Should PIN Pads Be Hardened? This Reader Says They Should Be Dumped

Is it even worth hardening PIN pads against hacking? After last week's story on Verifone's device-breach problems, one StorefrontBacktalk reader commented: "Hardening PIN pads just kicks the can a few feet down the road, the way PCI kicked magstripes down to Chip-and-PIN. But it's still the same can and the same road, so why do we think the same problems won't keep chasing us?" His conclusion: Make payment cards much smarter and eliminate the PIN pad entirely.

That's a great idea for large chains. But smaller merchants will have to buy in, too—and they're the reason every attempt to improve payment cards so far has failed.

But back to our anonymous-by-request reader (who happens to be a senior IT exec at a major chain, someone whose thoughts we have learned over the years to trust): "The unreasonable but secure answer is to stop doing the same thing. We need to stop trying to keep identities and account numbers secret, and stop asking merchants to carry secrets worthy of bank vault protection. Instead, we need 100 percent on-card security, including the user interface, to protect transaction authorizations. This will remove the merchants from ever handling the customer's secrets," he wrote.

"Smart cards are already capable of doing encryption. Add a 10-key pad to each customer's card, and a small screen to display the amount to authorize, and each customer is now carrying their own full PIN pad for about $5 to $10 per card. This is equipment given them by their bank, which they can trust. It's not on a network, not upgradable, [is] sealed hardware and cannot be hacked remotely. The banks then have true end-to-end encryption all the way from their own tiny PIN pads to their own mainframes, and not the hop-to-hop-to-hop that exists today (that is mislabeled E2E by every vendor selling the stuff)," he added.

This type of super-smartcard would make PIN pads unnecessary and remove lots of breach opportunities. Merchants would still have to block man-in-the-middle attacks at the POS, but that would be much easier without a standalone device sitting on the counter that's just begging to be attacked.
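To make the card-to-bank idea concrete, here is an added sketch (not from the article or the reader) in which the POS only relays an authorization it can neither alter nor forge. The `Card` and `Issuer` classes, the per-card key shared with the issuer, the transaction counter and the use of an HMAC in place of encryption are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _tag(key, msg):
    # Canonical JSON so card and issuer MAC exactly the same bytes.
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class Card:
    """Hypothetical sealed card with its own keypad, screen and issuer-shared key."""
    def __init__(self, card_id, key, pin):
        self.card_id, self._key, self._pin, self._ctr = card_id, key, pin, 0

    def authorize(self, merchant_id, amount_cents, pin_entered):
        # The PIN is checked on the card and never reaches the merchant.
        if not hmac.compare_digest(pin_entered, self._pin):
            return None
        self._ctr += 1
        msg = {"card": self.card_id, "merchant": merchant_id,
               "amount": amount_cents, "ctr": self._ctr}
        return {"msg": msg, "tag": _tag(self._key, msg)}

class Issuer:
    def __init__(self):
        self._keys, self._last_ctr = {}, {}

    def enroll(self, card_id, key):
        self._keys[card_id], self._last_ctr[card_id] = key, 0

    def verify(self, auth):
        msg = auth["msg"]
        key = self._keys.get(msg.get("card"))
        if key is None or not hmac.compare_digest(_tag(key, msg), auth["tag"]):
            return "rejected: bad tag"
        if msg["ctr"] <= self._last_ctr[msg["card"]]:
            return "rejected: replay"
        self._last_ctr[msg["card"]] = msg["ctr"]
        return "approved"

def demo():
    key = b"constructed-demo-key"  # constructed sample value
    issuer, card = Issuer(), Card("CARD-1", key, "4921")
    issuer.enroll("CARD-1", key)
    first = card.authorize("STORE-7", 1999, "4921")
    second = card.authorize("STORE-7", 1999, "4921")
    # A compromised POS relay inflates the amount but cannot recompute the tag.
    inflated = {"msg": {**second["msg"], "amount": 199900}, "tag": second["tag"]}
    return [issuer.verify(first), issuer.verify(inflated),
            issuer.verify(first), card.authorize("STORE-7", 1999, "0000")]
```

The account identifier travels in the clear here, which matches the reader's point: the design depends on the authorization being unforgeable, not on the merchant keeping anything secret.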

"Industry security experts are beginning to agree that zero-trust is the future of security, and that all network endpoints are inherently untrustworthy," this reader concluded. "Let's stop pretending that shared PIN pads on a network are a good idea. If we're going to do something unreasonable, let's at least do something different."

Yes, this does sound like a much more secure POS future. It's a great idea. Better still, the technology is already available. And if it's a little pricey today, that cost would drop dramatically once the number of cards scaled up.

The problem is getting to that future from where we are now. The most obvious barrier: magstripe. As long as that strip of metal oxide is still the dominant way of acquiring payment-card information, the PIN pad can't be killed. Chains could abandon PIN pads, but then they'd lose transactions from any customer who only has a magstripe card. Issuing banks might upgrade all their cards, but they haven't even upgraded most cards to contactless or Chip-and-PIN in the U.S. Small merchants aren't willing to swallow the cost of a contactless upgrade without major incentives. And without all those other, smaller merchants on board, chains can't afford to abandon the magstripe (and the PIN pad).

If you think it'll be easy to break that circle, look in your wallet. Chances are, every payment card in there has embossed numbers and letters on it. Why? Visa hasn't required raised characters on credit and debit cards since 2008. In fact, a whole generation of customers and associates have grown up never having heard the kachunkachunk of an imprinting machine. It's a technology that's been used since 1959 and became technologically obsolete in 1980 when Visa and MasterCard adopted magstripe.

And yet almost every payment card still supports it—largely because if the power goes off or there's an equipment malfunction, it's a more reliable way to get card-present transaction information than just copying it out by hand. (It's also cheaper and more portable than most PIN pads.)

No wonder we can't get rid of magstripe. We can't even ditch the kachunkachunk.

This is why chains need to pay attention to small-merchant POS ideas like Square and similar mobile-phone dongles. It's the trailing-edge small merchants that define what can't be abandoned at the POS, even if chains don't have a use for technology aimed at the little guys.

So when a mobile phone can be used as a card reader, and it's as reliable as an imprinter if the power goes out or the PIN pad fails, it may actually be possible to convince small merchants to abandon the imprinter as a fallback, and we could finally get rid of raised numbers. (It would help if big chains got rid of the just-in-case imprinters gathering dust under their counters, too.)

Then, once the smartphone is the default small-merchant POS device, it's a small step to replace the dongle with an NFC-equipped phone that can read contactless cards—presuming the issuing banks have finally converted all their cards. (The tiniest merchants could hand-copy card numbers onto receipts, which is what they're doing now—they're so small, they can't even afford imprinters.)

And then we'll finally be in a position to say goodbye to magstripes—and PIN pads.