Card issuers seek to defend territory
For further evidence of this opportunity, we can note how Visa and Mastercard have relaxed their stance on PIN standards, which have historically progressed hand-in-hand with PCI PTS (PIN transaction security) — an onerous, heavy-weight, albeit important, security standard. The brands have always deemed PIN security important and there was a time when the notion of accepting a PIN on a consumer mobile phone would have been difficult to talk about, let alone get approved.
It’s possible that some of this willingness to evolve is being driven by the Asian market, where we see alternative and unique payment methods being adopted and becoming very popular. With the wide-scale adoption of mobile phones, and the use of NFC and QR codes for payments, the card brands most likely see a threat to their business model and, in a defensive move against potential disruptors, are wisely embracing the spirit of mobile.
Obstacles to PIN-on-Mobile
Let’s start with the technology. One of the biggest (and most obvious) challenges with mobile devices is that they’re insecure: iPhones and Android phones can be jailbroken or rooted. How can we make these devices secure, or be confident enough that a consumer device can accept PIN entry?
Companies are working on a wide range of ideas, and the winning formula will likely combine numerous layered security measures to limit the attack surface as much as possible. For instance, scrambling the numbers on a screen’s PIN pad makes it more difficult for malware to work out which tap on the screen corresponds to which number. Combining this with measures like point-to-point encryption and utilising the hardware security already present in many devices will also be key. We also see the success of payment tokenisation for mobile payments being extended to cards, as this would negate the effect of any malware on the device, rendering any data captured useless to fraudsters.
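The keypad scrambling described above, as an added example that is not from the original article: a per-session layout drawn from a CSPRNG, plus a count of the PINs that stay consistent with logged tap positions when the layout is unknown. The ten-cell keypad and all function names are assumptions made for the illustration.

```python
import secrets


def new_layout():
    """Return a per-session mapping of cell index -> digit, shuffled with a CSPRNG."""
    digits = list(range(10))
    # Fisher-Yates shuffle driven by secrets.randbelow, so the order is unpredictable
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return dict(enumerate(digits))


def taps_for_pin(pin, layout):
    """Cells the user taps to enter `pin` on this layout (all a tap logger observes)."""
    cell_of = {digit: cell for cell, digit in layout.items()}
    return [cell_of[int(ch)] for ch in pin]


def decode_taps(taps, layout):
    """Trusted side: map tapped cells back to digits using the session layout."""
    return "".join(str(layout[cell]) for cell in taps)


def residual_candidates(taps):
    """Number of PINs consistent with a tap sequence when the layout is unknown.

    A repeated cell reveals a repeated digit, so only distinct cells add choices.
    """
    count = 1
    for i in range(len(set(taps))):
        count *= 10 - i
    return count


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    for session in range(3):
        layout = new_layout()
        taps = taps_for_pin(pin, layout)
        # The same PIN produces different tap positions in each session
        print(session, taps, decode_taps(taps, layout), residual_candidates(taps))
```

Tap positions alone still leave a bounded candidate set and expose which digits repeat, which is why the article treats scrambling as one layer alongside encryption, hardware security and tokenisation.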