Card industry mulls payment authentication via smartphones

Merchants may be able to retire their card terminals over the next few years, and allow customers to enter personal identity numbers (PINs) for payments on their smartphones and tablets instead.

The Payment Card Industry Security Standards Council (PCI SSC), which is run by American Express, Visa, Discover, JCB and Mastercard, is considering how to codify PIN acceptance for payments in software.

PCI SSC chief technology officer Troy Leach said the organisation has started work on a new standard for secure PIN entry on consumer-grade mobile pbones and tablets, aiming to publish a final version by the end of the year.

Leach said the PIN on glass standard will provide makers of mobile devices a software-based approach for protecting PIN entry for payments.

He said there are numerous devices already validated against the PCI SSC PIN transaction security point of interaction standard.

These provide a secure capability for PIN entry directly, or through accessories that could be physically or wirelessly attached to the mobile device in question, such as card readers.

PCI SSC is exploring how to isolate the PIN from cardholder data as part of the work on the new standard.

It is also considering dedicated hardware for payment card entry, software security for mobile applications, and robust, remote monitoring of the devices used for transactions, Leach said. 

Moving PIN entry acceptance for payments to software is likely to cause ructions within the point of sale terminal industry and banks, as such devices would be rendered obsolete by the new standard.

The new standard could also pave the way for virtual payment cards incorporated into mobile devices.