From the January/February 2009 issue of ISO&Agent magazine.
Merchant efforts to steer shoppers to use personal identification numbers instead of signatures when paying with debit cards may be poised to move to a new front: the Internet. Two companies plan to test rival software-based debit-processing systems this year and may fully launch them by mid-summer.
The difficulty with Web-based PIN debit, in which consumers enter PINs and their debit card numbers to complete transactions online, is keeping PINs safe from fraudsters and complying with operational regulations, according to observers. Atlanta-based software vendor Acculynk Inc. and NYCE Payments Network LLC, a unit of Milwaukee-based Metavante Technologies Inc., however, believe their respective systems are secure and provide convenience and safety for debit cardholders.
Should one or both pilots succeed, it may represent good news for merchants tired of paying the steeper fees associated with accepting signature-debit or credit cards. Analysts and ISOs, however, are hesitant to say these systems are the long sought-after answers to enabling PIN-debit purchases online.
The Floating Pad
For its pilot launch, Acculynk chose five merchants and multiple electronic funds transfer networks, including Accel/Exchange and NYCE, to test its system, says Nandan Sheth, Acculynk president. The Acculynk system recognizes a debit card after the customer keys in the card number. A pop-up window then asks the customer to enter his PIN using mouse clicks on a floating keypad. As the customer clicks each number, the keypad scrambles itself, changing the location of each number. This rearrangement fools malicious software, or malware, that might try to track the mouse movements to capture the PIN, Sheth says.
After the customer enters the PIN, the computer sends the coordinates of the clicks to the Acculynk processing center, which reassembles the PIN. The company then sends the transaction information through the secure EFT network to the issuer for authorization.
Because the system sends click coordinates-and not the PIN-over the Internet, even if a hacker intercepts the data the information would be worthless, Sheth says.
The system helps meet consumers' expectations, one debit insider says. "The way the world is going, the future is online," says Michael Kelly, general manager of Brookfield, Wis.-based Accel/Exchange, one of the five EFT networks participating in the Acculynk pilot. "We need to provide solutions to operate in that space. We love brick-and-mortar PIN with its dual-factor verification and its security. We think all that can be replicated in the Web space."
The interface does a good job of mimicking the question shoppers already are used to receiving before transactions, will that be debit or credit? Kelly says. "We think enough people will say debit to make this worthwhile," he says. "We are truly replicating the point-of-sale behavior consumers are used to and moving it online."
In what may seem like hedging its bets, NYCE also is conducting a pilot to test a second rendition of its SafeDebit system, which the network tried unsuccessfully to roll out nearly a decade ago. This time, instead of using a CD-ROM to store the PIN, SafeDebit is built into the merchants' checkout screen. And instead of a floating keypad, customers click a dropdown box that offers SafeDebit as a payment choice.
When customers choose SafeDebit, the system prompts them to choose their issuer from a second dropdown box. If the customer's bank is a participating institution, the log-in screen for the bank appears in a pop-up window, and the customer logs in. Then the system generates a one-time-use debit card number and automatically fills in the rest of the fields in the merchant's checkout screen.
"The solution keeps the consumer's sensitive financial information in the hands of the bank or credit union," says Steve Rathgaber, NYCE president and chief operating officer.
Even if fraudsters hack the system, the information transmitted over the Internet is one-time-use only and would not compromise the customers' accounts.
NYCE is not releasing its merchant rates for SafeDebit transactions. "For merchants, the rate will certainly be competitive with signature debit from a straight-cost perspective," Rathgaber says.
A Growing Market
Debit is a growing market, says Sheth. "We don't think we can convert all of those transactions over to PIN debit, but even if we come close and capture a fraction, you have a winning product with a critical mass that will only continue to grow," he says.
Debit card payments in 2006 exceeded credit card payments, reported the Federal Reserve. Debit card payments rose 17.5% per year, to 25.3 billion in 2006 compared with 15.6 billion in 2003. Credit card payments rose 4.6% per year, to 21.7 billion in 2006 compared with 19 billion in 2003, according to the Fed.
The Fed also reported that consumers in 2006 used debit cards for 27.1% of noncash payments and credit cards for 23.3%, compared with roughly 19% for debit and 23% for credit in 2003. The agency typically conducts electronic-transaction studies every three years, says an agency spokesperson.
The difference between signature debit and PIN debit is an important distinction to many merchants, their acquiring banks and the payment networks because it has serious financial implications.
For example, a $40 signature-debit transaction made at a supermarket has an interchange rate of 1.05% plus 15 cents, for a total of $40.57, when using a MasterCard Worldwide rate. That same purchase as a PIN-debit transaction is about $40.26 to the merchant, when using a MasterCard rate of 25.5 cents per transaction. These figures do not include processing and acquirer fees that merchants pay as part of the discount rate for their transactions.
Acculynk's goal is to set its Web-based PIN-transaction costs at about 30% below the cost of credit card processing, Sheth says. An Acculynk spokesperson says the transaction fee for the pilot has not been determined yet.
Besides the lower fees, observers tend to associate PIN debit with less fraud and fewer charge-backs, which is another reason merchants may want to encourage customers to use PINs, says Bruce Cundiff, director of payments research and consulting for Javelin Strategy and Research, a Pleasanton, Calif.-based research firm.
Fraud Risk Remains
Risk of fraud is reason enough for an ISO to steer merchants away from an online PIN-debit system, says Michael Wiener, president of Advanced Merchant Group, a Warminster, Pa.-based ISO.
"In Philadelphia, we just had a case where they found card skimmers in the gas pumps of a major convenience-store and gas-station chain," he says. "This is a multibillion-dollar company. You figure they are totally secure, PCI compliant, but they still got scammed. Knowing that, how comfortable would you be giving them your PIN? And knowing they can get scammed, how comfortable would you be giving your PIN over the Internet? It is all an issue of security," says Wiener.
That criticism just does not ring true, counters Accel/Exchange Network's Kelly. "How is it a worse idea than putting your Visa check card out there?" he says. "With the PIN, you have dual-factor identification. That is better than just a single verification. If you believe in the algorithm and the security of the system, then you will be good to go," says Kelly.
Tim Sloane, group director of prepaid and debit advisory services for Maynard, Mass.-based Mercator Advisory Group Inc., says he is inclined to trust a third-party system that uses credentials instead of the entry of a PIN online. User ID and password credentials to an online bank account can be changed relatively easier if they are compromised than if a PIN is stolen and needs to be changed.
The risk with a credential system is that the bank account could be jeopardized. Sloane acknowledged that regardless of the security measures, hackers inevitably would try to attack whichever system is used.
Cracking The Web
Industry veterans would be justified if they rolled their eyes at the idea of another company claiming to have come up with "The-Internet-PIN" solution. "A couple of companies have made a splash over the years and claimed to have the solution-of-all-solutions, only to end up with little-to-no wide-scale usage," Cundiff says.
Besides NYCE's initial SafeDebit venture, previous attempts used everything from at-home magnetic stripe card readers to purely software-based systems. But each attempt failed to garner enough buy-in from the EFT networks or failed to conform to strict security regulations, so they failed to gain any traction, Cundiff says.
The problems previous PIN-debit systems faced break down into two categories, says Sloane. "First there is the challenge of technology, then there is the challenge of acceptance," Sloane says.
The EFT networks put up steep operational regulations for their card-not-present transactions for fear of fraud. Without a costly piece of hardware, such as an at-home mag-stripe reader or PIN pad, which would be impractical on widespread applications, most of the networks refused to accept the transactions. And simply keying a PIN into a Web form failed to pass security muster for most networks because crooks could embed rogue software to capture the keystroke data.
With such limited buy-in, those systems inevitably failed.
One way EFT networks have enabled some merchants to process through their systems is with PIN-less debit, in which an established customer sets up a recurring payment tied to a PIN-debit card. Most merchants do not qualify to accept PIN-less debit transactions. In fact, only low-risk billers, such as utility companies, universities and municipalities, are eligible.
EFT networks contend a thief is not likely to pay the cardholder's electric bill or child's tuition bill with the stolen debit card information. And if the thief did pay a qualifying bill, it would not be difficult to track down the offender. With such low risk, eliminating the extra layer of security was acceptable, Cundiff says.
But beyond those ultra-low-risk transactions, EFT networks have not expanded the types of merchants that can route transactions through their systems. And the fear of fraud is well founded, Cundiff says.
"From the beginning, we have all been told don't share your PIN with anyone, and that is good advice because the risk of someone getting your PIN is just too costly," Cundiff says. A thief equipped with unfettered access to a debit account easily could empty someone's life savings with very little in the way of customer protection available, he says.
PIN Or Pen Demand?
While the differences between PIN and signature debit are important to merchants, it may seem like splitting hairs to the majority of consumers.
"There are studies pointing both ways, but really, customers don't seem to have a preference between signature and PIN debit," says Cundiff. "If the merchant prompts me to use my PIN, then fine. Otherwise, I will sign. It is a transaction-by-transaction decision."
While customers may be indifferent in the use of PINs or signatures, the lower transaction costs associated with PIN debit has prompted many merchants to make a habit of "PIN steering" their customers at the point of sale. With PIN steering, merchants encourage customers to enter their PINs after swiping their cards.
"The merchants encourage PIN transactions. It is less expensive for them, so they are pushing the buyers at the point of sale," Cundiff says. "On the other hand, financial institutions are more biased toward signature-based transactions because they get more revenue there. This is just another front on the PIN-steering war."
Debit card issuers, however, typically encourage customers to sign for transactions using rewards, points or contest entries as bait. "We have seen it in the past where financial institutions try to dissuade their merchants from using PINs, and I suspect they will double their efforts when it comes to online," Cundiff says.
Some ISOs, however, do not see the benefit of PIN steering. "I would say that it would depend on the average ticket," says Nancy Barnhart, vice president of partner relations at POS Card Systems, a Redwood City, Calif.-based ISO. "If the average ticket is low, and their volume is low, it may not make sense in the long run."
That is because, while PIN transactions cost merchants less, the incremental savings may not justify the cost of joining a new network or investing in new processing equipment, Barnhart says. For example, if a merchant's typical credit transaction costs 80 cents, it might cost 70 cents as a PIN-debit transaction. Depending on volume, that 10-cent savings may not justify the investment, Barnhart says.
Besides, customers seem to be happy running transactions as signature debit, Barnhart says. "So far, we haven't seen the need to provide any e-commerce PIN-debit transactions," she says. "The merchants haven't asked for it. Their customers aren't asking for it. And since we haven't had any requests, we haven't even looked at it."
Though ISOs earn less revenue on each PIN-debit transaction because the fees are less than for signature-debit or credit transactions, Barnhart would offer the service to her merchants if they requested it.
"If I am doing an analysis for a merchant, and if PIN would reduce their costs and provide a little more security over signature, I would push that. Even if it means I make a little less, I will push it if it makes sense for my merchant," she says. ISO