A company called ATM Direct Inc. is developing a software-based system to let people use PIN-based debit cards for Internet purchases and is in discussions with bank card processors and electronic funds transfer networks that might buy it.
The Dallas company, founded in 1999, is one of several trying to bring to market a scheme that would make this kind of debit card relevant for e-commerce. Right now people can use signature-based Visa and MasterCard debit cards for Internet purchases by typing in the account number but cannot use PIN-based debit cards that are processed by EFT networks.
One such network, NYCE Corp., has come up with a product, SafeDebit, that would let people use PIN debit cards for online buying, but it is not yet being offered widely. ATM Direct says its product is easier to use than SafeDebit because it does not require the user to insert a CD-ROM.
Though it would benefit companies such as NYCE if people could do this type of transaction, there is no evidence that people are clamoring for PIN-based debit cards online.
ATM Direct's system is not even at the test stage, but it would put a payment icon at a merchant's Web site that would say "ATM Direct." When someone clicked on it, an image of an automated teller machine would pop up. First-time users would be directed to a "secure payment signup," where they could register with the company and be assigned a digital certificate; repeat users would be asked to enter a personal identification number on an on-screen keypad that is meant to mimic the familiar interface of an ATM.
"People are creatures of habit," said Tandy G. Willeby, chief strategist for ATM Direct, which is trying to get its software technology patented. He said the other PIN-based debit schemes are more cumbersome because they require "some sort of hardware that's sent" to the consumer and must be properly installed. "There's no way to justify that kind of expense with millions of people," Mr. Willeby said.
For security, the numerical keypad that people would use to click in their PINs is scrambled after every digit is entered so that the numbers do not appear in the same places on a nine-digit grid. ATM Direct said this feature would make it harder for an interloper to figure out another person's PIN.
"Someone would have to stand right behind you to figure out what your PIN is," said Robert Widner, chief executive officer of ATM Direct. A cardholder would get three tries to enter a PIN and after that would be locked out to prevent hacking.
After a PIN is entered, the transaction would be routed to an EFT network, then sent to the card-issuing bank. Neither the account number nor the PIN would be sent to the merchant or stored on ATM Direct's server.
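The scrambled keypad, three-try lockout and unstored PIN described above, sketched as an added example; it is not ATM Direct's code, which the article does not show. The ten-key 0-9 layout, the four-digit PIN length, all class and function names, and the `verifyPin` callback standing in for the EFT network and issuing bank's check are assumptions.

```javascript
const crypto = require('node:crypto');

const DIGITS = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']; // assumed key set

// Fisher-Yates shuffle driven by the CSPRNG, so the next layout is unpredictable.
function scrambledLayout() {
  const keys = DIGITS.slice();
  for (let i = keys.length - 1; i > 0; i--) {
    const j = crypto.randomInt(i + 1); // uniform integer in [0, i]
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys; // keys[position] is the digit drawn at that grid position
}

class PinPadSession {
  // verifyPin: hypothetical callback representing the issuer-side PIN check.
  constructor(verifyPin, pinLength = 4, maxTries = 3) {
    this.verifyPin = verifyPin;
    this.pinLength = pinLength;
    this.triesLeft = maxTries;
    this.entered = [];
    this.layout = scrambledLayout();
  }

  // Input is only the clicked grid position. A recorded list of click
  // positions is useless without the layout that was on screen for each click.
  click(position) {
    if (this.triesLeft === 0) return 'locked';
    if (!Number.isInteger(position) || position < 0 || position >= this.layout.length) {
      throw new RangeError('position outside the keypad');
    }
    this.entered.push(this.layout[position]);
    this.layout = scrambledLayout(); // re-scramble after every digit
    if (this.entered.length < this.pinLength) return 'more';

    const pin = this.entered.join('');
    this.entered = []; // the session keeps no copy of the PIN after the check
    if (this.verifyPin(pin)) return 'accepted';
    this.triesLeft -= 1;
    return this.triesLeft === 0 ? 'locked' : 'rejected';
  }
}
```

The scrambling only defeats observers who see click positions without the screen; anyone who can see or capture the rendered keypad learns the digits, which matches Mr. Widner's "stand right behind you" caveat.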
ATM Direct would store only a customer's digital certificate, which would include the person's name, address, e-mail, and a password that is not the PIN. That information would be kept in the company's "vault," which is a computer system off the network.
Mr. Widner said, "We figure less is more - the less you know, the better the system."
Before founding ATM Direct, Mr. Widner said, he was a lawyer specializing in Internet law, intellectual property, and patent law. He said he came up with the idea for the company about three years ago, when he noticed that Internet merchants were having problems with chargebacks.
Steve Schutze, the director of e-strategies for the American Bankers Association, called ATM Direct's system "an interesting concept."
"I'd like to dig under the covers more and find out how they're really handling the information," Mr. Schutze said. "They have to retain the PIN for a certain amount of time as they process the transaction. There's a log of what happened."
He said that some aspects of the system might make people nervous. "In the banking network, there are a whole lot of routines that make sure the PIN is secure," he said. "And a company comes along like this and says, 'Give me your PIN,' and as a consumer my first thought is, 'What do I know about them, and why should I give them my PIN?' "