Tuesday, July 28, 2009

Is Your False Sense of Security Insecure?


Are PIN debits coming soon to e-commerce transactions?
by Neil Moncrief on July 28, 2009

In a blog post, Neil Moncrief of CreekFinancial writes about PIN Debit for eCommerce transactions. He makes a couple of key points, which I have emboldened in red. The one point he misses out on is the difference between "perceived" security and "authentic" security. I'm sure you've heard the term "perception is reality," but I can guarantee you that "perceived" security and reality can be, and in this case are, completely disparate.


Every so often, I’ll have an e-commerce client ask me “Will I ever be able to accept PIN-based debits online?” Although many companies have tried to devise a solution, I never seriously believed it would happen.

After all, how could a consumer enter a 4-digit PIN from a personal computer and still meet the high encryption standards required for Payment Card Industry (PCI) compliance?  (Editor's Note:  They Cannot)

Nevertheless, the topic is resurfacing again, and online PIN debits may finally be just around the bend.

The primary reason e-commerce merchants want to accept PIN debits is the savings. As I explained in this article I posted several months ago, brick-and-mortar merchants with high-dollar average sales can save considerable amounts by requesting PIN numbers from customers.

But the PCI rules requiring that the debit card be swiped through a magnetic card reader and that the PIN number be encrypted have kept online merchants from participating. 
(Editor's Question:  What has changed?)

In her June 2009 article for Transaction Trends magazine, Julie Ritzer Ross profiles software and hardware developers that are on the leading edge of finding a workable solution. PaySecure, from Atlanta-based Acculynk, is currently being tested by some of the largest players in the debit network business: ACCEL, NYCE, and Pulse. PaySecure’s software will place a floating “keypad” on a shopper’s screen, receive the PIN, scramble and encrypt it, and then pass it along to the appropriate network. 

Hardware developer, HomeATM ePayment Solutions, recently introduced Safe-T-PIN, a small and inexpensive USB PCI 2.x certified card reader with integrated PIN Pad, that allows consumers to swipe their own credit cards (and securely enter their PIN) while shopping online.

Editor's Note:  HomeATM's system does not need to be "tested" since it 100% replicates the existing PIN Debit transaction done in the brick and mortar world.  In fact it has been "tested" by the Payment Council Industry, (Visa, MasterCard, Discover, AMEX and JCB) and is PCI 2.x certified.  HomeATM also recently went through a TG-3 audit and has been told they will receive their certification imminently.  After going through both the PCI 2.x certification process and a TG-3 PIN Audit, HomeATM becomes the first and only eCommerce payments company in either hemisphere to be certified by one or the other...and we have BOTH.

When this technology finally does make its way into the homes of America’s shoppers, it will be a day for merchants to celebrate. It’s rare that something comes along that benefits business owners more than consumers or credit card companies. And with the struggles of the past year, it’s about time merchants caught a break!

Read the Entire Article at the Creek Financial Blog

