DENNIS F. LYNCH Vice president, electronic banking Fleet Financial Group Providence, R.I.
PIN-based identification has been and is now a secure form of user identification for ATM usage. At present, PINs authorize over 8 billion transactions a year. Losses association with ATM activity are overwhelmingly the resulted of adherence to stringent consumer rights and not due to systematic or ad hoc breaches in PIN-based architecture.
When financial institutions and associated processors manage PIN-based transactions with proper care, such as encryption, file protection, audit controls, and activity reporting, the level of risk and pro rata losses are significantly lower than in mainstream payment systems like checks and credit cards.
Yet, with that said, the electronic payment system cannot stand still. PIN-based point of sale will create millions of service points throughout the world that by their nature will increase risk.
As we work toward the next generational change in user identification, like biometrics, the PIN-based system can and should be enhanced via initiatives such as plastic authentication, additional magnetic stripe card value verification, continuous surveillance systems, and more sophisticated behavioral tracking software.
PAUL SCHMELZER Vice president of marketing Deluxe Data Systems Inc. Glendale, Wis.
The PIN is still a cost-effective form of cardholder indentification. We have known for years that it has limitations, but when compared to the cost and reliability of alternative technologies, the PIN remains the reasonable choice.
The event at Buckland Hills Mall in Connecticut earlier this year has to be taken as a wake-up call for the industry. The experience demonstrated that the PIN is at risk as long s the magnetic stripe is vulnerable to counterfeiting. If we cannot successfully secure the magnetic stripe, significant investment in some alternative technology will eventually be required.
Alternative technologies include an array of biometric experiments in weird science. It's hard for me to imagine the consumer embracing such intrusive procedures as retina scans, voice prints or hand geometry -- may be for national security clearance, but not for a gallon of milk.
In behavioral terms, probably the best-chance alternative is signature verification, but the infrastructure cost of digitizing signatures, issuing chip cards, and upgrading terminal readers add up to a business case that still comes down solidly on securing the magnetic stripe, if we can.
BARRY J. ABRAMOWITZ Senior vice president, corporate operations Northeast Savings Hartford, Conn.
The current methodology for customer identification via the PIN is sufficiently secure for the present marketplace. Certainly, any system in place can experience a breach; however, this is not necessarily the case with a PIN.
The security problems experienced today are more the result of the behavior of financial institutions and consumers than of the technology's limitations. For example, if more customers were allowed to select their PIN rather than having it assigned, there would be no need to write the number on the card envelope or to keep it in the wallet or purse.
The same holds true for the card number, which should never be the actual account number. Without the PIN, the card is rendered useless. Close guarding of the PIN by the customer is the key to reducing fraud in today's environment.
Unfortunately, the ability to execute more technologically advanced fraud, as in the recent ATM scam in Connecticut, now places pressure on the industry to develop more advanced mechanisms for customer identification.
LARRY HANSON Senior auditor, electronic data processing California Federal Bank Los Angeles
Although PINs have been an adequate form of identification, it is time for an industrywide plan to strengthen this control.
Our concern over security has increased because of the broadened use of PINs for a wider range of products and services, such as point of sale and voice mail. Many people use the same PINs for multiple systems and do not periodically change them. This may compromise the PIN, because some of the services do not have the same level of security controls as ATM systems. Even with the existing ATM controls, however, there have been many incidents in which criminals have videotaped ATM customers entering PINs and then retrieved card numbers from abandoned receipts.
Of further concern is the use of only four-digit PINs, and the technological changes that make it increasingly easier to break encryption schemes.
A solution may be to use smart cards - which are standard cards with a computer microchip to generate dynamic PINs. This could provide better protection against tampering and would not require costly new hardware systems. Other ideas might involve requiring longer PINs or using new encryption algorhythms.
DON GIBBONS Senior vice president First Chicago Corp. Chicago
PINs presently provide adequate security for ATMs. ATMs are secure terminals and send encrypted messages to the cardholder's bank, maintaining the integrity of the network.
However, as the ATM card's utility is expanded to access multiple point of sale locations as a debit card, the present PIN security system will lose effectiveness.
A collusive merchant who can capture both the card's magnetic stripe data and the PIN will increase system vulnerability.
Both MasterCard and Visa are pursuing card authentication technologies which will verify to the cardholder's bank the authenticity of the card and reduce the danger of compromise.
Since no single solution is foolproof, constant vigilance and continuing technology improvements will be needed to provide ongoing ATM network security.
