Want To Finally Move Beyond Magstripes? Fix The PIN Pad
Getting rid of payment cards' aging and insecure magstripe is the real point behind the recent EMV mandates of Visa, MasterCard and Discover. Trouble is, those mandates won't work if they merely require PIN pads that support contactless and contact EMV cards. Such PIN pads are already in many stores, and they give customers three separate ways to use their cards. And yet, customers overwhelmingly use the most familiar approach: the magstripe swipe.
There's an easy way to overcome that customer (and cashier) inertia: a redesigned PIN pad that doesn't feel much different to customers but still makes swipes obsolete.
What Visa says it wants is a POS system that doesn't just accept magstripe, contact and contactless cards, but one that also figures out which approach accepted by the card processor will provide the highest available level of security. To do that, the card has to somehow signal to the PIN pad that it's contactless, or that has an EMV chip, or that it only has a magstripe. That's going to require lots of PIN-pad upgrades for retailers.
Unfortunately, once Visa and MasterCard have their way getting chains to do those upgrades, PIN pads will probably still look to customers much like they do today: The customer can tap a contactless card. The customer can insert a contact EMV card into a slot, typically located at the bottom of the POS device. Or the customer can slide the card through the magstripe reader along the top or side of the POS device.
What's wrong with this picture? If you give customers (and, even more crucially, your associates) three different ways of using a card, they'll choose the one that's most familiar—and that's always going to be a swipe. (Well, except for that tiny minority of customers who prefer a tap or tourists who only know Chip-and-PIN.)
So much for the idea that the POS can figure out which approach is the most secure.
But wait—let's say extra information is embedded in each card's magstripe to indicate what else it supports. Then if customers swipe by habit, the POS can indicate that the card could be used in contact or contactless mode. All that would require is for the cashier to explain that the customer needs to either tap the already-swiped card or put it into another slot. Then the cashier would have to explain why the customer should do that unfamiliar thing, especially when the customer knows the swipe worked.
Considering that a lack of cashier interest has been a big part of the failure of contactless at POS, how likely is that scenario to play out? As long as the three-way choice is there, customers will always pick a swipe.
The obvious solution: Only offer customers a single slot to put the card in.The obvious solution: Only offer customers a single slot to put the card in—say, a highly visible slot on top of the PIN pad, not one hidden underneath. The customer slides the card into the slot. The slot clamps it, so it can't be pulled out immediately. A sensor checks for contactless capability. Electrical contacts touch the spot where an EMV chip would be, to see if anybody's home there. And a moving magstripe reader rolls down to read that data.
Then the POS has all the information it needs to choose among contactless, contact EMV, magstripe, credit, debit, PIN, signature, other authentication and—in the case of PayPal or other alternative payment schemes—even different transaction processors. And once the transaction is done, the PIN pad unclamps the card and the customer gets it back.
How complicated is this for customers? Not very—putting a card into a slot that holds it is how many bank ATMs have worked for years. How hard is it on cashiers? Their biggest problem would be explaining which way the card is supposed to go into the slot, which is already the main thing cashiers have to explain to customers who are swiping. (Right after that on the list is telling customers they have to swipe again, because they swiped too fast, too slowly or held the card the wrong way.)
Actually, adding multiple magstripe readers could make it possible for a single-slot PIN pad to read the card no matter how it's oriented, but that would add cost. And the PIN pad might not even have to double up on NFC sensors if it's designed so the sensor that reads the card inside the PIN pad can also read a card (or phone) that's tapped against the POS device.
There are potential PCI advantages to putting all the readers inside the PIN pad, too. For example, a device with an exposed swipe slot makes it relatively easy for a thief to add and remove a card skimmer. With all-internal readers, compromising a device would be harder. A thief would either have to use an external skimmer that's easier to spot or actually open up the POS device—and if that's possible, any PIN pad is hopelessly compromised anyway.
Chains will have to support magstripes for years, especially because giftcards, PayPal and other alternate payment schemes will keep using them. Meanwhile, Chip-and-PIN and contactless have been pretty complete non-starters in the U.S., thanks largely to the way our PIN pads are designed. If retailers ever want to get beyond the stripe—and if Visa and MasterCard ever want to get them beyond the stripe—customers have to have a painless, reasonably familiar way to insert a payment card, but one that doesn't let them swipe and, in fact, doesn't give them any choice at all.
Otherwise, they'll never change their behavior—and magstripes will live forever.