Wednesday, March 11, 2009

Chase Paymentech Predicts: PIN Debit Ubiquitous on Web by 2012

Merchant Risk Councils Platinum Day - Afternoon Sessions
by Allen Weinberg - Glenbrook Partners Payments Views

Allen Weinberg, from Glenbrook Partners, who is blogging about the Merchant Risk Council's Las Vegas conference, wrote an article in Payment Views entitled: "Is Now the Time For Online PIN Debit?"

Mike Strada, from Chase Paymentech, predicts that PIN Debit on the Internet will be the most widely used payment mechanism on the web by 2012. I agree.

Allen also talks about 4 solutions, and whether 3D Secure might be just as good, if not a better solution. I took a moment out of my morning to leave a comment ascertaining that the answer is probably yes...for all but one.

Allen Weinberg: Is Now the Time for Online PIN Debit?

This session was presented by Mike Strada from Chase Paymentech. Mike is a fan of online PIN debit, especially the notion of giving merchants more choices. His discussion focused on the different options the 12 North American debit networks are exploring.

Several of the debit networks are exploring PIN debit, some aren’t. ACCEL, NYCE, PULSE and STAR are doing PINless debit for utility and other low risk payments. Mike explained that these are the 4 networks that are exploring PIN debit on the Internet. Three of these four (all except STAR) have recently announced PIN debit pilots.


Mike maintains that PIN debit for ecommerce transactions could provide some incremental sales lift for merchants, especially since 14% of debit cards are “ATM only” – i.e., they don’t have a MasterCard or Visa logo on them and thus can’t be used for general ecommerce transactions.

Mike explored the pros and cons of the four alternatives:
  • Acculynk (formerly ATM Direct, previously owned by now-defunct Pay By Touch). ACCEL, NYCE and PULSE have all signed LOIs to do pilots with Acculynk. Mike thinks two more debit networks will announce pilots within the next 90 days.
  • Safe-Debit (the same name of the program NYCE went to market years ago using a CD ROM token). This iteration is using Verient’s platform to redirect the user to the customer’s home banking site for authentication. In this case, the cardholder is sent a one time PAN for use at the merchant site. Hoping to do a pilot in first half of 2009. This, of course, requires a redirect which scares a lot of merchants due to the increased risk of abandoned shopping carts.
  • Claerity – technology allows consumer to register cell phone number with their DDA FI. The bank, via the network, sends one time password back to cell phone which the shopper enters on merchant checkout page. Network compares the onetime password sent to cell phone with the one issued to the consumer. Not clear who will bear the cost of the SMS message. Hoping for a 2009 pilot, but unclear if on track.
  • Home ATM – Canadian firm distributes USB PIN pad that has a mag-stripe card reader and encrypts data. Has a distribution agreement with Microsoft, but no announced pilots.

Mike acknowledged one of the big issues that Glenbrook encounters with our merchant clients – critical mass and the challenge of getting online merchants adopting two or three (forget four or more) different processes. Our clients tell us they’ll consider it when the networks adopting a particular approach/technology bring critical mass of cardholders in aggregate. My sense is that STAR has critical mass unto itself. The next 3 largest networks (assuming Interlink and Maestro won’t play) would need to converge on a solution to bring critical mass to market. Just my opinion, but Mike doesn’t think standardization will happen in the foreseeable future, and Paymentech has decided to move forward anyway.

Mike/Chase Paymentech is predicting that by the end of 2010, most of the major networks will implement online debit products (excluding, of course, Interlink and Maestro), with transaction pricing somewhere in between physical POS interchange and online Visa/MasterCard interchange.

Mike also predicted that by 2012, online PIN debit could be the most widely used payment mechanism on the Internet.


The operating rules for handling online PIN debit transactions haven’t been worked out, but they’re working on it. He acknowledges that the rules really should be, and probably will be standardized across networks.

Chase Paymentech has agreed to do a pilot with Acculynk (and is looking for merchants to participate).

Of course there’s the fraud risk associated with these new products (Mike acknowledged it, but didn’t spend much time on this area).


Mike feels the consumer proposition is one of safety, security, and identity theft protection.

One question I have is whether 3D Secure technology could do just as well as the above four products/technologies mentioned above. Mike thought that it probably could, but he wasn’t aware that any of the debit networks had considered that path (could mitigate merchant adoption problem).

The merchants in the audience were somewhat skeptical on a number of fronts. For example, how to deal with split shipments that span the authorization time frames. They worried about consumer value proposition and recalled all the issues they encountered with 3D Secure, particularly how the banks/issuers didn’t do as good a job as they needed to educating their cardholders.



John B. Frank 03.11.09 at 5:50 am


You questioned whether 3D Secure Technology could do just as well as the four products/technologies mentioned above. You pose an interesting question, but I want to point out that you cannot lump those four together, as there is one key distinction. 1 uses a hardware device. The other 3 are software-based.

Which leads me to ask a pertinent question… How is it even “possible” to “securely” process a PIN Debit transaction WITHOUT Hardware? (a magnetic stripe reader and PED) If a software application is utilized, then, by definition, it is a Card Not Present transaction. Thus a software based approach “cannot” be a pure PIN Debit play… as the card “must” be present in order to process the track data located on the magnetic stripe.

Remember… all PIN-based transactions “require” the submission of valid track data in order for the PIN to be properly decrypted. Without track data, PIN submission becomes unnecessary and the transaction is better submitted as a manually-entered credit card transaction (without a PIN), therefore 3D Secure would be just, if not more, effective.

For a true PIN Debit transaction to occur, a developer must implement PIN support as part of the submission process. Without track data, it becomes impossible to encrypt or decrypt PIN numbers (because the magnetic stripe data is used as part of PIN encryption/decryption). If track data is not submitted, a debit card transaction becomes impossible and the transaction becomes a manually-entered credit card transaction.

That said, I would have to agree with Allen when he says there’s a fraud risk associated with these new products (the lone exception being the one who utilizes a hardware “SwipePIN” device capable of not only providing: E2EE, 3DES DUKPT, but also encrypting the Track 2 data as well.) Track2 = PAN + Separator + Expiry Date + ServiceCode + Pvk Index + PVV + CVV

Is it a coincidence that the event is called “The Merchant Risk Council” and although Mike Strada “acknowledged the risk of fraud… “he didn’t spend much time on it?”

PIN Debit card transactions require the availability of two (unless you combine them into one) hardware device(s): a PIN pad and a magnetic stripe reader. Unless both a PIN pad (which is configurable with a working key) and a magnetic stripe reader are both available and operational, these debit card transaction examples cannot be applied as a PIN Debit card transaction requires both track data and an encrypted PIN to proceed.

Therefore, the only logical conclusion is that a Hardware device is required, not optional. What’s the big deal with a hardware device anyway? Did you ever have to charge your cell-phone… sometimes a hardware accessory is necessary to protect the Holy Grail. (PIN’s)

Otherwise the Heartland Breach will pale in comparison to what will happen if people start putting their PIN’s into a software-based application. The writing has never so clearly been written on any wall.

Where am I wrong here? Where is Avivah Litan wrong? Where are the Society of Payment Security Professionals wrong? I’m dying to know, because I was a founding shareholder in Pay By Touch and could have bought ATMDirect out of the PBT bankruptcy “cheap.”

You mean to tell me that PayPal will fork out nearly $1 BILLION for Bill Me Later but said “later” when it came to forking out $600K for ATMDirect? If so, and PIN Debit is the most widely used payment mechanism on the internet by 2012, (as Mike Strada/Chase Paymentech predicts) then not even bidding on ATMDirect will go down as one of the biggest mistakes in PayPal/Ebay history. (and mine) But I think we're both fine...
