- There has been much interest expressed in the farmers market community about applications, add-ons and hardware that support the completion of credit and debit transactions on smartphones, tablets, and other hand-held mobile devices. These devices are not designed to accept Personal Identification Numbers (PIN) as part of the transaction. They only support credit and signature debit transactions. They cannot perform PIN debit transactions, because it’s not allowed by the Payment Card Industry (PCI) rules developed and mandated by MasterCard, VISA and other credit card organizations. To achieve PCI-compliance, PINs may only be entered on tamper-proof, ANSI and ISO-compliant devices. These requirements are in place to protect the customer. If any of the companies supporting credit/debit on these devices attempted to incorporate PIN-entry into their products, they would lose their PCI certification and ability to accept signature transactions.
The PCI Standards Council PIN Security Requirements Document stipulates that:
“All cardholder-entered PINs must be processed in equipment that conforms to the requirements for secure cryptographic devices (SCDs). PINs must never appear in the clear outside of an SCD. SCDs are considered tamper-responsive or physically secure devices i.e., penetration of the device will cause immediate erasure of all PINs, secret and private cryptographic keys and all useful residues of PINs and keys contained within it.”
The PIN is a basic component of every EBT transaction. Without a PIN, the transaction cannot be approved by any EBT processor. It is the only means of identification the SNAP customer has to ensure that they are the authorized user of the card. The only exception is when a retailer uses the manual voucher process.
FNS has worked with at least one company that has developed a secure software-based method for PIN-entry. This has been thoroughly tested by smart phone industry security experts and found to be highly secure, but even that process is not PCI-compliant. FNS is, however, comfortable with its security level and has approved the application for farmers’ markets. We would require similar extensive testing and assurances for any new mobile application proposed for use as a point of sale device for SNAP.