Which leads me to ask a pertinent question… How is it even “possible” to “securely” process a PIN Debit transaction WITHOUT Hardware? (a magnetic stripe reader and PED) If a software application is utilized, then, by definition, it is a Card Not Present transaction. Thus a software based approach “cannot ” be a pure PIN Debit play…as the card “must” be present in order to process the track data located on the magnetic stripe.

Remember…all PIN-based transactions “require” the submission of valid track data in order for the PIN to be properly decrypted. Without track data, PIN submission becomes unnecessary and the transaction is better submitted as a manually-entered credit card transaction (without a PIN), therefore 3D Secure would be just, if not more, effective.

For a true PIN Debit transaction to occur, a developer must implement PIN support as part of the submission process. Without track data, it becomes impossible to encrypt or decrypt PIN numbers (because the magnetic stripe data is used as part of PIN encryption/decryption). If track data is not submitted, a debit card transaction becomes impossible and the transaction becomes a manually-entered credit card transaction.

That said, I would have to agree with Allen when he says there’s a fraud risk associated with these new products (the lone exception being the one who utilizes a hardware “SwipePIN” device capable of not only providing: E2EE, 3DES DUKPT, but also encrypting the Track 2 data as well.) Track2 = PAN+Separator+Expiry Date+ServiceCode+Pvk Index+ PVV + CVV

Is it a coincidence that the event is called “The Merchant Risk Council” and although Mike Strada “acknowledged the risk of fraud… “he didn’t spend much time on it?”

PN Debit card transactions require the availability of two (unless you combine them into one) hardware device(s): a PIN pad and a magnetic stripe reader. Unless both a PIN pad (which is configurable with a working key) and a magnetic stripe reader are both available and operational, these debit card transaction examples cannot be applied as a PIN Debit card transaction requires both track data and an encrypted PIN to proceed.

Therefore, the only logical conclusion is that a Hardware device is required, not optional. What’s the big deal with a hardware device anyway? Did you ever have to charge your cell-phone…sometimes a hardware accessory is necessary to protect the Holy Grail. (PIN’s)

Otherwise the Heartland Breach will pale in comparison to what will happen if people start putting their PIN’s into a software-based application. The writing has never so clearly been written on any wall.

Where am I wrong here? Where is Avivah Litan wrong? Where are the Society of Payment Security Professionals wrong? I’m dying to know, because I was a founding shareholder in Pay By Touch and could have bought ATMDirect out of the PBT bankruptcy “cheap.”. You mean to tell me that PayPal will fork out nearly $1 BILLION for Bill Me Later but said “later” when it came to forking out $600K for ATMDirect? If so, and PIN Debit is the most widely used payment mechanism on the internet by 2012, (as Mike Strada/ChasePaymentech predicts) then not even bidding on ATMDirect will go down as one of the biggest mistakes in PayPal/Ebay history.