Remittance Use Seen for Online PIN Debit Device
Thursday, April 9, 2009
By Will Hernandez
HomeATM ePayment Solutions, which offers a system that lets people make online purchases with PIN debit cards, is now promoting its technology for remittances and online banking.
(Editor's Note: That's not to say that we're NOT promoting it for use with eCommerce transactions. We most certainly are. In fact, our device provides the ONLY "TRUE PIN Debit" application...as it enables a "card present" transaction. By definition, a software-based application is, and always will be, a "card not present" transaction... therefore it would not qualify for "card present" Interchange rates...let alone card present PIN Debit Interchange.)
The Montreal company said last month that its SafeTPIN device meets the Payment Card Industry data security standard, and Ken Mages, HomeATM's chairman and chief executive, said last week that his company had signed a deal with a foreign remittance company that plans to distribute 250,000 of the devices to U.S. consumers, who could use them to send money to their home countries. He would not name the remittance company or say where it is based.
"Once those units are out there, they do us a lot of good because they can be used for any merchant who wants to use our payment method," Mages said.
The SafeTPIN devices incorporate both a card reader and PIN pad; it plugs into a computer's USB port. Participating Web sites prompt users to swipe their debit cards and enter their PIN to complete the transaction.
John B. Frank, HomeATM's executive adviser, said the PCI certification could make online merchants more willing to accept the device since HomeATM would be liable for any breach linked to a SafeTPIN.
Editor's Note: That's fine, what's printed above, however, my actual quote was this: "One of the major benefits to merchants who would choose to utilize HomeATM's PCI 2.0 PED certified device is that it would effectively remove them from the scope of PCI DSS compliance, and that fact alone could save them hundreds of thousands, if not millions of dollars." But I'll go with American Banker's quote...Here's why:
The device is also easy to use in sending remittances, Frank said.
HomeATM's solution Triple DES encrypts the "entire" transaction in our PCI 2.0 PED certified device (including the Track 2 data) AND utilizes DUKPT key management. So we not only have TRUE PIN Debit, but we have TRUE end-to-end encryption (E2EE). Even in the unlikely event a hacker were to intercept a transaction (and unencrypt it, and get lucky and guess the PIN), they would have ONE card. That's it. DUKPT key management assigns an individual key to each transaction. Since hackers, like water, find the path of least resistance, I don't think they'd exhaust the time and effort necessary to enable them to try and "guess" the PIN...in order to obtain the information for just ONE card. I think it's much more likely that they'd go after a software application as software is 92 million times easier to breach...which is why 92% of all breaches are software related. Continuing on with the American Banker article:
A dedicated Web site prompts the sender to enter his name and e-mail address, the recipient's name and e-mail address and the amount. The sender also selects a security question, the answer to which is known by both parties. The sender then swipes his or her card and enters the PIN to complete the transaction. (Senders can also use credit cards by using the same PIN that they already use for automated teller machine withdrawals.) Both the sender and recipient receive a confirmation by e-mail. To claim the money, the recipient visits the Web site, answers the security question and swipes his or her debit card through a SafeTPIN device and enters a PIN. The funds are instantly transferred to the recipient's checking account.
"It's user-friendly," Frank said. "Consumers (have been swiping their cards at retail locations for years) already know how to go to a retailer, swipe their card and enter a PIN."
Mages said his company has not yet set a price for the SafeTPIN devices; he expects merchants and banks to take the lead in distributing them to consumers.
HomeATM will also offer the device to banks as a tool to authenticate online banking customers.
SafeTPIN is more secure than the user name-password combination widely used today, Mages said. "If someone puts malware on your computer and they are keylogging the strokes or they phished you to a third party, they are going to be able to read your bank account."
Paul Turgeon, a senior consultant at the research firm Payments and Processing Consultants, in Chicago, said that consumers' online banking passwords can be hacked but that a hardware device offers strong security.
Turgeon formerly worked at Metavante Technologies Inc.'s NYCE Payments Network LLC debit unit, where he helped develop a similar card reader for consumers, SafeDebit.
He said HomeATM's device is a "reasonably affordable and very good" product but that the technology is not an issue. Merchants and banks that would consider offering the devices to consumers need to believe it is worth the investment.
Merchants will wonder "how many consumers is it going to get for me," he said, and banks will ask "what is the interchange rate." (The answer is TRUE card present, PIN Debit published rates) Any kind of Internet PIN-debit product will face challenges until something can "get enough mass to get both parties interested." Editor's Note: Challenges are fun.
Turgeon also said the Federal Financial Institutions Examination Council has required two-factor authorization for online banking for some time "and no one I know is doing it very well."