PIN on Glass for Kiosks: PCI Rules, MPoC, SoftPOS and Security

By Craig Allen Keefner | May 27, 2026

Last Updated on May 27, 2026 by Craig Allen Keefner

PIN on Glass, PCI, and the Day Your Kiosk Screen Becomes the PIN Pad

If you’ve been around kiosks long enough, you’ve watched payment go from mag‑stripe and metal PIN pads to contactless, wallets, and phones that do everything but make coffee. Now we’re in the next chapter: PIN on Glass—letting customers enter their PIN directly on a touchscreen instead of a chunky plastic keypad.

So the obvious kiosk question is: “When can I let people enter their PIN right on my 22‑inch kiosk screen?” Let’s unpack where the rules are today, who’s in charge, and how likely it is that your giant piece of glass will officially become the PIN pad.


What “PIN on Glass” Actually Means

  • PIN on Glass is the umbrella term for entering the cardholder’s PIN on a glass touchscreen rather than on physical buttons.

  • In practice this shows up in two main flavors:

    • PCI PTS “PIN on Glass” devices: Purpose‑built payment terminals where the touchscreen is part of a PCI PTS‑approved point of interaction (POI).

    • Software PIN on COTS devices: Phones or tablets running a payment app that meets PCI’s Software‑based PIN Entry on COTS (SPoC) and now MPoC rules.

Both look similar to the user (“tap card, enter PIN on screen”), but under the hood the security story is very different—and PCI cares a lot about that difference.


The Current Rulebook: Who Governs What

Think of the payment rule universe as a messy family tree:

  • PCI DSS (4.0 / 4.0.1) – The big, general “data security” standard for any environment that stores, processes, or transmits cardholder data (including kiosk back ends and networks).

  • PCI PTS POI – Device‑level rules for hardware payment terminals, including terminals that use PIN on Glass.

  • PCI SPoC (Software‑based PIN Entry on COTS) – Rules for PIN entry on merchant‑owned smartphones/tablets with a Secure Card Reader for PIN (SCRP).

  • PCI MPoC (Mobile Payments on COTS) – The modern SoftPOS standard that combines contactless payments and optional PIN entry on COTS devices in a single framework.

Where kiosks fit:

  • A traditional kiosk with a separate card reader and PIN pad lives under PCI DSS + PTS POI (for the terminal).

  • A SoftPOS‑style kiosk using a tablet or mobile device for tap + PIN would need to be built around a PCI‑listed MPoC or SPoC solution, if the use case is allowed.

Right now, those “if”s matter a lot.


What PCI Explicitly Says About Kiosks

PCI SSC has been pretty clear on one big point: not every touchscreen can be a PIN pad just because you can draw a keypad on it.

Key points from PCI’s own FAQ on SPoC and “PIN on Glass”:

  • SPoC is written for merchant‑owned COTS devices in attended environments (think retail associate with a phone, not a lonely airport kiosk).

  • The FAQ warns that the generic phrase “PIN on Glass” covers a lot of things, and that a PTS‑approved POI with PIN on Glass is not the same as just slapping a software keypad on a touchscreen.

  • There are already PTS‑approved hardware devices that use PoG, and these are the “safe zone” for unattended or kiosk‑like deployments.

The Kiosk Manufacturer Association has summarized it this way: PIN on Glass is acceptable for kiosks in the U.S., provided you’re using PCI‑approved hardware or a PCI‑approved software solution that actually fits the standard.

Translation:

  • Good: A certified PIN‑on‑Glass payment terminal bolted onto your kiosk, or a fully validated SoftPOS/MPoC device.

  • Not good: A Windows PC with a 27‑inch touch monitor and a nice‑looking on‑screen PIN pad you designed in Figma.


So Can I Use My Big Kiosk Screen for PIN Today?

Short answer: only if that screen is part of a certified payment device or MPoC solution. For most current kiosks, the big screen is still “UI only,” and PIN entry happens on something else.

Today’s practical options:

  • Use a PTS‑approved terminal with PoG

    • Mount a PCI PTS‑certified payment device (which may itself use PIN on Glass) next to or into the kiosk.

    • The kiosk screen handles browsing, carts, ADA prompts, etc.; the certified device handles card + PIN.

  • Use a SoftPOS / MPoC device

    • Integrate a tablet or phone that is part of a PCI‑listed MPoC solution and let that handle tap + PIN.

    • Your kiosk app talks to it over USB, Bluetooth, or network but doesn’t capture the PIN itself.

  • What you can’t (safely) assume

    • That a generic 22″ or 32″ touch monitor in an unattended kiosk is automatically allowed as a PIN capture surface just because it’s “glass like a tablet.”

    • PCI currently treats those very differently from merchant‑held COTS devices in attended use, and SPoC explicitly does not cover unattended kiosks.


Why PCI Is So Cautious About Kiosk Glass

From a security perspective, kiosks are kind of a worst‑case scenario:

  • They sit in public with no staff watching.

  • They’re big enough that shoulder‑surfing is practically a sport.

  • Attackers get plenty of time to poke at them, add overlays, or slip in rogue hardware.

  • A camera is easy to mount.

That’s why PCI piles on requirements for PoG and SPoC/MPoC, like:

  • Isolating the PIN from the rest of the card data.

  • Ensuring the PIN app can’t be tampered with or overlaid.

  • Using certified secure card readers (SCRP) in software PIN models.

  • Monitoring devices remotely and being able to kill them quickly if something looks off.

Kiosks can absolutely meet this bar—but only if the payment component is built and certified that way, not if the screen is treated as “just another PC display.”


The Crystal Ball: Will Big Kiosk Screens Ever Be the PIN Pad?

This is the fun part. Let’s talk probabilities, not promises.

1. Direction of travel: PIN on Glass and SoftPOS are growing.

  • SoftPOS, MPoC, and PIN on Glass are gaining momentum worldwide, especially for micro‑merchants and mobile use cases.

  • As the tech and threat monitoring mature, pressure grows to reuse that model in more form factors, including kiosks.

2. Hardware and certification are getting more flexible.

  • Device makers are already building PTS‑approved terminals that look a lot like small tablets, and those can be integrated into kiosks today.

  • It’s not a huge leap to imagine “kiosk class” devices (large‑format touchscreens with secure modules) being designed and evaluated under updated PTS/MPoC rules.

3. Business reality favors fewer parts.

  • Kiosk folks would love to stop cutting odd little holes for pin pads and just use the big screen for everything—better UX, fewer parts to mount, fewer failure points.

  • That economic pressure tends to push standards along over time, once security controls catch up.

4. The constraints that will slow it down.

  • Unattended and semi‑attended use is always going to be scrutinized harder than a barista’s phone, especially for PIN.

  • Accessibility (think EAA in Europe and similar requirements) will also shape how on‑screen PIN must look and behave on large public screens.

Our directional bet for the kiosk world:

  • Short term (0–3 years):

    • Most deployments will still use separate certified payment hardware—either a traditional payment terminal or a SoftPOS/MPoC device bolted on.

    • Your big kiosk screen remains the “nice UI,” not the official PIN pad.

  • Medium term (3–7+ years):

    • We’re likely to see more integrated kiosk/payment form factors where the “screen” and “payment module” blur together, but under the hood they are still treated as secure payment devices for certification purposes.

    • For operators, it will feel like the kiosk screen is the PIN pad, even if, on paper, there is a secure payment subsystem doing the heavy lifting.

Will PCI ever bless “just any PC + touchscreen” as a PIN capture device? Very unlikely. But will kiosk‑class devices evolve to be both kiosk and certified payment terminal with PIN‑on‑Glass? That’s a much safer “yes, eventually.”


What Kiosk People Should Do Right Now

If you’re designing or buying kiosks today and want to be ready for this future:

  • Separate UI from payment in your architecture.

    • Treat the payment function as a plug‑in module (today a PTS terminal, tomorrow maybe an MPoC device, later something more integrated).

  • Stick to PCI‑listed devices and solutions.

    • Use PTS‑approved PoG terminals or MPoC/SPoC solutions rather than rolling your own PIN keypad on glass.

  • Watch standards and scheme bulletins.

    • Keep an eye on PCI SSC communications (PTS, SPoC, MPoC) and card‑brand bulletins about unattended / kiosk use cases.

  • Plan your kiosk hardware so you can evolve.

    • Design in tolerance and modularity for payment devices of different sizes and shapes by using mounting plates and subassemblies. Plan for different communication protocols (USB, serial, TCP/IP) and power requirements (AC/DC).

    • There’s no silver bullet device that works in every region with every processor. Your end customers will likely all need a different device to work with their chosen bank/merchant service provider. In short, you cannot standardize on a single payment device and expect all your customers to use it.

In other words: keep using your big screens for what they’re great at—telling the story, guiding the user, upselling the coffee—and let certified payment tech handle the PIN until the standards finally catch up with what kiosk people have wanted for years.
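The "separate UI from payment" advice above, sketched as an added example (not code from PCI, a vendor, or this site): the kiosk app calls a swappable payment module and accepts only an allowlisted result, failing closed if PIN or full card data ever crosses the boundary. The class names, reply fields, and masked-PAN format are assumptions for illustration, and the two modules are simulated stand-ins.

```python
import re
from dataclasses import dataclass
from typing import Protocol

# Assumed reply fields the kiosk UI may see. Anything else (PIN, PIN block,
# track data, full PAN) must stay inside the certified payment device.
ALLOWED_FIELDS = {"status", "auth_code", "masked_pan"}
MASKED_PAN = re.compile(r"^\*+\d{4}$")  # assumed format: stars + last 4 digits

class BoundaryViolation(Exception):
    """The payment module returned data the kiosk app must never handle."""

@dataclass(frozen=True)
class PaymentResult:
    approved: bool
    auth_code: str
    masked_pan: str

class PaymentModule(Protocol):  # plug-in point: PTS terminal today, MPoC later
    def charge(self, amount_cents: int, currency: str) -> dict: ...

def to_result(raw: dict) -> PaymentResult:
    """Allowlist the device reply; fail closed on anything unexpected."""
    extra = set(raw) - ALLOWED_FIELDS
    if extra:
        raise BoundaryViolation(f"unexpected fields: {sorted(extra)}")
    if not MASKED_PAN.match(str(raw.get("masked_pan", ""))):
        raise BoundaryViolation("PAN is missing or not masked")
    return PaymentResult(raw.get("status") == "approved",
                         str(raw.get("auth_code", "")), raw["masked_pan"])

class Checkout:
    """Kiosk UI side: knows the cart total, never the card or the PIN."""
    def __init__(self, module: PaymentModule):
        self.module = module

    def pay(self, amount_cents: int, currency: str = "USD") -> PaymentResult:
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        return to_result(self.module.charge(amount_cents, currency))

# Constructed stand-ins for two modules; no real device protocol is implied.
class SimulatedPtsTerminal:
    def charge(self, amount_cents, currency):
        return {"status": "approved", "auth_code": "A1B2C3", "masked_pan": "************4242"}

class SimulatedLeakyModule:
    def charge(self, amount_cents, currency):
        return {"status": "approved", "auth_code": "Z9", "masked_pan": "****1111", "pin_block": "00"}
```

Swapping the payment device means writing a new adapter with the same `charge` method; the checkout code and its boundary check stay unchanged.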

Europe and Asia: Same Glass, Different Headaches

If you wander outside the U.S., the story doesn’t suddenly become “no PCI, no rules, do whatever you want on glass.” Europe and most of Asia still live and die by card‑scheme rules, and those rules, in turn, lean heavily on PCI for anything involving PIN and card data.

Europe: PCI Meets the Accessibility Police

  • In Europe, PIN on Glass and SoftPOS are rolling out fast, but almost always on certified payment devices or SoftPOS/MPoC platforms, not home‑grown kiosk keypads on a big PC monitor.

  • The European wrinkle is the European Accessibility Act (EAA) and related standards (like EN 301 549), which treat payment terminals as self‑service devices that must be usable by people with disabilities.

  • Smooth glass with a flat, pretty PIN keypad is great for industrial designers, not so great for a blind customer trying to find the “5” key. Expect European regulators and disability advocates to keep pressure on:

    • Tactile or alternative PIN options (separate keypads, overlays, audio flows, speech guidance).

    • Stronger design rules for large public touchscreens used for authentication, not just browsing.

  • Net effect: in the EU, the security bar is PCI/PTS/MPoC, and the usability bar is EAA + EN 301 549. Kiosks that want PIN on Glass will end up playing in both leagues at once.

Asia: Scheme‑Led, Regulator‑Flavored

  • In Asia, the main driver is the card brands and big PSPs rolling out SoftPOS and PIN‑on‑Glass programs across a patchwork of markets—Singapore, Hong Kong, Australia, various GCC/Asia hubs, and beyond.

  • Local regulators typically say, “If it’s compliant with the schemes and their security standards, we’re interested,” then add their own seasoning:

    • Data residency and local processing rules.

    • Extra authentication requirements in certain sectors.

    • Sometimes national accessibility guidelines, but not a single, region‑wide equivalent of the EAA (yet).

  • For kiosks, that means the architecture looks familiar:

    • Big screen for the experience.

    • Certified PoG terminal or SoftPOS/MPoC device doing the card and PIN work.

  • Some Asian markets may move faster toward “screen‑as‑PIN‑pad” on kiosk‑style devices simply because there’s less harmonized accessibility pressure, but they’ll still need to tick the same security boxes the schemes expect.

The Global Takeaway for Kiosk People

  • Everywhere that runs mainstream card schemes, PCI‑style security is the anchor, even if it isn’t written into local law word‑for‑word.

  • Europe adds a heavy accessibility overlay, which will shape how large screens can be used for PIN long term.

  • Asia is more of a “scheme + local regulator” patchwork, but the pattern is similar: if you want PIN on Glass, you use certified payment tech, not a DIY keypad on your 27‑inch menu board.

If you design your kiosks assuming “PCI device for PIN now, maybe more integrated glass later,” you’ll be in a good place whether the unit ships to Denver, Düsseldorf, or Dubai.

PIN on Glass – Quick FAQ

Q1: Is PIN on Glass actually allowed on kiosks today?

  • Yes, but only when it’s implemented on certified payment hardware or a certified software solution, not just any old touchscreen.

  • In practice that means using PCI PTS‑approved terminals with PoG or PCI SPoC/MPoC‑based SoftPOS solutions, bolted onto or integrated into the kiosk.

Q2: Why can’t I just draw a PIN keypad on my 22″ PC touchscreen?

  • Because PCI (and the card brands) treat that as an uncontrolled, high‑risk environment—too easy to tamper with, overlay, or shoulder surf.

  • Certified PoG and SoftPOS solutions have a whole stack of extra protections: secure card readers, isolated PIN entry, active monitoring, and strict certification.

Q3: What’s the difference between PIN on Glass and PIN on Mobile?

  • PIN on Glass usually means PIN entry on the touchscreen of a PCI‑certified payment device (a terminal that happens to have glass instead of buttons).

  • PIN on Mobile / PIN on COTS means PIN entry on a merchant’s phone or tablet running a SoftPOS‑type app, governed by PCI’s SPoC/MPoC standards.

Q4: How does Europe change the picture?

  • Europe still uses PCI/PTS/MPoC for security, but adds the European Accessibility Act and EN 301 549, which push payment interfaces (including kiosks) to be usable for people with disabilities.

  • That makes “all‑glass, no tactile cues” more controversial, so expect hybrid approaches: PoG plus audio, haptics, or separate tactile options.

Q5: Is PIN on Glass more or less secure than a classic PIN pad?

  • It’s different, not automatically weaker: certified PoG and SoftPOS solutions rely on device‑level security, encryption, and remote monitoring instead of a simple metal keypad.

  • The risk comes when people skip the certification and roll their own on a generic touchscreen—that’s where PCI and the schemes draw the line.

Q6: When will I be able to use the main kiosk screen for PIN entry?

  • Technically, pieces of that future are already here: some “tablet‑style” payment devices can be embedded so tightly that they feel like part of the kiosk screen.

  • Broad approval for “any big screen as PIN pad” is unlikely, but kiosk‑class devices that are also certified payment terminals are very likely over the next few years as SoftPOS and MPoC mature.

Q7: Where is the list of validated MPoC applications (which changes all the time, etc.)?

Author: Craig Allen Keefner

With over 40 years in the industry, Craig is considered to be one of the top experts in the field. Kiosk projects include the Verizon Bill Pay kiosk and thousands of others. Craig was co-founder of kioskmarketplace and formed the KMA. Note that the point of view here is not necessarily the stance of the Kiosk Association or kma.global. Currently he manages The Industry Group.