From the January/February 2009 issue of ISO&Agent magazine.
Merchant efforts to steer shoppers to use personal identification numbers instead of signatures when paying with debit cards may be poised to move to a new front: the Internet. Two companies plan to test rival software-based debit-processing systems this year and may fully launch them by mid-summer.
The difficulty with Web-based PIN debit, in which consumers enter PINs and their debit card numbers to complete transactions online, is keeping PINs safe from fraudsters and complying with operational regulations, according to observers. Atlanta-based software vendor Acculynk Inc. and NYCE Payments Network LLC, a unit of Milwaukee-based Metavante Technologies Inc., however, believe their respective systems are secure and provide convenience and safety for debit cardholders.
Should one or both pilots succeed, it may represent good news for merchants tired of paying the steeper fees associated with accepting signature-debit or credit cards. Analysts and ISOs, however, are hesitant to say these systems are the long sought-after answers to enabling PIN-debit purchases online.
The Floating Pad
For its pilot launch, Acculynk chose five merchants and multiple electronic funds transfer networks, including Accel/Exchange and NYCE, to test its system, says Nandan Sheth, Acculynk president. The Acculynk system recognizes a debit card after the customer keys in the card number. A pop-up window then asks the customer to enter his PIN using mouse clicks on a floating keypad. As the customer clicks each number, the keypad scrambles itself, changing the location of each number. This rearrangement fools malicious software, or malware, that might try to track the mouse movements to capture the PIN, Sheth says.
After the customer enters the PIN, the computer sends the coordinates of the clicks to the Acculynk processing center, which reassembles the PIN. The company then sends the transaction information through the secure EFT network to the issuer for authorization.
Because the system sends click coordinates, and not the PIN, over the Internet, even if a hacker intercepts the data, the information would be worthless, Sheth says.
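The flow described above, as an added sketch that is not Acculynk's code (the article does not describe the implementation). It assumes the processing center keeps one shuffled layout per click and receives only pixel coordinates; the grid size, class name and function names are hypothetical.

```python
import secrets

CELL = 60   # assumed key size in pixels
COLS = 3    # assumed grid: 3 columns x 4 rows, 10 cells used

class KeypadSession:
    """Server-side state for one PIN entry (hypothetical design)."""

    def __init__(self, pin_length=4):
        rng = secrets.SystemRandom()
        # One independent digit arrangement per click, kept on the server.
        self.layouts = []
        for _ in range(pin_length):
            digits = list("0123456789")
            rng.shuffle(digits)
            self.layouts.append(digits)

    def cell_at(self, x, y):
        """Map a click coordinate to a cell index, or None if off the keypad."""
        if x < 0 or y < 0:
            return None
        col, row = x // CELL, y // CELL
        idx = row * COLS + col
        return idx if col < COLS and idx < 10 else None

    def reassemble(self, clicks):
        """Turn received coordinates back into the PIN; reject bad input."""
        if len(clicks) != len(self.layouts):
            raise ValueError("wrong number of clicks")
        pin = []
        for layout, (x, y) in zip(self.layouts, clicks):
            idx = self.cell_at(x, y)
            if idx is None:
                raise ValueError("click outside keypad")
            pin.append(layout[idx])
        self.layouts = []   # single use: a replayed click list is rejected
        return "".join(pin)

def clicks_for(session, pin):
    """Simulate the customer clicking the centre of each digit's current cell."""
    out = []
    for layout, digit in zip(session.layouts, pin):
        idx = layout.index(digit)
        out.append(((idx % COLS) * CELL + CELL // 2,
                    (idx // COLS) * CELL + CELL // 2))
    return out
```

In this sketch the coordinates only decode against the session that issued the layouts, and the layouts are discarded after one use.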
The system helps meet consumers' expectations, one debit insider says. "The way the world is going, the future is online," says Michael Kelly, general manager of Brookfield, Wis.-based Accel/Exchange, one of the five EFT networks participating in the Acculynk pilot. "We need to provide solutions to operate in that space. We love brick-and-mortar PIN with its dual-factor verification and its security. We think all that can be replicated in the Web space."
The interface does a good job of mimicking the question shoppers already are used to receiving before transactions, "Will that be debit or credit?" Kelly says. "We think enough people will say debit to make this worthwhile," he says. "We are truly replicating the point-of-sale behavior consumers are used to and moving it online."
The Redirect
In what may seem like hedging its bets, NYCE also is conducting a pilot to test a second rendition of its SafeDebit system, which the network tried unsuccessfully to roll out nearly a decade ago. This time, instead of using a CD-ROM to store the PIN, SafeDebit is built into the merchants' checkout screen. And instead of a floating keypad, customers click a dropdown box that offers SafeDebit as a payment choice.
When customers choose SafeDebit, the system prompts them to choose their issuer from a second dropdown box. If the customer's bank is a participating institution, the log-in screen for the bank appears in a pop-up window, and the customer logs in. Then the system generates a one-time-use debit card number and automatically fills in the rest of the fields in the merchant's checkout screen.
"The solution keeps the consumer's sensitive financial information in the hands of the bank or credit union," says Steve Rathgaber, NYCE president and chief operating officer.
Even if fraudsters hack the system, the information transmitted over the Internet is one-time-use only and would not compromise the customers' accounts.
NYCE is not releasing its merchant rates for SafeDebit transactions. "For merchants, the rate will certainly be competitive with signature debit from a straight-cost perspective," Rathgaber says.
A Growing Market
Debit is a growing market, says Sheth. "We don't think we can convert all of those transactions over to PIN debit, but even if we come close and capture a fraction, you have a winning product with a critical mass that will only continue to grow," he says.




