Web Retailer Tries a Fiserv System for PIN Debit

(From ATM&Debit News)

Fiserv Inc.’s Accel/Exchange debit network and a payment vendor are teaming up to give PIN debit — often deemed too risky for use in cyberspace — another shot on the Internet.

This month J. Paul Co., a Dallas retailer of promotional merchandise, began using a system developed by ATM Direct, an Irving, Tex., division of Solidus Networks Inc. in San Francisco.

For now online PIN debit transactions are limited mostly to employees of Accel/Exchange and employees of the card issuers that are part of its 20-member Network Advisory Council.

The testers must use one of about 120 special PIN debit cards, though Fiserv plans to eventually expand that number to 1,200. (Fiserv would not name the issuer.)

Fiserv plans to roll out the option gradually to all of the companies that issue cards bearing the Accel/Exchange mark. There are about 80 million such cards now in circulation.

Mike Williams, Fiserv’s senior vice president of electronic funds transfer services, said the transition from initial tests to a full-blown pilot test program, and ultimately to a general rollout, has been slow because Fiserv, ATM Direct, and a third-party security assessor need to ensure the system’s security.

In 2000 the NYCE debit network of Montvale, N.J., tested a program that required cardholders to insert into their home computers CD-ROMs that held encrypted password and card information. First Data Corp.’s Star debit network once carried transactions for 1,000 Citibank customers to test smart cards and readers the bank had distributed for use with home computers.

Neither program survived, partly because of the extra equipment necessary. ATM Direct’s system requires shoppers to download software, but it does not require the distribution of millions of disks or readers.

Steve Bacastow, the founder and partner of Collective Dynamics LLC, an Atlanta consulting firm, said PIN debit has no place on the Web. “I think it’s going to be disastrous for PIN debit, with little benefit for consumers.” The ATM Direct system may be secure now, but it will have to remain many steps ahead of data thieves, he said.

But Robert Ziegler, the general manager of ATM Direct, said its new system complies with the same encryption-security standards as PIN debit systems for transactions initiated at the point of sale.

“We haven’t had to lower the standards in order to implement this on the Internet,” Mr. Ziegler said. “We’ve had to increase the controls, the cryptographic processes, on an order of magnitude above what people do” in the brick-and-mortar space.

Online merchants that want to use ATM Direct’s system to accept PIN debit payments will display an ATM Direct link alongside other payment options on their Web sites. The PIN-encryption data will bypass the merchants, Mr. Ziegler said.

The ATM Direct system requires cardholders to download a driver and related software. Some of the software will search the cardholder’s computer for spyware and other malicious programs.

It also downloads a unique code to identify the consumer’s computer to ATM Direct; that code serves as an additional layer of authentication. The system prompts people to use their mouse to click on an image of a PIN pad, avoiding keystrokes that keylogger viruses can detect and transmit to criminals. The software converts the clicks into an encrypted PIN, which is forwarded to the issuer for authorization.
