Tuesday, March 24, 2009

BSMS - Both Sides of the Mouth Syndrome


I bring you this story from IT World because it demonstrates the direction the payments industry is going with data at the point of sale.

Interestingly, the opposite direction (You're doing it Wrong) is being taken by EFT Networks who will be piloting a software vs. hardware Internet PIN Debit initiative. 

While the brick and mortar world is looking for ways to improve security, the Internet Payments Space is apparently looking for ways to improve convenience "at the expense" of security.

In the following article, VISA  talks about new initiatives to reduce payment card fraud.  Visa wants to "utilize" the "magnetic stripe" to improve security!  

Meanwhile, Accel/Exchange and Pulse are rolling out a pilot that completely ignores the security the magnetic stripe provides.

Utilizing the Acculynk "convenience over security approach," a consumer can simply type in their PAN (primary account number) for all to see, but... ironically, they then lock your keyboard, saying "don't type in your PIN" (because typing is not secure).



Okay, so which is it?  If we're supposed to trust you when you say it's okay to "type, not swipe" your PAN, but then you tell us "We have to lock your keyboard" in order to ensure you "DON'T TYPE in the PIN" (because it's NOT SAFE), why should I believe you when you say it's safe to click?  I may be dumbfounded, but I'm not dumb.  It's just not "clicking" for me...

I call that BSMS... "Both Sides of the Mouth Syndrome".  It's safe to TYPE in your PAN, but whatever you do... DON'T TYPE in your PIN.  That TICS (Tongue in Cheek Syndrome) me off!



Whereas Visa is talking about "enhancing" the magnetic stripe with a digital fingerprint, Acculynk, Pulse and Accel are piloting a program whereby NO MAGNETIC STRIPE data is even captured, and because the card is NOT SWIPED... your PAN and PIN probably will be...

I guess that qualifies merchants for that elusive and infamous Interchange Rate known as "Card Not Present -  PIN." 

Here are excerpts from the story... demonstrating, in no uncertain terms, that not only is the magnetic stripe essential for security, but it needs to be further enhanced.  Meanwhile, on the web, certain players don't think they need it at all.  Amusing to say the least:

Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior Visa Inc. executive Thursday described two new initiatives to reduce payment card fraud being tested by the company.

One of the pilots involves Fifth Third Bank, which is testing the use of magnetic stripe technology to create unique digital fingerprints for cards, said Ellen Richey, Visa's chief enterprise risk officer. Each stripe contains unique characteristics that can be captured and used to verify the digital identity of the card, Richey said during a security event being hosted by Visa today.


Dan Roeber, vice president and manager of merchant PCI compliance at Fifth Third, said the bank had rolled out about 1,000 card readers to retailers who have not been informed about the pilot effort. The terminals (Editor's Note:  HARDWARE) are capable of reading the magnetic stripe information and creating a "DNA picture" of the card which is then matched during the authorization process, against baseline information for that card stored by the card issuer, he said during a panel discussion at the event Thursday.

During the pilot process, baseline images or fingerprints for a card are created when it is first swiped through one of the new readers (HARDWARE), Roeber said. But going forward, if the approach works, baseline images for each card could be created and stored during the card issuing process itself, Roeber said. "Even if somebody gets into a database and makes fraudulent cards, the DNS fingerprints are not going to match," Roeber said. "The thing I really like about this technology is that there are no key management issues," as is the case with the use of end to end encryption for protecting cardholder data.

"We are very excited about this technology," he said.

Richey said that while these projects were not quite ready for broad roll-out yet, they were indicative of the kind of approaches that could be used to make stolen data useless at the point of sale.


Richey said Visa was not opposed in the future to the idea of using chip and PIN technologies that are used widely in Europe. They require consumers to enter PIN numbers, instead of signing, when making credit card transactions. The approach is widely considered to be safer than purely signature-based transactions, but it would require considerable investments on the part of card issuers to make the change. Richey said today that Visa "fully" supports the technology and said it was not a matter of "if" but "when" and "how" the technology would be adopted in the U.S.

Editor's Note:  Translation:  If it's not a matter of "if" but a matter of "when," then BY DEFINITION, Acculynk's solution is short-lived, because without hardware, you cannot do an EMV transaction.  HomeATM's hardware is EMV ready.


Dave Weick, CIO at McDonalds Corp., discussed during a panel a new plan to minimize threats against payment card data. He described how the fast-food giant was exploring how to completely segregate all payment card data and transactions from the rest of its internal network. Weick said McDonalds had developed a way to accept payment card transactions without letting any of that data touch any of its own internal systems, including its point-of-sale devices.

Editor's Note: Hmmmm....sounds like something HomeATM already DOES...for web based merchants, including the following:

No one in the company's internal system would have access to any cardholder data, and even the portion of the network that deals with card transactions would be handled by an outside vendor, Weick said. "We are very early on in this," he said, adding that the plan was to first roll out the approach to company-owned restaurants before deploying it across all franchises.

Click To Read the Entire Story at IT World







