What is PIN online and why does it change everything?

In a few words, PIN online is the latest innovation to make contactless card payments a little more seamless.

A short history of payment cards

Writing about the future is a good occasion to look back and quickly review the history of payment cards and terminals.

Credit cards were created in the US long before payment terminals. Initially, for each payment, the merchant would call the customer’s bank, which would approve the transaction over the phone. This was a long and cumbersome process that became automated with the spread of the magnetic stripe and the payment terminal. This innovation, which coincided with the first plastic cards, reduced the transaction time to approximately 1 minute. The magnetic stripe would be read by the payment terminal, which connected to the phone network to request the authorisation. The response would then be sent back to the payment terminal, which would print the card receipt. Much better than a phone call, but still a long wait.

Later in Europe, where the focus on fraud risk was much higher, regulation pushed for the use of chip cards, which introduced the PIN code. Contrary to the magstripe, which contains static data such as the card number, the chip is a very small computer, powered by the payment terminal, that can validate the PIN offline, without the need to connect to the bank authorisation server. If you entered a wrong PIN too many times, the card would block itself, protecting the customer and the bank from theft. This innovation allowed a much faster checkout process, as it could be done purely offline for credit cards. Only debit and prepaid cards, or transactions with an amount above the credit limit, would require a call to the authorisation server. Today, this is what we call PIN offline, because the PIN is verified locally, on the terminal, without the need for internet access.

The rise of contactless

As payment cards became ubiquitous in developed countries, another great innovation was added: NFC. NFC stands for Near Field Communication and is also known as contactless payment. Instead of powering the chip on the card through physical contact with the payment terminal, the chip is powered through an electromagnetic field emitted by the payment terminal. This technology is better than the magstripe as it allows data such as the amount of the transaction to be transferred to the card, and the chip can in turn approve or decline the transaction based on a set of rules. This innovation is great because it’s much simpler to tap your card on the terminal and the card response is dynamic.

The downside with NFC is that it’s worse than chip and PIN in terms of fraud risk, as it doesn’t require the cardholder to verify his PIN code. Issuing banks added safeguard rules to mitigate this risk. The first and best-known rule is the 50€ limit (which varies by country). Another, less well-known rule limits the number of offline transactions or the offline amount allowed. This is the reason why your contactless payment fails once in a while: not because the terminal misreads your card or because your bank account is empty. This awkward little moment happens because your card issuer wants extra security before approving the payment.

Here comes the PIN online

PIN online was developed to make contactless payment seamless again. After a failed contactless payment, instead of asking the customer to insert his card in the terminal and validate the PIN code offline (on the card’s chip), as is currently done, the payment terminal asks for the PIN right away. After entry, the PIN is encrypted and sent to the bank authorization server to be validated online, hence the term PIN online, and the response is returned to the POS. This is great because it takes the best of both worlds: the seamless contactless gesture coupled with the extra security only when needed. This innovation will fully come into force in a couple of years, as at the time of writing, only a portion of the cards in circulation and issuing banks are able to handle PIN online.

How does it affect SoftPOS?

The other interesting positive externality of the rollout of PIN online is the enablement of real SoftPOS. As a quick reminder, SoftPOS is all about running a payment terminal on any COTS (Customer Off The Shelf) device, in other words, your own smartphone. SoftPOS stands for Software Point Of Sale, as it doesn’t require secure PCI PTS hardware, but only an Android 8+ device, or soon an iOS device. By design, the SoftPOS doesn’t have a chip reader, which means that the only way to validate a PIN code with SoftPOS will be through PIN online. The corollary is that if a card or issuing bank isn’t able to handle PIN online, the cardholder will not be able to pay on the COTS device.
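The fallback logic described above, as an added sketch that is not part of the original article nor any terminal vendor's code: a simplified model of what happens after a tap, depending on the issuer's safeguard rules and on what the card and terminal support. The class names, outcome labels and counter limits (5 taps, 150 EUR) are assumptions made for illustration; only the 50 EUR limit comes from the text.

```python
from dataclasses import dataclass

CONTACTLESS_LIMIT_CENTS = 5000  # the 50 EUR rule from the article (varies by country)

@dataclass
class Card:
    supports_online_pin: bool
    taps_since_pin: int = 0           # consecutive taps made without a PIN
    amount_since_pin_cents: int = 0   # cumulative amount tapped without a PIN
    max_taps: int = 5                 # constructed issuer limit (assumption)
    max_amount_cents: int = 15000     # constructed issuer limit (assumption)

@dataclass
class Terminal:
    has_chip_reader: bool
    supports_online_pin: bool

def card_wants_pin(card, amount_cents):
    """Issuer safeguard rules: per-transaction limit plus no-PIN counters."""
    return (amount_cents > CONTACTLESS_LIMIT_CENTS
            or card.taps_since_pin + 1 > card.max_taps
            or card.amount_since_pin_cents + amount_cents > card.max_amount_cents)

def tap(card, terminal, amount_cents):
    """Return the step the terminal takes after a contactless tap."""
    if not card_wants_pin(card, amount_cents):
        card.taps_since_pin += 1
        card.amount_since_pin_cents += amount_cents
        return "APPROVE_NO_PIN"
    if card.supports_online_pin and terminal.supports_online_pin:
        # PIN is typed on the terminal, encrypted, and checked by the issuer.
        # This model assumes the PIN is correct, so the counters reset.
        card.taps_since_pin = 0
        card.amount_since_pin_cents = 0
        return "ONLINE_PIN"
    if terminal.has_chip_reader:
        # Classic fallback: insert the card, PIN verified offline by the chip.
        return "INSERT_CARD_OFFLINE_PIN"
    return "CANNOT_PAY"  # SoftPOS facing a card or issuer without PIN online

def demo():
    smartpos = Terminal(has_chip_reader=True, supports_online_pin=True)
    softpos = Terminal(has_chip_reader=False, supports_online_pin=True)
    old_card = Card(supports_online_pin=False)
    return [tap(Card(supports_online_pin=True), softpos, 6000),
            tap(old_card, smartpos, 6000),
            tap(old_card, softpos, 6000)]

if __name__ == "__main__":
    print(demo())
```

The last outcome is the lost sale the next paragraph refers to: the same card that falls back to chip and PIN on a terminal with a reader has no fallback on a COTS device.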

You noticed I wrote ‘real’ SoftPOS. That’s because as a merchant, you cannot take the risk of losing a sale. This means that while more than a few percentage points of the population still have cards unable to handle PIN online, even micro merchants will only use SoftPOS as a backup solution and not as their main payment method. This is the reason why at Yavin we decided to move slowly on SoftPOS. Instead, we decided to invest massively in Android SmartPOS because 98% of our code will be portable to COTS devices whenever it makes sense to switch to SoftPOS. We’re also investing massively in partnerships and integrations, as these relationships need time to build and will become more and more fruitful over time.

To finish this article on a fun prediction: in a few years, when all payment cards and issuing banks can handle PIN online, payment terminals won’t need the chip reader or the magnetic stripe reader. Just like waterproof phones, merchants will be able to use waterproof payment terminals to take in-water payments. On this final thought, I wish all readers a very happy summer holiday :)


