There’s some confusion around the terms ‘PIN on glass’ and ‘PIN on consumer off-the-shelf (COTS)’ devices. One thing is clear, though: they’re both here to stay.
Since Square Reader arrived, consumers have been faced with entering their PIN on a mobile screen, prompting some to ask if it is just as secure as using a physical PIN pad on a card machine. Certainly, it is secure, and so are the new smart terminals featuring a tablet-like display for all navigation and PINs.
But we should be clear: there’s a distinction between PIN entry on a consumer touchscreen device, such as a smartphone or tablet, and a smart POS terminal on which you enter the PIN code on a touchscreen display. The former is called PIN on COTS, and the latter is PIN on glass.
The two technologies are secure through different methods, both approved by PCI (the Payment Card Industry) who’s in charge of security regulations for card payments. Let us look at the differences.
How does PIN on glass work?
PIN on glass refers to PIN entry on an integrated touchscreen of a PCI-approved smart terminal. In this case, a physical PIN pad is not present on the card machine, so the touchscreen displays a virtual PIN pad when prompted to enter the code.
Some card terminals may have both a physical PIN pad and touchscreen display, in which case the dedicated keypad would be used for PIN entry.
Entering a PIN on a touchscreen is not considered much different than ‘PIN on terminal’ which is the definition for entering PINs on a physical keypad of a terminal. Why? Because whether PIN entry happens on a touchscreen or keypad, as long as it is done on the same PCI-certified terminal that reads the credit or debit card, the payment process happens the same following way:
- The card is read electronically in the terminal via chip, contactless or swipe.
- When relevant, the terminal will prompt the payer to enter their PIN on the keypad or touchscreen.
- Both the electronic card data and PIN are securely transmitted to the payment processor and card issuer for verification.
- When the card issuer has verified this information, the terminal receives this confirmation and completes the transaction.
In this scenario, the secure transmission of all the relevant card data is handled solely by the card terminal.
How does PIN on COTS work?
Given how easy it is to extrapolate the meaning to any touchscreen PIN entry solution, some people also call it PIN on glass if a mobile card reader without a physical keypad (like Square Reader) requires you to enter PINs on a consumer smartphone or tablet that’s synced with the card reader. This is actually called PIN on consumer off-the-shelf devices (COTS) and works very differently from PIN on glass.
This is how PIN on COTS works:
- You use a PCI-certified card reader without a keypad or touchscreen to read the card electronically.
- When relevant, the card reader’s dedicated payment app on the smartphone or tablet that’s synced with the card reader will show a virtual PIN pad on the mobile/tablet screen for PIN entry.
- The card data read by the card reader hardware is encrypted and securely transmitted to the processor and issuer, and the PIN in the app is securely transmitted via the app’s sophisticated software.
- When the card issuer has verified both sources of information, the app and terminal receive a confirmation, completing the transaction.
PIN on COTS is only allowed for chip and contactless transactions.
This process is different from PIN on glass in two key ways:
- While the card reader has to be PCI-approved, the consumer-grade mobile device is not certified by PCI.
- Because PIN entry takes place on non-certified consumer hardware, a stringent, software-based PIN entry process is used to securely authenticate the PIN.
How does the PIN entry software ensure the transaction is secure? It isolates the PIN from other account information like the electronic card data processed in the terminal. Using a COTS device for PINs also requires transactions to be processed by EMV and contactless only (swipe is not as secure) on a Secure Card Reader for PIN (SCRP) in order to maintain complete confidentiality and encryption of account data. Furthermore, the PIN software has to be actively monitored to protect against security threats to the payment process.
In early 2018, PCI released a Software-Based PIN Entry and authentication on Consumer-Off-The-Shelf Devices standard, which details all these requirements.