Monday, February 1, 2010

Feature Story: Is Online PIN Debit More Secure?



The GreenSheet asks: "Is online PIN debit more secure?" The answer is a hearty "Yes"...and a blatant "No".

 

Yes... "IF" online shoppers swipe their card and enter their PIN on a PCI 2.0 Certified PIN Entry Device which instantly encrypts the cardholder data, including the PVKI and PVI, both of which are required to conduct a genuine PIN Debit transaction.



However, it's "NO" if consumers are asked to "TYPE" their card numbers into a box on a website and "mouse click" their PINs into a GUI.



I'm not picking on Acculynk. I love what they've done to raise merchants' awareness of, and appetite for, PIN Debit on the Web. I'm just saying there are two ways to go about it, and a software-based PIN Debit solution simply won't cut it in the real world (wide web). It's too fraught with insecurity.



Let me ask you a serious question: "How long do you really think it would take the bad guys to put together a malware program designed to capture mouse clicks as you enter them into a graphical user interface?" The short answer is: NOT LONG. In fact, the Limbo 2 trojan can already intercept mouse clicks, and Acculynk is only accepted at 7 online sites (out of millions). Wait until they have a significant number of merchants. Then you'll see the bad guys come out of the woodwork.



Do you really believe that if Acculynk was available at thousands of internet retail checkouts, hackers wouldn't "target" them? (For those who answered "no", let me ask again after pointing out that a consumer's "PIN" is the Holy Grail for hackers.) The bad guys would "scramble" to compete with each other in order to be the first to create a trojan that intercepts each "mouse click" in order to obtain that "Holy Grail."



Bottom Line: If you can see the GUI on your screen, so can the bad guys. Don't believe me? Doesn't matter...in time you will.




As a debate unfolds about the competing merits of PIN versus signature debit (there's no debate...Genuine PIN Debit is 15 times more secure than signature debit), a company called Acculynk has emerged as a pioneer in the use of PIN debit online. Acculynk's product, called PaySecure, gives consumers the option of using PIN debit when they make online purchases. (Editor's Note: No...it gives consumers the option of mouse-clicking their PIN into a floating PIN pad. It doesn't give them the option of using PIN Debit, because genuine PIN Debit "requires" that the card is swiped, and Acculynk doesn't capture the magnetic stripe data. Therefore, PaySecure is simply an alternative payment that allows consumers to mouse-click their PIN into a browser window. Make sure your JavaScript is enabled, or the pop-up PIN pad won't pop up.)





Consumers who enter (Stop with the "enter" B.S.... "Consumers who TYPE") their debit information on a Web site using PaySecure are (subject to the dangerous insecurity of web browsers) shown a graphical PIN pad following the entry of their card information, and are given the option to have their transaction processed as (a hybrid) PIN debit. Those who opt against it have their transaction processed as a signature debit and go directly to a purchase confirmation page; those who choose the PIN option enter their PIN by clicking their mouse on the graphical PIN pad.





PaySecure includes a feature that scrambles the PIN pad numbers following each numerical entry, to avoid interception of that information by a keystroke reader. (Editor's Note: And how do they do what nobody else has been able to do...make the browser safe from keystroke/mouse-click loggers?) The information is masked on the monitor (then how does the consumer see it? They do...and so can the bad guys) and encoded (when is it encoded, and why isn't it "encrypted" instead?) within the network (browser) over which it's transmitted.
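The distinction the note draws between "encoded" and "encrypted" is worth making concrete, and it is also what separates the "Yes" case above (a certified PIN entry device that encrypts at the point of entry) from the browser case. The Python below is an added example, not code from the article, from Acculynk, or from any PED vendor. It builds an ISO 9564 format-0 PIN block, which is the formatting step a hardware PIN entry device performs before it encrypts the block under a key held in tamper-resistant hardware, and then shows that the formatting on its own is reversible by anyone who also sees the card number. The encryption step itself (3DES or AES under a device key, typically DUKPT-derived) is what the certified device adds and is deliberately not implemented here. The PIN and PAN values are constructed test data.

```python
"""ISO 9564 format-0 PIN block: formatting is not encryption.

Added example, not from the article or from any vendor's code.  A PIN
entry device (PED) formats the PIN into a 64-bit block like this and only
then encrypts the block under a key it holds in tamper-resistant hardware.
Without that encryption step the block is merely a reversible encoding.
"""


def _pan_field(pan: str) -> int:
    """Rightmost 12 digits of the PAN (check digit excluded), left-padded to 16 hex digits."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    account_part = pan[:-1]  # drop the Luhn check digit
    return int("0000" + account_part[-12:], 16)


def _pin_field(pin: str) -> int:
    """Format nibble 0, PIN length nibble, PIN digits, then 'F' padding to 16 hex digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    field = "0" + format(len(pin), "X") + pin
    return int(field.ljust(16, "F"), 16)


def iso0_pin_block(pin: str, pan: str) -> str:
    """Return the clear (pre-encryption) format-0 PIN block as 16 uppercase hex digits."""
    return format(_pin_field(pin) ^ _pan_field(pan), "016X")


def recover_pin(block_hex: str, pan: str) -> str:
    """Undo the formatting: XOR with the PAN field and read the PIN digits back.

    Anyone holding both the clear block and the PAN can do this, which is
    exactly why the block must be encrypted inside the PED before it leaves
    the device.  A block formatted with a different PAN fails to parse.
    """
    field = format(int(block_hex, 16) ^ _pan_field(pan), "016X")
    if field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if not pin.isdigit() or field[2 + length:] != "F" * (14 - length):
        raise ValueError("PIN block does not parse for this PAN")
    return pin


if __name__ == "__main__":
    # Constructed test values; 4111111111111111 is a widely used test PAN.
    pan, pin = "4111111111111111", "1234"
    block = iso0_pin_block(pin, pan)
    print("clear PIN block:", block)             # 041225EEEEEEEEEE
    print("recovered PIN:  ", recover_pin(block, pan))
```

Run it and the "encoded" block comes straight back out as the PIN once the card number is known, which is the point: masking digits on screen and XOR-ing them with the PAN is presentation, not protection. A PCI-certified PED never exposes the clear block; it encrypts it with a key that exists only inside the device, and that is the property a browser-rendered PIN pad cannot offer.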





Plane rides and jelly beans



According to Acculynk, seven merchants are currently processing with PaySecure, which hit the market in March 2009. 



Editor's Admittedly Sarcastic Note: According to my calculations, it's been 11 months since March of 2009 and they already have SEVEN merchants. That equates to .636 participating merchants per month. So...at the current pace, Acculynk will reach the 1000-merchant plateau in only 1572 more months. (A mere 131 years, for those who were curious.)


Among them are AirTran Airways and the Jelly Belly candy company. Two merchant vendors are currently selling the product: Merchant e-Solutions Inc. and Elavon Inc.



According to Kevin Gallagher, General Manager, E-Commerce, for Merchant e-Solutions, trends giving rise to the use of PIN debit include both the increased use of debit cards generally, as well as heightened security concerns among both merchants and consumers.



"The shift over the last few years from credit to debit is really driving this to be potentially a gangbuster product," Gallagher said. He added that PIN offerings can "open up a channel for incremental business because there are about 80 million debit holders that are only PIN-enabled for debit."


PaySecure uses the electronic funds transfer (EFT) network operated by providers like Discover Financial Services' Pulse, NYCE Payments Network LLC and Shazam. Interchange rates for online PIN debit transactions on these networks are substantially lower than those for online signature debit.



"What Acculynk does is become the stand-in for every issuer that agrees to [offer online PIN debit], and most issuers would because it's a transaction they don't get today," said Steve Mott, founder and Principal of BetterBuyDesign, a payments industry consulting company.



"The Acculynk rate is significantly less than what the signature debit rate is and what the standard STAR or NYCE rate would be if it goes directly through the issuer," Mott said. "Acculynk is doing a separate deal through the EFT network with the issuers. It's like a separate payment service, the same way PayPal does it. Most of these alternative payment forms usually give you a 20 to 25 basis point reduction from the signature debit rate."



(Editor's Note: The Acculynk rate is significantly "higher" than genuine PIN Debit. In fact, it's higher than "card present" interchange because...the card is NOT present. It is "typed" into a box in a browser.)



According to Acculynk Chief Executive Officer Ashish Bahl, transaction fees for merchants are 20 to 40 percent lower with PaySecure than with online signature transactions. He added that about half of all PaySecure customers, given the option of signature or PIN debit online, choose PIN debit.



Mott said PIN debit transactions benefit consumers because they tend to clear faster than signature ones. He said most banks clear PIN debit transactions within a day of purchase, whereas signature debit transactions (which tend to run on the Visa Inc./MasterCard Worldwide rails) generally take two to three days to clear. Within that extended timeframe, consumers are more likely to overdraw their bank accounts, he said.



Fraud fighter?



Both Gallagher and Mott touted the fraud-fighting benefits of online PIN debit as well, although the capacity of a program like PaySecure to reduce fraud in today's e-commerce environment is questionable.


For one, Gallagher said merchants who adopt the program invariably maintain a non-PIN payment option; given that they do, the PIN feature would seem to do very little to protect against traditional fraudsters, who can simply choose the non-PIN payment option when committing fraud with stolen debit card numbers.



Despite that danger, Gallagher said the benefits to merchants of using multiple payment channels outweigh fraud concerns. "As a merchant, you probably don't want to turn away anyone that wouldn't want to use the PIN debit option," he said. "Lost sales are worse than whatever extra basis points you would have to pay [for a signature or non-authenticated transaction]."



However, both Gallagher and Mott said even just having the option of PIN debit helps guard against one type of fraud in particular: "friendly fraud," or the practice of making an authorized purchase and then disavowing it.



Consumers who use the PIN option, they said, will have a harder time committing friendly fraud because they've entered a password theoretically known only to the card's real owner, making it much more difficult to credibly disavow a purchase.



"What you're really trying to do with the PIN debit is get the purchaser to own the transaction and not be able to repudiate it," Mott said. "When you're [entering PIN information], unless somebody's holding a gun to your head and making you enter it, you pretty much own the transaction."





Editor's Insert: "Users are more at risk from malicious websites that steal credit cards than ever before, according to the latest IBM X-Force 2009 Mid-Year Trend and Risk report. The report's findings show an unprecedented state of insecurity as web client, server and content threats converge to create an untenable risk landscape." (Read the full story at ComputerWeekly.)



Mott conceded that more rational friendly fraudsters could circumvent trouble by using the non-PIN payment option, but said that not everyone would. He said sometimes friendly fraud isn't planned, and that charges are often refuted out of embarrassment or some unforeseen circumstance.





Mott added that PaySecure could set the stage for a shift to the exclusive use of PIN debit online.


"With this, somebody like Acculynk and somebody like NYCE or PULSE can go to the issuer and say, 'All the bad guys are using signature debit, and you think you're getting more money on interchange [with signature] … but after you deduct all the chargebacks and charge-offs from the signature debit, you're really better off doing a PIN transaction,'" Mott said.



Fraud's hidden costs



Mott noted that "PIN debit is significantly the most popular form of payment for both consumers and merchants," and that issuers that favor signature for its higher interchange aren't always correctly calculating the total costs of additional fraud.



"It's not just the direct losses, but it causes all this noise – the customer service and all this stuff – and now you have a bigger problem on the consumer side," he said.
