An Open Letter About PIN on Glass

by David Roberts

To whom it may concern,

I have serious concerns regarding the new payment standard, known by a variety of names: PIN on Glass, PIN on Mobile, or Software-Based PIN Entry on Commercial Off-The-Shelf (COTS) Devices.

Whatever name it is given, it seriously contravenes the European Accessibility Act for blind people and contravenes the human rights of partially sighted people.

A similar system, as used by the Commonwealth Bank in Australia, is currently in the courts there, as it basically prevents partially sighted and blind users from conducting transactions safely when using their credit and debit cards.

I’ve become increasingly concerned over recent months and reported the new standard to RNIB and euroblind, both of whom have promised to investigate.

The new payment standard enables a smartphone or tablet to be used as a credit card payment device. It replaces the standard payment device, which has a raised ‘pip’ over the central button to guide a blind person, with a ‘software only’ app that runs directly on a mobile phone or tablet. The new system requires the user to enter their PIN directly onto the glass.

It’s a technology-led initiative, supported and backed by Visa and Mastercard and the payments standards organisation called PCISSC, with little regard for accessibility laws.

Since encountering these devices (they’re currently on trial in the UK by the company Square and soon to be by the company myPINpad), I have investigated further, and am even more concerned that the new standard has some deep security flaws that disproportionately discriminate against blind people.

PIN on Glass leaves the customer’s fingerprints on the glass – leaving a trail of where their fingers have been and exposing the 4 digits used for their PIN. This is of concern to ALL consumers but especially blind or partially sighted people, who will find it difficult to see that they may have left an imprint of their PIN.

My understanding is that it’s currently the responsibility of the customer to prove that they haven’t disclosed their PIN to a third party (such as the retailer). So, in this situation, the consumer would be liable for any fraudulent use of their card.

Also, as the payment device can be anyone’s mobile phone or tablet, it could easily be fitted with spying software, or even a case that has a PIN-bugging device implanted. This would be a problem for all consumers but particularly difficult for sight-impaired people to see. It’s currently not clear how the new standard protects the consumer from such an event! For example, if fraud occurs via this method of PIN capture, who would pay out?

The new standard must be stopped as it discriminates against the blind and partially sighted. It will be the consumer’s responsibility to argue with their bank, not with the organisations responsible for setting the new standard, but I guess they’re quite happy to allow this to go along and to deploy as long as it has the support of Mastercard and Visa – as they can claim to be ‘cutting edge’ and ‘technically progressive’.

Yours sincerely,