A world without PINs?

Written by: Roney Castro

October 4, 2017 - Are we driving big changes in the POS market for a future without PINs?

In a previous post from my colleague Andrew Jamieson, he mentioned that "PINs are dead", presenting some interesting insights and reasoning about the problems with PIN that are actually causing this. Well, not "dead" dead, but with a "nasty chest infection that was not getting any better". Truth be told, if we take a look at recent announcements and market developments, it would be nice if PINs started to put their affairs in order.

In some recent announcements Visa seems to make clear that its strategy is to move away from PINs, searching for authentication mechanisms that can provide more fluid and seamless commerce authentication experiences while providing the same or even higher security levels. For that purpose, Visa sees biometrics as a way of achieving this objective (see reference).

Biometrics is no longer a revolution in mobile consumer devices, but a solid reality. Furthermore, it is no longer a privilege of flagship devices, and its ubiquity is increasing on entry-level models as well. I believe this “ubiquity” deserves some clarification, since biometric authentication can be implemented in quite a wide range of modalities. I'm talking here about fingerprint readers and other dedicated hardware for biometric capture, like iris scanners. Mobile biometrics has been achievable for a long time now through facial recognition using only the device camera, without requiring any additional hardware.

To explore further the benefits and convenience of biometrics in authentication, Visa envisions its usage regardless of the channel, from remote payments to in-store payments. For in-store payments more specifically, Visa recently issued an announcement, effective immediately, enabling the prioritization of CDCVM over PIN entry on the POS for mobile payment transactions.

First things first, what is CDCVM?

CDCVM stands for Consumer Device Cardholder Verification Method, and it's a term that was introduced with the development of mobile payments. By using the mobile device as a payment instrument, you gain the possibility of exploiting the interaction capabilities between device and consumer for a lot of activities, including authentication. The benefits of using on-device authentication are quite broad, but I'd like to highlight two:

  1. The consumer is already used to the authentication mechanisms provided by their device and how to interact with them, making the entire authentication process less disruptive.
  2. The mobile device gives the consumer a stronger impression of “control” over the overall authentication process. By the way, I'm not saying here that mobile devices are secure or not, or that consumers trust the security of their devices. What I’m saying is that this perception of control makes consumers more inclined to prefer these authentication mechanisms in their journey.

Once successfully performed on the consumer device, the choice of CDCVM and its associated results are communicated to the terminal, which in turn will not ask for further cardholder verification (in case the terminal supports CDCVM). Similar to online PIN, the objective of CDCVM is to prevent lost-and-stolen fraud and unauthorized usage of a payment instrument, and that's why, in general, it has similar chargeback rights to PIN (check the respective scheme rules for applicability/exceptions).

So CDCVM is like mobile biometrics, fingerprints, etc.?

Not really: CDCVM is actually broader than mobile biometrics. It encompasses all cardholder verification mechanisms that can take place on the device the consumer is using to perform the payment. The schemes have outlined which authentication mechanisms are applicable and their respective requirements and best practices.

The authentication mechanisms that are considered for CDCVM range from passcodes to patterns, PINs and also biometrics.

How will this announcement impact me? I am...

...an Acquirer, a merchant, or a processor:

If your role in the payment chain is one of the above, then in order to enable cardholders to perform payments with CDCVM, you need to make sure that your terminal kernels support this type of CVM in the contactless payment flow (as an example, in the case of Visa this is VCPS 2.1.x or above, and for Mastercard kernel v3.0 or above). CDCVM results are sent from the mobile device to the terminal as chip data, and should be passed unaltered in the authorization request.

For ATMs and cashback transactions, some specific requirements apply.

...a card issuer:

As a card issuer, if you decide to accept CDCVM, one important thing is to communicate to your customers that new possibilities and authentication experiences during the payment process will (co)exist, given that there's still a wide base of legacy terminals in the market. Next to that, your authorization process and rules should be adjusted to process a new possible CVM method beyond the ones you probably already support (like Online PIN, for instance). The usage of CDCVM and its associated results will be indicated by data received in the authorization message.

Nevertheless, like any new technology for consumer authentication, it may introduce some risks, which need to be properly assessed. We will dedicate a blog post to this in the coming weeks.

...a Wallet service provider

In your case, you'll now be able to prioritize CDCVM over other CVM mechanisms. Depending on how you are implementing your mobile wallet/payment application, this reprioritization may be relatively straightforward. It is always recommended to do this based on the best practices indicated by the respective scheme.

In case you are a Card Issuer AND a wallet service provider, in general the CVM order is up to you to define. With this recent announcement from Visa, you're now able to prioritize CDCVM over the other CVM options.
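To make the interplay between wallet CVM priority, terminal kernel support and issuer authorization rules described in the three sections above concrete, here is an added example in Python (not code from the original post, from Visa, or from any scheme). The CVM names, the `Terminal` class and the decision strings are simplified assumptions, not the real EMV CVM List or scheme data encodings.

```python
from dataclasses import dataclass

# Hypothetical, simplified model: real kernels use the EMV CVM List and scheme-specific
# data elements to carry CDCVM results; the names below are labels, not actual encodings.
CDCVM, ONLINE_PIN, SIGNATURE, NO_CVM = "CDCVM", "ONLINE_PIN", "SIGNATURE", "NO_CVM"

@dataclass
class Terminal:
    """A POS kernel's CVM capabilities; a legacy kernel does not know CDCVM."""
    supports_cdcvm: bool
    other_cvms: tuple = (ONLINE_PIN, SIGNATURE, NO_CVM)

    def capabilities(self) -> set:
        caps = set(self.other_cvms)
        if self.supports_cdcvm:
            caps.add(CDCVM)
        return caps

def select_cvm(wallet_priority, terminal, cdcvm_done_on_device):
    """Return the first CVM in the wallet's priority order that the terminal
    supports. CDCVM is only eligible if the device actually performed it, so
    a CDCVM-first wallet still falls back to PIN on a legacy terminal."""
    caps = terminal.capabilities()
    for cvm in wallet_priority:
        if cvm == CDCVM and not cdcvm_done_on_device:
            continue
        if cvm in caps:
            return cvm
    return NO_CVM

def issuer_decision(auth_request, issuer_accepts_cdcvm):
    """Issuer authorization rule: the CVM indicator arrives as chip data in the
    authorization request and must be a method the issuer has enabled."""
    cvm = auth_request["cvm_performed"]
    if cvm == CDCVM:
        return "APPROVE" if issuer_accepts_cdcvm else "DECLINE_CVM_NOT_ENABLED"
    if cvm == ONLINE_PIN:
        return "APPROVE" if auth_request.get("pin_verified") else "DECLINE_PIN"
    return "APPROVE"  # signature / no CVM: nothing to verify inside the message

def run_transaction(wallet_priority, terminal, cdcvm_done, issuer_accepts_cdcvm, pin_ok=True):
    """End to end: device and terminal agree on a CVM, then issuer rules evaluate it."""
    cvm = select_cvm(wallet_priority, terminal, cdcvm_done)
    request = {"cvm_performed": cvm, "pin_verified": cvm == ONLINE_PIN and pin_ok}
    return cvm, issuer_decision(request, issuer_accepts_cdcvm)

if __name__ == "__main__":
    wallet = (CDCVM, ONLINE_PIN, SIGNATURE)  # wallet prioritizes CDCVM, as Visa now allows
    print(run_transaction(wallet, Terminal(supports_cdcvm=False), True, True))  # legacy POS
```

Running it shows why the issuer must still handle PIN (legacy terminals) and why enabling CDCVM in authorization rules matters: a CDCVM transaction reaching an issuer that has not enabled it is declined even though the terminal accepted it.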

...a Consumer

If you are a consumer, you are probably not so concerned about CDCVM, authorization messages, best practices or CVM list order. In fact, you just want to pay, preferably as seamlessly and conveniently as possible. And security... well, security should be the foundation of your payment instrument, not something you want to worry about.

This announcement is therefore positive news for you. It indicates that the payment industry is actively looking for better ways to make your payment experience easier, less disruptive, more secure and more personal, using technologies like biometrics which are intrinsically related to you as an individual.

Is that it? Where do we go from here?

This announcement from Visa could be interpreted as just a CVM reprioritization. But it is actually slightly broader than that. If we combine this initiative with...

  • The fact that other schemes are also prioritizing CDCVM over other CVM modalities for mobile payments
  • The increasing number of pilots that are going on focusing on contactless acceptance on smartphones and tablets
  • PCI's initiative to create a new security standard for PIN-based payments on commercial-grade consumer devices (such as smartphones/tablets)

...we may be driving towards big changes in the POS market and in the future (or death) of PIN usage on the POS in payments (at least in mobile payments).
