Editor's Note: First off, let me be perfectly clear. This is good news in terms of bringing PIN Debit to the web and I don't want to appear biased in any way when I publish my analysis of this announcement tomorrow.
For the record, I've spoken with Acculynk's co-founder and President, Nandan Sheth, several times over the past year and frankly, I've got nothing but good things to say about him. He's an excellent marketer and an excellent sales professional. He has taken a company (ATMDirect) which started in Dallas several years ago (and was subsequently acquired by Pay By Touch, with whom I was a founding shareholder) and has done more with it, in a very short time, than either Pay By Touch or its founder, Mr. Zeiglar, had done over the last decade. A magnificent job on Mr. Sheth's part. I look forward to meeting with him at FinovateStartup'09 in April where both HomeATM and Acculynk will be demonstrating their wares...ours hard...his soft...er simple I think it says on the graphic to your left.
With that said, tomorrow I shall Type, Not (take a) Swipe at my understanding of why the methodology behind Acculynk's software based solution could put users at risk. I will use recently published examples, and ask questions as to whether those same recent exploits could apply to any software-based (I'm not picking on Acculynk) Internet PIN Debit solution. And I'm not alone...Avivah Litan, Gartner's Distinguished Analyst, predicted that processors would be next to be hacked. She's even recently implied she thinks Visa's next. I think she presents her opinion in very simple terms. In a recent ATM&Debit News article entitled "HomeATM Wants to Change the E-Commerce Experience" she says:
"I would highly recommend (to any consumer) not entering their PIN anywhere on the Internet unless it were hardware-based" - Avivah Litan
Talk about transmitting in clear text! That's about as clear as it gets. Any questions? Do ask.
As regular readers of this blog are most certainly aware, I have pointed out many times that in today's fraud-ridden payments space, it is clear there is a distinct need for end-to-end encryption. E2EE has been getting a lot of coverage lately on the heels of the "massive" Heartland Payment Systems (HPY) breach. Whereas HPY co-founder and CEO Robert (Bob) O. Carr is calling for it to position his company's defense in impending class-action lawsuits, HomeATM has incorporated it into its payment schemata since January 2007, well before any processor had been breached. Note: It is my opinion that the Heartland call for E2EE is a legal maneuver designed to PIN the blame on V/MC...otherwise he'd have called for it prior to the breach. It's part of their strategy to "meritoriously defend" themselves. V/MC leaves a window open when they receive the unencrypted data, and that window may be the only window of opportunity Bob O. Carr has to keep his company alive. But that's a post for another day...getting back to true end-to-end encryption, security and how it relates to Acculynk...
I understand that with Acculynk's approach, the keyboard is locked (preventing keylogging) when the floating PIN Pad comes up, but if a consumer/user can see the Graphical User Interface (GUI), then so can the hackers. That's not only my contention but one that is shared by many respected authorities in the payments industry.
Keylogging is but one method of attack. Screen scraping is another oldie, but goodie. The floating PIN Pad can float all it wants and it can scramble and shuffle the numbers all it wants, but at the end of the day...if a hacker has control over the user's PC, via malware, bots, etc., they can watch the consumer move the mouse arrow as it approaches the GUI (and screen save) each entry of each number of the PIN. Holy Grail Batman!
I understand that there's encryption, but I'm not quite sure how this method would lower interchange fees, since the transaction would still technically be a "card not present" (CNP) transaction because it requires the consumer to "type" in their Personal Account Number (PAN) and therefore, it's a CNP transaction. I've never seen published interchange rates on a CNP PIN transaction. Of course, that's the least of the worries that many people I've talked to have.
Their concerns are more or less (pun intended) security related. "Simple and Secure" are not usually two words that go hand in hand. One of my biggest worries is that some journalists will read the press release issued today by Acculynk and think it's the greatest thing since sliced bread. Maybe it is...maybe it isn't, but that determination should be made by doing research. So, I implore anyone who reads this blog that may be in the field of journalism to do some common sense research in order to determine how safe you think this process really is. If E2EE, 3DES or DUKPT seems too technical, call Avivah Litan and ask her yourself. She's usually pretty good about taking the time to speak with journalists in layman's terms...and whereas my rants could be mistaken for competitive jealousy (I assure you they're not)...her take is both authoritative and legit.
That said...I want to be sure to take the time to extend kind regards and "Kudos" to both Mr. Sheth and Acculynk for providing PIN Debit on the Web with some major momentum! Online Debit for Online Shoppers is long overdue and there's no doubt he is a pioneer. By the way...Acculynk also has a demo of their application in Flash, which can be viewed by clicking the following link: Acculynk Flash Demo of PaySecure(TM)
Here's Acculynk's press release...
Acculynk Announces Issuer Participation in Pin Debit Pilot Program
Wednesday March 4th
Estimated Card Base of Several Million to Be Enabled During the Pilot
ATLANTA--(BUSINESS WIRE)--Acculynk’s Internet PIN debit pilot program is scheduled to go live in early March with several issuers that will bring several million cards to the pilot. The first pilot issuers to participate are from the ACCEL/Exchange EFT network, owned by Fiserv, Inc., the leading global provider of financial services technology solutions. A second EFT network will be announced in a few weeks.
“We’ve had very strong interest from our issuing community, including some of our council members, because this is a value-add service that provides greater security for a consumer’s online transaction,” said Michael Kelly, general manager of the ACCEL/Exchange Network, from Fiserv. “We are very excited that some of the first transactions for this payment type will be driven through ACCEL/Exchange issuers.”
PaySecure™ utilizes a consumer’s debit card and the PIN for online payments, requires no redirection or enrollment, and offers consumers a simple and familiar checkout experience.
“With security a top priority for all consumers, we strongly feel that adding a second factor of authentication for online payments will increase the security of our customer’s data. Many of our cardholders prefer to use PIN debit at the point of sale. We are excited to give them this payment choice online with a service that adds an extra layer of fraud protection,” said Jeff Gegen, Vice President of Bank Operations at Baker Boyer Bank, an ACCEL/Exchange issuer. “This is a historic pilot program where the promise of PIN debit on the Internet is finally being realized, and we are thrilled to be one of the initial issuers participating.”
As one of North America’s premier ATM/POS networks, ACCEL/Exchange from Fiserv provides financial institutions with the infrastructure for cardholders to access their funds anytime, anywhere. The network is currently enabled at more than 200,000 ATMs in North America and most major merchant locations throughout the United States.
Acculynk is the first company in the U.S. to bring PIN debit to the Internet with a software-only service that has been certified by several major EFT networks. PaySecure™ provides an extra layer of security for online card transactions and reduces fraud and charge-backs by as much as 75% for issuers, while offering attractive margins and no-cost adoption.
“Our value proposition to issuers is very strong, and we’ve managed to secure an impressive line-up of institutions for this pilot,” said Ashish Bahl, CEO of Acculynk. “But what’s most exciting is the enormous merchant demand for this product. Such demand will benefit all of our issuers with increased volume and brand awareness.”
Acculynk brings the strength of PIN-based authentication to a domestic online market that has recently been impacted by increased fraud associated with data breaches.
About Acculynk
Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. For more information, visit www.acculynk.com.
About Fiserv
Fiserv, Inc. (NASDAQ: FISV) is the leading global provider of information management and electronic commerce systems for the financial services industry, driving innovation that transforms experiences for financial institutions and their customers. Ranked No. 1 on the FinTech 100 survey of top technology partners to the financial services industry, Fiserv celebrates its 25th year in 2009. For more information, visit www.fiserv.com.
Contact:
Acculynk
Corporate Contact:
Danielle Duclos, Director of Marketing, 678-894-7013
dduclos@acculynk.com
Source: Acculynk