PIN Debit's Race To the Internet

  PIN-based debit transactions over the Internet have been a dream for years, yet making them a reality has proved difficult. Does the latest entry in the race have what it takes to win?
  Since the start of the e-commerce boom of the late 1990s, merchant acquirers have sought a way to make personal identification number-based debit a viable form of currency on the Internet. The argument in favor of PIN-based debit is that it will reduce the potential for fraud in a card-not-present environment because entering the PIN serves as a form of ID for the cardholder.
  Subsequently, the lower risk associated with PIN debit will translate into a cheaper interchange rate on PIN-based transactions, thus making the cards more attractive to Internet merchants.
  It's a great theory, but in reality attempts to get PIN-based debit to take root among Internet merchants have foundered. The primary stumbling blocks have been finding a way to get a card reader with PIN pad into the hands of cardholders and convincing consumers that their PIN is entered into a secure environment that cannot be compromised by fraudsters or computer hackers.
  Card experts point to American Express Co.'s struggles several years ago to seed the market with PIN pads by offering a free unit to its Blue card holders to show how tough it is to deploy a sizable base of PIN pads among consumers.
  Concurrently, every publicized hacking of a credit card database makes consumers all the more skittish about entering PINs on the Web, which is an unsecure public network. The chief security concern for consumers is that fraudsters can lift PINs and account data using spyware software that attaches to personal computers through an innocuous source, such as e-mail.
  Once that information is attained, a counterfeit debit card can be created and used to clean out the cardholder's demand-deposit account (DDA). Visa/MasterCard zero-liability policies as well as federal banking regulations aimed at minimizing cardholder losses protect credit cards and signature-based debit cards. But if a DDA is accessed fraudulently through a PIN-based debit card, the consumer has only the tiered protections available through the federal Regulation E.
  Unanswered Questions
  "Yes, PIN-based debit can in theory lower card fraud on the Internet and even give merchants a lower (interchange) rate for those transactions, but who is going to pay for the terminals and create the perception the network is secure?" asks John Gould, director of consumer credit for Needham, Mass.-based TowerGroup. "Until these questions are answered, PIN-based debit is not going to work over the Internet."
  One company that believes it has found a solution to these problems is Atlanta InstaPay Systems Inc., whose Kryptosima subsidiary last summer struck a deal to offer its PIN-based debit service to Internet merchants linked to the Tampa, Fla.-based Armed Forces Financial Network (AFFN). Kryptosima was merged into InstaPay, which is a public company, last year.
  Rather than rely on issuers to distribute PIN pads to consumers, InstaPay is using merchants as its distribution channel. InstaPay's business model is that Internet merchants will absorb the cost of the PIN pad in return for a more secure transaction and lower interchange on that transaction compared to what they pay for a credit card transaction.
  The idea is that merchants will first distribute the terminals to their best customers who generate the highest average ticket, thus lowering their initial distribution costs. As volume builds over the AFFN network, merchants connected to it will broaden their distribution base. Terminals will cost about $50, or possibly less, depending on the amount purchased.
  "We are driving this from the acquiring side of the market and having the merchant distribute terminals to their best or riskiest customers," explains Harry Hargens, president of InstaPay. "A card issuer can't expect to touch all their demand-deposit accounts when it comes to deploying terminals, because there is not a strong enough business case."
  InstaPay has signed a handful of merchants, including LaRose.com, a Jersey City, N.J.-based florist and gift shop with an average ticket of $55. It also has signed PayByCash.com, a Charlottesville, Va.-based Web site that offers access to Internet subscription sites for consumers who want to use direct debit or other alternative forms of payment systems designed for the Web, such as PayPal.
  The company also has signed a small travel agency, which it declines to identify, and is in discussion with airlines and a brokerage firm. In the case of the latter, Hargens says PIN-debit acceptance will be used as a way for the brokerage house to lower the cost of a wire transfer for its customers.
  Connecting Peripherals
  "Customers will only get charged the cost of the transaction, which is a lot less than the $15 or so they get charged to initiate a wire transfer," he says.
  Although InstaPay merchants have deployed about 500 terminals, Hargens expects the terminal base to grow significantly in 2004 when the company releases a new PIN pad that connects to a universal serial bus (USB) port on a personal computer, rather than to the keyboard as with the previous model. USB ports are an easy way for consumers to connect peripherals to their personal computer.
  Once high-volume, large-ticket Internet merchants are signed, InstaPay intends to target small and mid-sized Internet merchants and eventually provide consumers a way to reload value on prepaid cards online, says Hargens without being more specific.
  Merchants present InstaPay as they do any other payment option such as Visa, MasterCard, AmEx, Discover or e-check. Once at the digital checkout lane, the cardholder clicks on the payEncrypt logo, which is InstaPay's brand for its PIN-debit application, to launch a Java applet that turns on the PIN pad connected to her computer. Next, the cardholder selects the ATM/debit payment option, swipes her card and enters her PIN. Cardholder account data and the merchant ID are encrypted using SSL (Secure Socket Layer) technology three times during the transaction.
  After the processor has provided authorization, a transaction number and confirmation number are sent to the merchant. At no time does the merchant see the cardholder's account data or PIN. The cardholder receives confirmation of the transaction via e-mail from the merchant. "We are using the same encryption model as ATM and POS networks," says Hargens.
  Consumer Perception
  Nevertheless, consumer perception about security remains a major issue, as the tools available to computer hackers have become more sophisticated. One such tool is a worm, which can attach to a computer when a consumer visits a Web site or receives an e-mail. Once the worm attaches itself to a PC or laptop hard drive, it can secretly open files and relay information entered into the system, such as passwords, to the hacker who launched it.
  That hackers can attain the ability to monitor a home computer is a frightening thought for consumers at a time when they are becoming increasingly concerned about privacy.
  "All you need is one breach of the system and consumer confidence goes out the window," argues TowerGroup's Gould. "There are a lot of sophisticated ways to break into computers, just as there are to lift PINs in stores at the point of sale or from an ATM using cameras and other devices. Consumers have to be confident no Trojan horse is lurking before they will feel confident using PIN debit over the Internet."
  Consumer fears that criminals will abscond with their PIN if they use their debit cards to make a Web purchase is the key reason why Ottawa, Ontario-based ModaSolutions Inc. opted to exclude the use of PINs from its Internet payment service.
  ModaPay, which has been launched in Canada, is based on Internet bill-payment applications. After clicking on the online banking icon at the checkout page, the consumer enters the amount of the payment. The data are encrypted and sent to ModaSolutions' online banking gateway. An e-bill is then generated and sent to the consumer that can be paid online through his bank. When payment has been processed the consumer receives an e-mail confirmation. Funds are routed directly to the merchant.
  "We moved away from the use of PINs for reasons of security and the perception of security," says Marwan Forzley, chief executive of ModaSolutions. "The bill-payment model is a familiar approach to consumers and secure. We wanted to tie into the behavior people are used to when it comes to making payments over the Internet."
  ModaSolutions intends to launch its service in the U.S., according to Forzley, who declines to reveal the size of the company's merchant base.
  "Credit cards are the dominant form of payment on the Internet, but there is a segment of the population that does not use cards online or simply does not have a card," he says. "About 20 million people in the U.S. do not have a credit card and another 40 million have limited credit lines."
  A Challenge
  Reaching those people with debit-based Internet solutions, as well as consumers with sterling credit ratings, remains the challenge. Payments experts doubt many merchants will absorb the cost of seeding the market with PIN pads, even if they can reduce fraud and receive a lower interchange rate on PIN-debit transactions.
  "I don't see merchants underwriting the cost of a PIN pad just because they can save money on interchange," says Steven A. Rathgaber, executive vice president and chief operating officer for Woodcliff Lake, N.J.-based NYCE Corp. "Merchants really can't afford to distribute PIN pads to individual consumers for use on their personal computers. That model was tried during the Internet boom and failed. Remember, it took more than a decade to get PIN pads at merchant locations."
  NYCE, which operates the nation's second-largest electronic funds transfer network, in 2001 shelved plans to launch its SafeDebit solution after it became clear the market was not ready to embrace the product. In tests, cardholders received a SafeDebit CD-ROM debit card that, when activated on a PC, allowed the user to enter a PIN using the computer's keyboard. Cardholder data and PINs never passed through the merchant's server. NYCE intends to reintroduce a modified SafeDebit, but has set no timetable.
  That NYCE, which operates a national EFT network with a trusted brand, was unable to successfully launch a PIN-based debit application for online purchases raises questions about the long-term viability of InstaPay. Although AFFN has about 84 million cardholders, it is considered a closed network: one limited to active and retired military personnel and their families. Many AFFN cardholders shop at post exchanges on military bases and merchants that cater primarily to military personnel.
  InstaPay's Hargens counters that although AFFN serves military personnel and their families, banks that join the network typically allow their entire card base to access the network.
  "That only military personnel can use AFFN is a misperception and we point that out to merchants," says Hargens, who adds the company is talking to other networks about payEncrypt.
  Nevertheless, some merchants that accept payEncrypt are not deploying PIN pads to their customers, because InstaPay volume does not warrant it. "We accept InstaPay, but our volume is light," says Daniel Dachille, president of LaRose.com, which also operates a retail store. "We hope PIN debit will deliver incremental sales online, but we are not in a position to deploy terminals. We feel it is up to InstaPay and banks to address that issue."
  LaRose.com will accept InstaPay transactions from consumers that have received PIN pads from other InstaPay merchants.
  Hargens argues that while LaRose.com is not deploying terminals, the fact it accepts payEncrypt is the first step in building enough volume to warrant PIN-pad deployment.
  Nevertheless, the solution to getting enough PIN pads into the market to generate sufficient volume to draw merchant support remains elusive. Many payment experts argue that any PIN-based debit product will require the support of Visa USA and MasterCard International, as they have the most trusted brands in the payments business.
  'A Virtual PIN'
  Others, however, argue that the solution lies in developing a secure, consumer-friendly software application that does not necessarily require cardholders to attach a PIN pad to their computers to make Internet purchases.
  "Asking a consumer to add a device to their computer is cumbersome, even if the device is free," says Cindy Ballard, executive vice president for Pulse, the third-largest EFT network. Houston-based Pulse had planned to offer SafeDebit before NYCE shelved the product.
  "The solution really needs to be more software-based than hardware-based, and secure and user-friendly enough that consumers are comfortable using it," continues Ballard. "One possibility might be having a virtual PIN-pad pop-up on the screen, just as they do now in stores on some POS terminals. Right now all the pieces are not in place for PIN debit on the Internet."
  Without a doubt, advocates of Internet PIN-based solutions have shown it is possible to launch such a product and make it secure. What they have not been able to demonstrate is that such a product will fly with merchants and consumers. Until then, efforts to bring PIN-based debit to the Internet can be equated to salmon attempting to swim upstream to spawn. Expect many failed attempts before the first success.