When the PCI Council, the group that needs to sign off on all payments from Visa, Mastercard, American Express, and Discover, approved last week (Jan. 24) allowing PINs to be entered into smartphones and tablets, it was a huge game changer for both payments and mobile.
Before we delve into the payments implications, let's be candid about what PCI has done. It is allowing the most sensitive part of a payment card transaction — the PIN authentication — to happen on a device that even the council's own new regulation acknowledges is highly dangerous and unstable.
Consider this comment from the standard itself:
"There are individual components of a software solution where there is limited control — for example, the underlying mobile device hardware platform and operating system. Given that these are COTS [mobile] devices, there is an assumption that these components — e.g., COTS operating system, configuration of hardware components of a phone, etc. — are unknown or untrusted. It must be assumed that an attacker has full access to the software that executes on any unknown or untrusted platform, where that software may be a binary executable, interpreted bytecode, etc., as it is loaded onto the platform."
In other words, on the Apple side, there are many different handsets out there, with a far larger number of operating system versions. And on the Android side, you have the same OS variables with an order of magnitude more handset options from lots of different handset manufacturers. So, yes, from a security standpoint, that's a pretty untamed jungle of potential security holes.
Even with all of that, PCI had little option but to accept the realities of today, which is that mobile is dominating everything.
Change will have a big impact on merchants
On the payments side, this seemingly minor change will have a huge impact on merchants because of how it rips up payments cost structures, especially outside the U.S.. In the U.S., this change — for now — is overwhelmingly limited to debit card transactions, which use a PIN. Most other places in the world have chip and PIN rather than the American chip and signature.
Even the U.S. is giving up on signatures as of April. No word yet if we'll close that loop and make the move to PIN authentication for credit card transactions, as does much of the rest of the world. The ultimate security move is to accept biometrics (finger or facial scan, most likely), but given that biometric mobile payments such as Apple Pay still have a tiny sliver of the payments in the U.S., the rational move is to opt for PINs for the next decade or so. But given that logic and payments rarely agree, we'll have to wait and see what happens.
The big change is that merchants — especially smaller merchants — will no longer need to pay for a typical hardware-based POS system and card dip mechanism. That can now all be handled by a mobile device with a chip-reading dongle. For some merchants that have held off accepting payment cards because of the hardware costs, this could make a huge difference.
"Many PIN standards today are more for the traditional POS terminals," said Troy Leach, the PCI Council's chief technology officer, in a phone interview with Computerworld. "This is the first time ever [that PCI has] promoted a secure software PIN entry."
"This will open up MPOS worldwide in a way we've never seen. It's absolutely groundbreaking for micromerchants" who process "less than [the equivalent of] $50,000 U.S. a year," said Todd Ablowitz, CEO of the Double Diamond Group.
Ablowitz argued that the costs and fees involved in payments make adding a PIN pad — along with its PCI certification — unacceptable for many non-U.S. micromerchants, which have always struggled with chip and PIN. "In a place where PIN is mandatory, micromerchants have been left out," he said.
Details about the PCI Council's decision
Let's drill into what the PCI Council has done. Merchants that have already made the move to EMV — and EMV full acceptance is a prerequisite for mobile PIN under the new PCI rules — are now permitted to move the PIN acceptance mechanism to a merchant's mobile POS offering. (To hear these details in the council's own words, we'll start with few details — the council's news release — to more details [the council's surprisingly helpful Q&A] to full details with the actual requirements.)
The council has put in place some security to try to maintain the anti-fraud mechanisms of existing systems. For example, it has "introduced the requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies" the council said.
It is also adding "a requirement of software-based PIN entry [which] is that the account data is received and encrypted by a Secure Card Reader for PIN (SCRP) attached to the COTS [mobile] device. That is a new form factor that will be introduced within PCI PTS POI v5.1, which will be released soon."
Part of the magic here is the separation of the primary account number (PAN) from the PIN, at least initially.
"This isolation happens as the PAN is never entered on the COTS device with the PIN. Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction," the council said. "The standard requires that the PIN is further protected by the continuous monitoring of the environment to confirm the integrity of the PIN CVM Application that receives the PIN as well as for anomalies in the COTS environment."
Leach said in a statement on the PCI site that this separation effort is critical.
"A key security objective is to isolate the PIN within the COTS device from the account identifying information, which might be used in a correlation attack," Leach said in the statement. "A correlation attack occurs when a fraudster can obtain some payment data elements, such as magnetic stripe track 2 data, from one part of the payment ecosystem (e.g. skimming of payment card), and another data element such as a PIN from a separate attack, and then manages to link these data elements to enable a fraudulent transaction."
To address the untamed jungle aspects of mobile authentication, the council said, "It is considered important for the software to provide inherent protections that complicate reverse engineering and tampering of the code execution flow. This may include, but is not limited to, protections using 'obfuscation' of the code, internal integrity checks for code and processing flows and encryption of code segments, etc."
In the interview, Leach said that there are already 70 to 80 mobile dongles with encrypted PIN pads approved for general use, but he added that they will have to be recertified. Although the new PCI standard was announced in January, Leach said testing requirements won’t be announced until February, and the exact qualifications and certifications for those testing labs won't be released until April. In short, no software or devices will have any shot of being certified for the new standard for many months.
Unlike the certification process for EMV, which has been a fiasco, with huge delays and backlogs in getting certified, Troy said, "I don't anticipate a backlog" with the new mobile PIN certification process, with a "growing number of labs" in the approval process for testing.
Leach said that he considers "the most daunting part" of the new mobile PIN requirements to be the part that requires constant monitoring of the mobile environment. For that, Leach said that he is hoping for technological creativity from vendors. "They need to rethink how they go about this" and should leverage both machine learning and other forms of artificial intelligence to deliver "proactive monitoring."
This is a well-thought-out move by the PCI Council, one that will have payment and mobile ramifications for years.