Canadian Firm Seeks To Change The E-Commerce Experience

By Will Hernandez

Heightened attention to data breaches tied to point-of-sale software and online shopping carts is bolstering a security-engineering company's argument that the use of PINs on the Internet can be done securely only using hardware—a payment card terminal that attaches to consumers' personal computers.

HomeATM ePayment Solutions, which is based in Montreal, is close to piloting a personal card-swipe device and PIN pad that consumers plug directly into a PC's USB port. The system requires no installation or software. When consumers check out at a participating merchant's Web site, the site prompts them to use the device to swipe their card and enter their PIN to complete a transaction.

If a pilot is conducted and is successful, the hardware will provide peace of mind for the consumer while turning card-not-present interchange rates to cheaper card-present rates for merchants, contends Kenneth Mages, HomeATM chairman and CEO.

The company has an agreement with a major electronic funds network to begin the pilot, but first HomeATM wants to secure participation from a large, Tier 1 merchant, Mages says. Tier 1, or Level 1, merchants process more than 6 million transactions per year. Several merchants are being considered, including a major U.S.-based airline, which Mages declined to name. The device, called SafeTPIN, received Payment Card Industry Data Security Standard certification last week.

"It's a lot more acceptable now to plug something into the USB port," claims John B. Frank, HomeATM executive advisor. "Combined with all these breaches, it's time for people to make some new decisions."

Heartland Payment Systems Inc. was the latest company to report a breach. Last month, the Princeton, N.J.-based payment processor announced hackers breached its processing network last year and captured the credit and debit card numbers and expiration dates of an undisclosed number of cards.

While the magnitude of the Heartland breach has yet to be determined, study results suggest fraudsters have matched or surpassed the payments industry's efforts to protect cardholder data. Since 2001, 72% of all data breaches in North America occurred via point-of-sale software, while 23% occurred through online shopping carts, according to a report by Chicago-based data-security company Trustwave. About 1% of breaches occur because of a hardware breach.

But those findings have not stopped two EFT networks from planning pilots to test their own software-based systems for Internet PIN-debit purchases (ADN, 11/20).

The Accel/Exchange network's system would enable consumers to enter their PINs on a virtual PIN pad that appears on the computer monitor during checkout. NYCE Payments Network LLC, which is based in Secaucus, N.J., is piloting a new version of SafeDebit, which creates virtual debit card information for one-time use and automatically fills in the required payments fields on the merchant's checkout screen. No PIN is required to make purchases, but the consumer still must use a user name and password.

An earlier version of SafeDebit used a CD-ROM that consumers put in their PCs to enter their PINs instead of keying in the numbers. It, like some at-home card-swipe devices rolled out nearly a decade ago to enable PIN-debit transactions online, including the eConnect eCash pad, failed, mostly because no one was willing to distribute them and consumers were not demanding them.

Consumer Adoption

Research found consumers were unwilling to attach peripheral devices to their computers to support PIN-debit payments online, and consumers generally were satisfied shopping online with credit or debit cards, which did not require a terminal or PIN information.

Adil Moussa, an analyst at Boston-based Aite Group LLC, believes consumers still may be unwilling to use such a device. "People want easier and simpler things to use," he says. "Asking people to have another device on their desk for their online shopping is not really a way to achieve that."

NYCE contends its revised product is safe because it "uses authentication along the lines of online-banking protocols," a company spokesperson tells ATM&Debit News. Morris Plains, N.J.-based Accel/Exchange says its product is safe, despite opposing views from some industry observers.

Security and privacy analyst Avivah Litan is against any software or Web-based PIN-entry products. "The holy grail for criminals is PINs and ATM cards," says Litan, who is vice president of Stamford, Conn.-based Gartner Inc. She says her discussions with fraud-intelligence teams reveal fraudsters keep such data off the black market because they view PINs and ATM cards as instant cash access.

"I would highly recommend [to any consumer] not entering their PIN anywhere on the Internet unless it was hardware-based," Litan says.

HomeATM's device uses Secure Sockets Layer (SSL) encryption among the personal computer, HomeATM's data center and the merchant, and a virtual private network between the company's data center and processor. HomeATM acts as the downstream processor, Mages says. HomeATM has a relationship with Brookfield, Wis.-based transaction processor eFunds Inc., which is owned by Jacksonville, Fla.-based Fidelity National Information Services Inc., to switch the transactions.

"We also encrypt the Track 2 data, which is not done at the retail level," Mages says.

HomeATM claims using hardware is safer because "it's dually authenticated like it is at the brick-and-mortar stores."

While merchants and consumers benefit from better security, less-expensive interchange rates should entice merchants to distribute the devices to their customers, Mages says.

Merchants can save more than 75 basis points on card-present transactions compared with card-not-present, according to a merchant-services guide San Francisco-based Wells Fargo & Co. released last year. For example, swiped card transactions can save merchants $7.50 per $1,000, HomeATM's Frank says.

"To put it in perspective, that's a $7.5 million dollar interchange savings for a $1 billion retailer converting its customers to a card-present environment," he says.

HomeATM has faced different challenges in bringing its device to mass market. As with many businesses, the economy hurt the company's aspirations to bring the POS terminal to the consumer sooner.

Before last year's financial meltdown, HomeATM held discussions with a major financial group to distribute 50 million devices for use with online banking. Mages believes swiping a card and entering a PIN is the only secure way to log in to a bank's online-banking portal. "We literally mirror the existing, trusted bank technology," Mages says.

The manufacturing price also was a factor. At one point, the terminal cost was $40. It is now down $15, thanks to a smaller and cheaper application-specific circuit chip. The manufacturing price shrinks to $5 for an order of 1 million units, Mages says.

ASIC chips help power such electronic products as calculators, DVD players and mobile phones. "There are so many ASICs supplied by chip companies, and they cost pennies," Mages says.

Merchants distribute the devices to consumers after purchasing them from HomeATM.

Consumer and merchant adoption will determine HomeATM's success, Litan says. "It's always the chicken-and-egg problem," she says. "Consumers will not start using these devices until merchants accept them, and merchants will not accept them unless there are huge incentives."

Merchant incentives, namely cheaper interchange rates, are in place, Mages contends.

The next step is securing a major merchant willing to distribute the device for the cost of shipping. "The trick is finding someone with a big market presence that's willing to introduce something new to the market," Litan says.

