PULSE to Pilot Secure Internet PIN Debit Technology
Debit Network Partnering with Acculynk, Financial Institutions and Major Merchants to Test Consumer Use of PIN Debit for Web-Based Shopping
Note: Pictured on left is Acculynk President Nandan Sheth along with a graphical depiction of Acculynk's floating PIN Pad. Once again...kudos to Acculynk for bringing PIN Debit on the Web to the forefront.
Editor's Note: Good news for Internet PIN Debit pushers. I will say it's a good thing it's a pilot...in the event of a breach, god forbid, the collateral damage will be relatively contained. Speaking of pilots, HomeATM does not need to be "piloted" because HATM transactions are identical to how they are done at a brick and mortar location. Therefore, everyone "knows" "it will fly" (on its own...doesn't need a pilot...)
There have been only 16 vendors "worldwide" who have tested positive for PCI 2.0 approval and HATM is the only ONE, whose PED device was designed for the web. We'd love to have the EFT Networks on our side, but at the end of the day, HomeATM utilizes eFunds which handles the majority of PIN Debit transactions for the EFT Networks. So, in effect, they are middlemen. Wouldn't that be ironic if there were to be a "man in the middle attack?"
Before I go any further, it's important to note that I want to preface any more statements I make by stating that this is not a "HomeATM vs. Acculynk" argument. It is, however, a PCI 2.0 PED certified hardware solution vs. a software-based approach (which CANNOT capture the PIN Offset or the PVV) argument. It IS a security vs. convenience argument.
Suffice it to say that it is extremely difficult for many security analysts to conceive of an instance whereby a PIN is transmitted and NOT AUTHENTICATED against the PIN Offset. Payments industry professionals are extremely concerned that a hacker would be able to steal both the account number and the PIN and conduct online transactions.
If you don't believe me, check out next month's magazine from "The Society of Secure Payment Professionals." I might be going out on a limb here, but my guess is that an organization called "The Society of Secure Payment Professionals" might know a little bit about payments security. Then again, maybe it's them who are "off-base" instead of a software PIN Debit application.
At the end of the day, when the smoke clears, there is no doubt that the publicity PIN Debit for the Internet is getting these days is a good thing. Internet PIN Debit is long overdue. That said, it's overdue because it's more secure. So, once again, it becomes a security vs. convenience argument. Most everyone would agree that processing a PIN Transaction via hardware is more secure. Nonetheless, when EFT Networks, such as Accel/Exchange and PULSE agree to pilot PIN Debit for the Web, it is a step forward towards making PIN based transactions on the Internet a reality. Or as John Stewart from Digital Transactions says, in announcing Pulse's decision to run an Acculynk pilot:
"Lending further impetus to the trend is the development of a hardware-based product by Acculynk rival HomeATM ePayment Solutions, a Montreal-based engineering company. HomeATM’s PIN pad, which consumers hook up to their PCs via a USB link, on Friday became the first such device to achieve certification under Payment Card Industry PIN Entry Device (PCI PED) 2.0 rules."
Interestingly...(and I invite you to read between the lines here) his article goes on to say: "Pulse remains open to both hardware- and software-based solutions for PIN debit on the Internet, the spokesperson says. “We are interested in understanding more about any solution that would be viable in the market,” she says. “Such a solution would need to be consumer-friendly and provide value for both merchants and issuers.”"
Editor's Note: If viable means "most closely resembles a consumer checkout experience at a grocery store" then HomeATM is certainly a "viable" solution.
Here's the press release (PDF) announcing Pulse's decision to Pilot Acculynk's PIN Debit Technology along with some comments. (in grey)
HOUSTON--(BUSINESS WIRE)--PULSE, one of the nation’s leading ATM/debit networks, has signed an agreement with Acculynk under which PULSE will test Acculynk’s PaySecure® Internet PIN debit technology in a pilot program. The pilot will involve selected PULSE merchant and financial institution participants and is slated to begin in the second quarter of 2009.
The goal of the pilot test is to assess consumer acceptance of Internet-based PIN debit transactions. Acculynk’s technology enables consumers to use their debit cards with a personal identification number (PIN) to pay for online purchases.
“Internet-based PIN debit has tremendous potential value for consumers, who enjoy the convenience of debit cards,” said Judith McGuire, PULSE senior vice president, product management. “Of debit users who have a preference, 56 percent prefer PIN authentication over signature,” McGuire added, referring to the findings of the Hitachi Consulting/BAI 2008 Consumer Payment Preferences Study. “We also believe this new payment option could provide significant value to both card issuers and merchants, driven in part by reductions in fraud and cardholder disputes.”
“In addition to reducing fraud losses and chargebacks associated with online purchases, Internet PIN debit is predicted to increase online debit purchase transactions,” said Acculynk President Nandan Sheth. “These incremental transactions will come from three sources: consumers who have PIN-only debit cards, individuals who are currently hesitant to use their signature-enabled debit cards online without the PIN authentication, and consumers who are inclined now, or in the future, to use alternative Internet payment methods.”
How it Works
Acculynk’s PIN-pad technology integrates directly into the merchant checkout process, providing a seamless experience for online shoppers. The consumer will be aware of the PIN entry option only if his or her card is enabled for PIN debit. The consumer will have the choice of entering their PIN or completing the purchase as a signature debit transaction.
Acculynk’s Internet PIN debit service utilizes many advanced security features, including a graphical, scrambling PIN pad for the secure entry of PIN data. The PIN pad numbers appear on the purchaser’s computer monitor in random order, and the numbers re-scramble each time the cardholder clicks on a digit of his or her PIN using the mouse. (Editor's Note: if it appears on a screen, even for a nanosecond, it can be argued that it can be screen scraped.)
The PIN itself is not captured on the consumer’s PC (Editor's Note: that statement "might" be true, but only due to a technicality. The real truth is if it appears on the screen, it can be seen...and if the consumer can see it, so can a hacker. i.e. nor is it transmitted over the Internet. (Editor's Question: Then how does Acculynk get it?)
Instead, Acculynk captures and encrypts data associated with the PIN entry process, (they are readily admitting that they are capturing unencrypted data associated with the PIN entry process...otherwise they wouldn't have to encrypt it...right?) then transmits that encrypted data (Editor's Question: So exactly "when" do they encrypt it?) in a separate message from the message used for the card number. This makes it extremely difficult (Editor's Note: that's "press releasian" for it's entirely possible. It's analogy time...ready? Okay, here goes: It's "extremely difficult" to get into Harvard, but every year people do) for fraudsters to capture any information that could be used to compromise a consumer’s debit card or account.
In addition, producing a counterfeit card would be virtually impossible because the magnetic stripe data is not captured during the online transaction. (Editor's Note: This statement is accurate. The magnetic stripe data IS "NOT CAPTURED" which is what HomeATM feels is the security issue. We would respectfully like to point out that a cybercriminal doesn't need a "cloned card" to make purchases online...you need the PAN and the PIN. So the cloned card argument is completely irrelevant. If you don't believe me, send me your PAN and PIN. In order to properly prophetize (sic) I would kindly request that only people with more than $10,000 in their checking account should comply. C'mon, Humor me! I'll bet that there's several people at PULSE that qualify... I promise I won't make a counterfeit card! I also promise your bank balance will drop dramatically!)
“PULSE believes that Internet PIN debit could provide significant benefits to cardholders, e-commerce merchants and financial institutions,” said McGuire. “Our pilot program will help us determine whether this product delivers a favorable cardholder experience.” (Editor's "Dry" Note: Or quite possibly an unfavorable one)
I want to be clear. Once again, I love the attention that all this is bringing towards making PIN Debit on the Internet a reality. But there's a different reality that concerns me. It's the H-Word. Right now the "H" is silent in Acculynk's approach to bringing it. If the Hackers "bring it" the industry will receive a huge black eye...the retailers will get reamed, and the consumers, well ironically, they'll be severely "inconvenienced." Here's some food for thought...Who's got the liability if there is a breach?
About PULSE
PULSE is one of the nation’s leading ATM/debit networks, currently serving more than 4,500 banks, credit unions and savings institutions across the country. PULSE is owned by Discover Financial Services (NYSE: DFS). The network links cardholders with more than 289,000 ATMs, as well as POS terminals at retail locations nationwide. The company is also a valued resource for industry research related to electronic payments and is committed to providing its participants with education on evolving products, services and trends in the payments industry. For more information, visit www.pulsenetwork.com.
About Acculynk
Acculynk is a leading technology provider with a suite of software-only services that secure online transactions. Backed by a powerful encryption and authentication framework protected by a family of issued and pending patents, Acculynk’s services provide greater security, reliability, convenience and return on investment for consumers, merchants, networks, issuers and acquirers. Acculynk is headquartered in Atlanta, Georgia, with a management team that brings extensive experience in the financial, network, security and payment processing industries. For more information, visit www.acculynk.com.
Contacts
Anne Rhodes, 832-214-0234
arhodes@pulsenetwork.com
Acculynk
Danielle Duclos, 678-894-7013
dduclos@acculynk.com