Friday, July 10, 2009

How HomeATM Creates a "Card Present" Enviro on the Web


HomeATM's Internet Transactions No Different than Pay at Pump Terminals

Some readers have questioned whether a transaction made with HomeATM's PCI 2.0 Certified PIN Entry Device would qualify as a card-present transaction. I say why wouldn't it? The consumer swipes their card and the consumer enters their PIN (into a PCI 2.0 Certified PED). I would argue that it is safer than transactions already classified as "card present," such as the one depicted on the left. Why? You are swiping your card in the privacy of your own home, so no one can see you enter your PIN and there is no danger of a skimming device having been implanted.

I'd like to set up why the HomeATM transaction is a "card present" transaction by utilizing an excerpt from ATM Marketplace in which they point out how skimming attacks are leading to discussions concerning the USA switching over to "Chip and PIN".

As Canada ramps up its EMV migration, pressure on the U.S. intensifies - By Tracy Kitten, editor of ATM Marketplace

Adoption of the Europay, MasterCard, Visa (EMV) Chip and PIN standard is engulfing most of the world.
The movement of Mexico and Canada to the standard is putting pressure on U.S. financial institutions, as more of the world deems magnetic-stripe technology to be outdated and vulnerable to skimming attacks at ATMs and POS devices, including payment-accepting kiosks and pay-at-the-pump terminals.

Many experts suggest that card fraud will migrate to the States, because the mag-stripe is more vulnerable than the chip. Editor's Note: Hackers, like water, will find the path of least resistance and will focus on "card not present" (i.e. "The Web") where they will continue to have a field day.


"I think that one reason the U.S. has not moved to EMV is that the financial institutions there might not have a good handle on exactly how much fraud there is," she said. "Because the country has so many small FIs, and so many FIs overall, it's hard to really have a handle on what's going on everywhere."


Editor's Note: I agree that FIs don't have a good handle. When it comes to "card not present" environments I don't think they have a clue. Therefore, I think it would make a lot of sense (and be a lot less expensive than implementing EMV) to simply "eliminate signature debit" ... the cause of most "card not present" fraud.

If the US were to simply eliminate "signature debit" and replace it with PIN Debit, then the cloned cards made in Europe would not work (except in the rare circumstances where the bad guys had the PIN).

Once signature debit was eliminated, the next step would be to eliminate "card not present" environments. The biggest culprit is the World Wide Web.

There's an easy way to convert the web into a "card present" environment. HomeATM replicates the brick and mortar electronic transaction to a "T." Consumers would swipe their credit card, and if it were a debit card, would enter their PIN. Same way they do it in a retail location. Transactions that are swiped and have their PIN entered are not only classified as "card present"...they are classified as PIN Debit and boast the lowest interchange rates available.

That said, I humbly suggest that there is not one logical argument supporting the fact that a HomeATM transaction is not a true "card present" transaction...and I "implore" ANYONE who can muster one up to leave it in the comment section below. Especially when you consider the fact that the consumer not only swipes, but 2FA's themselves by entering their PIN.

What's that? Oh, you are giving me the "17 year-old cashier isn't there to verify that your signature on the receipt matches the one on the back of your card" argument? Yeah...Right! With all due respect, my response would be...yeah, but the cashier isn't there to "observe/record" your PIN either...so we eliminated a threat, not created one.

Let me ask you this...How do you get money out of an ATM? You have to have your "card present" and you have to know your PIN.

So how is what we do any different than going to an ATM and withdrawing cash? The banks allow you to do that in real time.

In reality, the Credit Card companies have the luxury of being able to "chargeback" a transaction in order to protect themselves. But they don't do it with PIN transactions, because the PIN proves "you are present!"

So...if it's good enough for the banks, how could it not be good enough for Visa or MasterCard?

What HomeATM does is it replicates ATM access for the web, which is why it is ideal for online banking log-in.

In fact, I could make the argument that our transaction is even safer than going to an ATM.  Here's why...you can rest assured there would be no skimming device or camera recording your PIN in the safety of your own home.


Further evidence that we provide a "card present" transaction is as follows:

We replicate a transaction conducted at "pay at the pump" terminals (except for the fact that there are no worries about skimmers having been placed inside the pump itself, AND we encrypt the Track 2 data). Come to think of it, we also replicate a payment-accepting kiosk.

The beauty of our approach is that neither scenario involves a 17 year-old "gamer-dude" carefully checking your signature...(yeah right) and our approach doesn't require shutting off store cameras, having anyone cover their eyes or making sure innocent (until proven guilty) bystanders are all on the up and up...as you enter your PIN. Why? Because, again, it's done in the safety and privacy of your own home!

Come to think about it, now I'm ready to argue that we create a new, "more secure standard" and therefore should have a "lower" Interchange Rate than regular PIN Debit.

What HomeATM creates is a Skimmer/Camera Free/Nobody Looking over your Shoulder/Safety of Your Own Home "Card Present" transaction!


Speaking of creation, when HomeATM created its "software-based" PIN Debit solution...there were four issues we identified as problematic.
  • 1. Transactions done within the web browser are subject to myriad intrusions by fraudsters...
  • 2. C-Level Intel Executive laughed us out of the room when we presented it to them...
  • 3. Without the consumer swiping the card, there was absolutely no way to know whether they are "in possession" of it...so a software based PIN Debit application "cannot be" classified as "card present"  (therefore it would be subject to a much higher interchange than if it were swiped)
  • 4. We briefly wondered what would happen when EMV became ubiquitous. We wondered how a software solution could be capable of transacting the data embedded on the chip? (Hint: It wouldn't)

HomeATM is EMV (Chip and PIN) ready because our engineers had the 20/20 foresight to envision what tomorrow would bring. Since then, tomorrow has already brought skyrocketing internet fraud, skyrocketing "card not present" fraud, and EMV has become ubiquitous most everywhere in the world, sans United States.

But now there is a lot of chatter regarding EMV coming to the States. When it does, it will be interesting to compare the Interchange Rate of a transaction that reads the embedded chip and has the user enter their PIN vs. a software application that instructs you to "type" in your card number and mouse-click your PIN. When put in those terms, you probably have a better understanding as to why our engineering team thought software PIN debit already sounded obsolete to them...

And now you know why "Card Present" Skimmer/Camera Free Transactions can only be conducted by swiping YOUR card, and entering YOUR PIN, in the SAFETY of YOUR home...with SAFE-T-PIN!


To read the rest of the story about EMV Coming to America, click here









