Yes... "IF" online shoppers swipe their card and enter their PIN on a PCI 2.0 Certified PIN Entry Device which instantly encrypts the cardholder data including the PVKI and PVI, both of which are required to conduct a genuine PIN Debit transaction.
However, it's "NO" if consumers are asked to "TYPE" their card numbers into a box on a website and "mouse click" their PINs into a GUI.
I'm not picking on Acculynk. I love what they've done to heighten the realization of merchants to want PIN Debit on the Web. I'm just saying there are two ways to go about it, and a software-based PIN Debit solution simply won't cut it in the real world (wide web). It's too fraught with insecurity.
Let me ask you a serious question: "How long do you really think it would take the bad guys to put together a malware program designed to capture mouse clicks as you enter them into a graphical user interface?" The short answer is NOT LONG. In fact, the Limbo 2 trojan can already intercept mouse clicks, and Acculynk is only accepted at 7 online sites (out of millions). Wait until they have a significant amount of merchants. Then you'll see the bad guys come out of the woodwork.
Do you really believe that if Acculynk was available at thousands of internet retail checkouts, hackers wouldn't "target" them? (For those who answered "no," let me ask again after pointing out that a consumer's "PIN" is the Holy Grail for hackers.) The bad guys would "scramble" to compete with each other in order to be the first to create a trojan that intercepts each "mouse click" in order to obtain that "Holy Grail."
Bottom Line: If you can see the GUI on your screen, so can the bad guys. Don't believe me? Doesn't matter...in time you will.
Consumers who enter (Stop with the "enter" B.S.... "Consumers who TYPE" ) their debit information on a Web site using PaySecure are (subject to the dangerous insecurity of web browsers) shown a graphical PIN pad following the entry of their card information, and are given the option to have their transaction processed as (a hybrid) PIN debit. Those who opt against it have their transaction processed as a signature debit and go directly to a purchase confirmation page; those who choose the PIN option enter their PIN by clicking their mouse on the graphical PIN pad.
Plane rides and jelly beans
According to Acculynk, seven merchants are currently processing with PaySecure, which hit the market in March 2009.
Editor's Admittedly Sarcastic Note: According to my calculations, it's been 11 months since March of 2009 and they already have SEVEN merchants. That equates to .636 participating merchants per month. So...at the current pace, Acculynk will reach the 1000 merchant plateau in only 1572 more months. (A mere 131 years for those who were curious.)
Among them are AirTran Airways and the Jelly Belly candy company. Two merchant vendors are currently selling the product: Merchant e-Solutions Inc. and Elavon Inc.
According to Kevin Gallagher, General Manager, E-Commerce, for Merchant e-Solutions, trends giving rise to the use of PIN debit include both the increased use of debit cards generally, as well as heightened security concerns among both merchants and consumers.
"The shift over the last few years from credit to debit is really driving this to be potentially a gangbuster product," Gallagher said. He added that PIN offerings can "open up a channel for incremental business because there are about 80 million debit holders that are only PIN-enabled for debit."
PaySecure uses the electronic funds transfer (EFT) network operated by providers like Discover Financial Services' Pulse, NYCE Payments Network LLC and Shazam. Interchange rates for online PIN debit transactions on these networks are substantially lower than those for online signature debit.
"What Acculynk does is become the stand-in for every issuer that agrees to [offer online PIN debit], and most issuers would because it's a transaction they don't get today," said Steve Mott, founder and Principal of BetterBuyDesign, a payments industry consulting company.
"The Acculynk rate is significantly less than what the signature debit rate is and what the standard STAR or NYCE rate would be if it goes directly through the issuer," Mott said. "Acculynk is doing a separate deal through the EFT network with the issuers. It's like a separate payment service, the same way PayPal does it. Most of these alternative payment forms usually give you a 20 to 25 basis point reduction from the signature debit rate."
(Editor's Note: The Acculynk rate is significantly "higher" than genuine PIN Debit. In fact it's higher than "card present" interchange because...the card is NOT present. It is "typed" into a box in a browser.)
According to Acculynk Chief Executive Officer Ashish Bahl, transaction fees for merchants are 20 to 40 percent lower with PaySecure than with online signature transactions. He added that about half of all PaySecure customers, given the option of signature or PIN debit online, choose PIN debit.
Mott said PIN debit transactions benefit consumers because they tend to clear faster than signature ones. He said most banks clear PIN debit transactions within a day of purchase, whereas signature debit transactions (which tend to run on the Visa Inc./MasterCard Worldwide rails) generally take two to three days to clear. Within that extended timeframe, consumers are more likely to overdraw their bank accounts, he said.
Both Gallagher and Mott touted the fraud-fighting benefits of online PIN debit as well, although the capacity of a program like PaySecure to reduce fraud in today's e-commerce environment is questionable.
For one, Gallagher said merchants who adopt the program invariably maintain a non-PIN payment option; given that they do, the PIN feature would seem to do very little to protect against traditional fraudsters, who can simply choose the non-PIN payment option when committing fraud with stolen debit card numbers.
Despite that danger, Gallagher said the benefits to merchants of using multiple payment channels outweigh fraud concerns. "As a merchant, you probably don't want to turn away anyone that wouldn't want to use the PIN debit option," he said. "Lost sales are worse than whatever extra basis points you would have to pay [for a signature or non-authenticated transaction]."
However, both Gallagher and Mott said even just having the option of PIN debit helps guard against one type of fraud in particular: "friendly fraud," or the practice of making an authorized purchase and then disavowing it.
Consumers who use the PIN option, they said, will have a harder time committing friendly fraud because they've entered a password theoretically known only to the card's real owner, making it much more difficult to credibly disavow a purchase.
"What you're really trying to do with the PIN debit is get the purchaser to own the transaction and not be able to repudiate it," Mott said. "When you're [entering PIN information], unless somebody's holding a gun to your head and making you enter it, you pretty much own the transaction."
Mott conceded that more rational friendly fraudsters could circumvent trouble by using the non-PIN payment option, but said that not everyone would. He said sometimes friendly fraud isn't planned, and that charges are often refuted out of embarrassment or some unforeseen circumstance.
Editor's Insert: "Users are more at risk from malicious websites that steal credit cards than ever before, according to the latest IBM X-Force 2009 Mid-Year Trend and Risk report. The report's findings show an unprecedented state of insecurity as web client, server and content threats converge to create an untenable risk landscape." (Source: ComputerWeekly)
Mott added that PaySecure could set the stage for a shift to the exclusive use of PIN debit online.
"With this, somebody like Acculynk and somebody like NYCE or PULSE can go to the issuer and say, 'All the bad guys are using signature debit, and you think you're getting more money on interchange [with signature] … but after you deduct all the chargebacks and charge-offs from the signature debit, you're really better off doing a PIN transaction,'" Mott said.
Fraud's hidden costs
Mott noted that "PIN debit is significantly the most popular form of payment for both consumers and merchants," and that issuers that favor signature for its higher interchange aren't always correctly calculating the total costs of additional fraud.
"It's not just the direct losses, but it causes all this noise – the customer service and all this stuff – and now you have a bigger problem on the consumer side," he said.