PCI Council Enables Mobile PIN but Ignores the Biometric Future

by Tim Sloane


Merchants and networks are eliminating authentication techniques, including signatures and PIN, while the PCI Council announces a plan to enable PIN on mobile devices, a less convenient solution for a transaction where convenience is everything. While PCI may be looking backwards, at least it made an attempt. EFT debit networks appear to be frozen into inaction. Their response has been to eliminate PIN, which solves the convenience issue, but fraud is now increasing rapidly on EFT debit transactions (perfect!):

“Last month the PCI council announced the development of a new standard for software-based PIN entry on commercial off-the-shelf (COTS) devices. The concept behind this was one of permitting secure PIN-based applications and card readers to work with a mobile device, utilizing a back-end system for transaction monitoring and processing.

This week Infosecurity attended a presentation by MyPinPad featuring speakers from across payment security and retail technology. The theme was based around the fact that it’s been 12 years since the roll-out of Chip and PIN, and how the development of mobile-enabled payments has enabled more merchants to offer payments in instances where only cash or cheques would have been accepted in the past.

Jeremy King, international director of the Payment Card Industry Security Standards Council (PCI SSC), said that in instances such as local social clubs or outdoor festivals, those vendors offering mobile payments saw the most business. Therefore there was a need to determine a secure and practical solution to enable mobile payments, and the first draft of its new standard was published in January.

This could take most of 2018 to come to light, as King admitted that the validation program documentation is expected in Q2, and it would be the end of 2018 before any approved solutions are released for merchants to use.

The concept that the PCI SSC has developed works around encrypting data so that it is never in plain text, using an application on the phone from which the data is sent to a back-end system and then to a processor, which will see it as a standard chip and PIN transaction.”

If the credit networks get 3D Secure upgraded to effectively support biometric data, then the PIN is dead. What will be left is a fight for transactions based purely on pricing, and nobody has ever won a race to the bottom.

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
