification method on a merchant owned COTS device. The phrase “PIN on Glass” is often used generically regarding a variety of use cases, with the commonality simply being entering a PIN value on to a touch screen on a variety of device types.” 

A SPoC Solution includes an SCRP (Secure Card Reader – PIN), a PIN CVM application, the merchant’s COTS device as well as back-end monitoring and attestation systems. These elements all work together to ensure the PIN, accepted by a software application on the COTS device, is isolated within the COTS device from other sensitive account data. The back-end monitoring and attestation systems continuously monitor the entire solution for anomalous activity and to ensure The solution has not deviated from the baseline through tampering, rooting or physical attacks. In other words, within a SPoC Solution, the merchant-facing COTS device is only one element of the entire Solution, whereas a POI device is generally a single device. 

There are numerous PCI PTS approved hardware-based point of interaction (POI) devices for acceptance of PIN using a touch screen (i.e., “PIN on Glass”). These POI devices are purposely built for payment acceptance. Therefore, care must be taken when using the generic phrase “PIN on Glass”, as, for example, a PTS-approved POI device that accepts PIN on Glass is very different from a SPoC Solution that uses a merchant-facing COTS device to accept PIN.”

Improving understanding

Hopefully, this sheds some light on the key distinguishing features of these two very different pieces of technology. Each offers its own benefits to meet specific merchant needs and enable them to continue to meet their customers’ changing payment requirements.

If you need support determining which is the most appropriate for your business, please don’t hesitate to get in touch – info@mypinpad.com

Click here for the latest on the PCI SSC’s standard, Software-based PIN Entry on COTS (SPoC)

By David Poole, Global Head of Mobile POS Solutions, MYPINPAD