The Farmers’ Market community has expressed interest in hardware and software (apps) that support credit and debit transactions on smartphones, tablets, and other hand-held mobile devices. Typically, such devices are not designed to accept Personal Identification Numbers (PIN) as part of a transaction.
To achieve Payment Card Industry (PCI)-compliance, PINs may only be entered on tamper-proof, ANSI and ISO-compliant devices. These requirements are in place to protect the customer. If any of the companies supporting credit/debit on these devices attempted to incorporate PIN-entry into their products, they would lose their PCI certification and ability to accept signature transactions.
The PCI Standards Council PIN Security Requirements Document stipulates:
- "All cardholder-entered PINs must be processed in equipment that conforms to the requirements for secure cryptographic devices (SCDs.) PINs must never appear in the clear outside of an SCD. SCDs are considered tamper-responsive or physically secure devices i.e., penetration of the device will cause immediate erasure of all PINs, secret and private cryptographic keys and all useful residues of PINs and keys contained within it."
In contrast, PINs are a basic component of every Electronic Benefits Transfer (EBT) transaction. Without a PIN, the transaction cannot be approved. A PIN is the only means of identification to ensure that a SNAP customer is the authorized user of the card. The only exception is under restricted circumstances when a retailer is allowed to use the manual voucher process.
FNS has worked with Novo Dia to develop a secure software-based method for PIN-entry. This has been thoroughly tested by smart phone industry security experts and found to be highly secure, but even that process is not PCI-compliant. FNS is comfortable with its security level and has approved the application for farmers markets. Similar extensive testing and assurances would be required for any new mobile application proposed for use as a point of sale device for SNAP.