Merchant Risk Council’s Platinum Day – Afternoon Sessions

by Allen Weinberg on March 10, 2009

in Allen Weinberg, Conferences & Meetings, Debit Cards, Ecommerce Payments, Merchant Risk Council, PINless Debit


Is Now the Time for Online PIN Debit?

This session was presented by Mike Strada from Chase Paymentech. Mike is a fan of online PIN debit, especially the notion of giving merchants more choices. His discussion focused on the different options the 12 North American debit networks are exploring.

Several of the debit networks are exploring PIN debit; some aren’t. ACCEL, NYCE, PULSE and STAR are doing PINless debit for utility and other low-risk payments. Mike explained that these are the four networks that are exploring PIN debit on the Internet. Three of these four (all except STAR) have recently announced PIN debit pilots.

Mike maintains that PIN debit for ecommerce transactions could provide some incremental sales lift for merchants, especially since 14% of debit cards are “ATM only” – i.e., they don’t have a MasterCard or Visa logo on them and thus can’t be used for general ecommerce transactions.

Mike explored the pros and cons of the four alternatives:

  • Acculynk (formerly ATM Direct, previously owned by the now-defunct Pay By Touch). ACCEL, NYCE and PULSE have all signed LOIs to do pilots with Acculynk. Mike thinks two more debit networks will announce pilots within the next 90 days.
  • Safe-Debit (the same name as the program NYCE took to market years ago using a CD-ROM token). This iteration uses Verient’s platform to redirect the user to the customer’s home banking site for authentication. In this case, the cardholder is sent a one-time PAN for use at the merchant site. They hope to do a pilot in the first half of 2009. This, of course, requires a redirect, which scares a lot of merchants due to the increased risk of abandoned shopping carts.
  • Claerity – the technology lets a consumer register a cell phone number with their DDA financial institution. The bank, via the network, sends a one-time password back to the cell phone, which the shopper enters on the merchant checkout page. The network compares the one-time password sent to the cell phone with the one entered by the consumer. It is not clear who will bear the cost of the SMS message. They are hoping for a 2009 pilot, but it is unclear if that is on track.
  • Home ATM – a Canadian firm that distributes a USB PIN pad with a mag-stripe card reader that encrypts the data. It has a distribution agreement with Microsoft, but no announced pilots.

Mike acknowledged one of the big issues that Glenbrook encounters with our merchant clients – critical mass and the challenge of getting online merchants to adopt two or three (forget four or more) different processes. Our clients tell us they’ll consider it when the networks adopting a particular approach/technology bring a critical mass of cardholders in aggregate. My sense is that STAR has critical mass unto itself. The next three largest networks (assuming Interlink and Maestro won’t play) would need to converge on a solution to bring critical mass to market. That’s just my opinion. Mike doesn’t think standardization will happen in the foreseeable future, and Paymentech has decided to move forward anyway.

Mike (Chase Paymentech) predicts that by the end of 2010, most of the major networks will implement online debit products (excluding, of course, Interlink and Maestro), with transaction pricing somewhere in between physical POS interchange and online Visa/MasterCard interchange.

Mike also predicted that by 2012, online PIN debit could be the most widely used payment mechanism on the Internet. The operating rules for handling online PIN debit transactions haven’t been worked out, but they’re working on it. He acknowledges that the rules really should be, and probably will be, standardized across networks.

Chase Paymentech has agreed to do a pilot with Acculynk (and is looking for merchants to participate).

Of course, there’s the fraud risk associated with these new products (Mike acknowledged it, but didn’t spend much time on this area).

Mike feels the consumer proposition is one of safety, security, and identity theft protection.

One question I have is whether 3D Secure technology could do just as well as the four products/technologies mentioned above. Mike thought that it probably could, but he wasn’t aware that any of the debit networks had considered that path (which could mitigate the merchant adoption problem).

The merchants in the audience were somewhat skeptical on a number of fronts. For example, how would split shipments that span the authorization time frames be handled? They worried about the consumer value proposition and recalled all the issues they encountered with 3D Secure, particularly how the banks/issuers didn’t do as good a job as they needed to of educating their cardholders.

3 Responses to “Merchant Risk Council’s Platinum Day – Afternoon Sessions”

  1. You questioned whether 3D Secure Technology could do just as well as the four products/technologies mentioned above. You pose an interesting question, but I want to point out that you cannot lump those four together, as there is one key distinction. 1 uses a hardware device. The other 3 are software-based.

    Which leads me to ask a pertinent question… How is it even “possible” to “securely” process a PIN Debit transaction WITHOUT hardware (a magnetic stripe reader and PED)? If a software application is utilized, then, by definition, it is a Card Not Present transaction. Thus a software-based approach “cannot” be a pure PIN Debit play… as the card “must” be present in order to process the track data located on the magnetic stripe.

    Remember…all PIN-based transactions “require” the submission of valid track data in order for the PIN to be properly decrypted. Without track data, PIN submission becomes unnecessary and the transaction is better submitted as a manually-entered credit card transaction (without a PIN), therefore 3D Secure would be just, if not more, effective.

    For a true PIN Debit transaction to occur, a developer must implement PIN support as part of the submission process. Without track data, it becomes impossible to encrypt or decrypt PIN numbers (because the magnetic stripe data is used as part of PIN encryption/decryption). If track data is not submitted, a debit card transaction becomes impossible and the transaction becomes a manually-entered credit card transaction.

    That said, I would have to agree with Allen when he says there’s a fraud risk associated with these new products (the lone exception being the one who utilizes a hardware “SwipePIN” device capable of not only providing: E2EE, 3DES DUKPT, but also encrypting the Track 2 data as well.) Track2 = PAN+Separator+Expiry Date+ServiceCode+Pvk Index+ PVV + CVV

    Is it a coincidence that the event is called “The Merchant Risk Council” and although Mike Strada “acknowledged the risk of fraud… “he didn’t spend much time on it?”

    PIN Debit card transactions require the availability of two (unless you combine them into one) hardware device(s): a PIN pad and a magnetic stripe reader. Unless both a PIN pad (which is configurable with a working key) and a magnetic stripe reader are available and operational, these debit card transaction examples cannot be applied, as a PIN Debit card transaction requires both track data and an encrypted PIN to proceed.

    Therefore, the only logical conclusion is that a hardware device is required, not optional. What’s the big deal with a hardware device anyway? Did you ever have to charge your cell phone… sometimes a hardware accessory is necessary to protect the Holy Grail (PINs).

    Otherwise the Heartland Breach will pale in comparison to what will happen if people start putting their PINs into a software-based application. The writing has never so clearly been written on any wall.

    Where am I wrong here? Where is Avivah Litan wrong? Where are the Society of Payment Security Professionals wrong? I’m dying to know, because I was a founding shareholder in Pay By Touch and could have bought ATMDirect out of the PBT bankruptcy “cheap.” You mean to tell me that PayPal will fork out nearly $1 BILLION for Bill Me Later but said “later” when it came to forking out $600K for ATMDirect? If so, and PIN Debit is the most widely used payment mechanism on the internet by 2012 (as Mike Strada/Chase Paymentech predicts), then not even bidding on ATMDirect will go down as one of the biggest mistakes in PayPal/eBay history.
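The Track 2 layout and the PIN/PAN binding this comment describes, as an added example that is not from the post or its commenters: it parses a constructed Track 2 string and forms an ISO 9564-1 format 0 PIN block, which XORs the PIN with the PAN, so the clear block cannot be interpreted without the matching PAN. The 3DES/DUKPT encryption of the block is omitted, and the PAN, expiry, PVKI, PVV and CVV values are constructed test data.

```python
def parse_track2(track: str) -> dict:
    """Split raw Track 2 (;PAN=YYMMSSS<discretionary>?) into its fields."""
    body = track.strip()
    if not (body.startswith(";") and body.endswith("?")):
        raise ValueError("missing Track 2 start/end sentinel")
    pan, rest = body[1:-1].split("=", 1)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("bad PAN")
    disc = rest[7:]  # discretionary data, laid out here as PVKI(1) PVV(4) CVV(3)
    return {
        "pan": pan,
        "expiry": rest[0:4],  # YYMM
        "service_code": rest[4:7],
        "pvki": disc[0:1],
        "pvv": disc[1:5],
        "cvv": disc[5:8],
    }

def _pan_field(pan: str) -> str:
    # ISO 9564 format 0: 12 rightmost PAN digits, check digit excluded, left-padded
    return "0000" + pan[:-1][-12:]

def _xor_hex(a: str, b: str) -> str:
    return "".join(f"{int(x, 16) ^ int(y, 16):X}" for x, y in zip(a, b))

def pin_block_format0(pin: str, pan: str) -> str:
    """Clear-text format 0 PIN block: PIN field XOR PAN field (16 hex nibbles)."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")  # control 0, length, PIN, F pad
    return _xor_hex(pin_field, _pan_field(pan))

def pin_from_block(block: str, pan: str):
    """Recover the PIN from a clear format 0 block; None if the PAN does not fit."""
    field = _xor_hex(block, _pan_field(pan))
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        return None
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        return None
    return pin

if __name__ == "__main__":
    # Constructed sample: the widely used test PAN 4111111111111111, PIN 1234.
    fields = parse_track2(";4111111111111111=251210112345678?")
    block = pin_block_format0("1234", fields["pan"])
    print(block, pin_from_block(block, fields["pan"]))  # 041225EEEEEEEEEE 1234
    print(pin_from_block(block, "5555555555554444"))    # None: different PAN
```

Decoding with a different PAN fails the padding check, which is the binding the commenter is pointing at: the PAN from the stripe is part of the PIN block, not just a lookup key.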

  2. At the end of the day a debit card is a pointer to funds in the customer’s account and the PIN is the security measure to allow the transaction to be processed in real-time. If you have a way to process a real-time payment from a customer’s account with the level of security of a PIN Debit (or better…), you have a solution for Internet PIN Debit without the card and without the PIN. The most efficient alternative, clean of legacy card networks and more cost efficient for financial institutions, would be an e-Debit system interconnecting banks’ customers and payees directly in a secure environment with real-time clearing capabilities. This type of solution offers enough flexibility to allow immediate and deferred payments, simplified refunds and cancellations and keeps the customer’s data safe from breaches.

  3. Manju Murthy says:

    I wonder whether the Chip-and-PIN readers being shipped in the UK and in Europe have a better chance of success for online commerce transactions that support multiple factors of authentication, and therefore lower risk and lower interchange.
