Crossbow Labs

PIN on Glass Vs PIN on COTS – Breaking the Hype


Many of our customers have difficulty differentiating between PIN on Glass and PIN on COTS, and we want to clear up the confusion. First of all, it is not an apples-to-apples comparison, and here is why.

#1 Let's understand what they mean:

PIN on Glass means entering the PIN on a touch-screen terminal.

PIN on COTS, on the other hand, means entering the PIN on a Commercial Off The Shelf (COTS) product. As the name suggests, this could be any smartphone or tablet available in the market.

#2 PIN on Glass is not a category by itself

PIN on Glass simply means entering the PIN on a touch screen, which does not make it a category in itself. The touch-screen terminal can be either a dedicated card data capture device (EDC) or a COTS device.

The actual categories are PIN entry on EDC and PIN entry on COTS.

#3 Requirements for PIN entry on EDC

The device itself has to be PCI PTS verified. It is dedicated to payment acceptance and has little functionality beyond that. It accepts all three types of card interaction: swiping, dipping (chip insertion) and NFC-based (contactless).

#4 Requirements for PIN entry on COTS

A COTS device is not a dedicated payment device and therefore has several other functions (like any regular smartphone or tablet). PIN entry on COTS requires adherence to the software-based PIN entry standard, PCI SPoC. A Secure Card Reader for PIN (SCRP) that is PCI PTS verified must be integrated with the COTS device.

#5 So why does this come up while discussing PCI CPoC?

PCI CPoC deals exclusively with contactless payments on COTS devices. A contactless payment is essentially a "Tap-n-Go" transaction that requires no PIN entry. There are, however, scenarios where the amount that can be paid contactlessly is capped, or where an additional PIN authentication is required once the payment amount exceeds a certain limit; this usually happens on NFC-enabled EDC terminals, not on COTS devices. These limits are country specific and are often set by the central bank or a similar regulatory authority.

PCI CPoC does not deal with PIN entry.

So if the COTS device supports both contactless payment and PIN entry:

  • For the contactless payment, the payment should be processed by a verified PCI CPoC application installed on the COTS device.
  • For PIN entry, the COTS device must
    • be integrated with an EMV card reading device that is PCI PTS SCRP compliant, and
    • accept PIN entry only in a verified PCI SPoC application installed on the COTS device.

For the standards mentioned in this article, see https://www.pcisecuritystandards.org/

For assistance in understanding the nuances of the standards and their implementation guides, reach us at [email protected].