When the PCI Council, the group that needs to sign off on all payments from Visa, Mastercard, American Express and Discover, approved last week (Jan. 24) a rule allowing PINs to be entered into smartphones and tablets, it was a huge game changer for both payments and mobile.
Before we delve into the payments implications, let's be candid about what PCI has done. It is allowing the most sensitive part of a payment card transaction — the PIN authentication — to happen on a device that even the council's own new regulation acknowledges is highly dangerous and unstable.
Consider this comment from the standard itself: "There are individual components of a software solution where there is limited control — for example, the underlying mobile device hardware platform and operating system. Given that these are COTS [mobile] devices, there is an assumption that these components — e.g., COTS operating system, configuration of hardware components of a phone, etc. — are unknown or untrusted. It must be assumed that an attacker has full access to the software that executes on any unknown or untrusted platform, where that software may be a binary executable, interpreted bytecode, etc., as it is loaded onto the platform."