[IMGCAP(1)]
Now that its personal card-swipe device and PIN pad have received certification from the Payment Card Industry Security Council, HomeATM ePayment Solutions plans to target the person-to-person funds transfer and online banking authentication markets.
The Montreal-based company recently signed a deal with a foreign remitter that would enable consumers to wire funds from the U.S. to their home countries using its SafeTPIN device. The remitter is set to distribute 250,000 devices, according to Kenneth Mages, HomeATM chairman and CEO. Mages declined to reveal the foreign remitter or where it is based.
"Once those [250,000] units are out there, they do us a lot of good because they can be used for any merchant who wants to use our payment method," Mages says.
HomeATM's device plugs directly into a PC's USB port. The system requires no installation or software. If used in an online-merchant environment, the Web site prompts consumers to use the device to swipe their card and enter their PIN to complete a transaction (ADN, 2/12).
"The [PCI] certification removes the merchant from the scope of [Payment Card Industry Data Security Standard compliance] since the device is already certified," says John B. Frank, HomeATM executive advisor. If a breach occurs with SafeTPIN, the responsibility is on HomeATM, not the merchant, because the device is certified.
Last week, HomeATM visited SourceMedia's Chicago office to demonstrate the person-to-person funds-transfer capabilities of the company's device.
When prompted at a dedicated Web site, the sender enters his name, e-mail address and the recipient's name and e-mail address. The sender then selects a security question, the answer to which both parties know. An amount is entered, and the sender can choose between an instant transfer or one scheduled for sending later.
After the sender fills in the required fields, the Web site asks to confirm the security question answer and the recipient's e-mail address. The sender then selects a payment type–credit or debit–and is prompted to swipe his card through his reader and enter a PIN. A screen then appears to show the transaction is complete.
Both the sender and recipient receive an e-mail message about the transaction. The recipient clicks the hyperlink included in the e-mail and is transferred to a Web site to complete the transaction. The recipient enters the security question answer and then swipes his card through his own reader and enters a PIN. The funds instantly are transferred to the recipient's checking account.
The process takes less than five minutes.
"It's user friendly," Frank says. "Consumers know how to go to a retailer, swipe their card and enter a PIN."
Mages says the company has not determined how much the devices will cost merchants and financial institutions, but it will be on them to distribute SafeTPIN to consumers.
HomeATM will display and demonstrate the device at this month's Electronic Transactions Association trade show in Las Vegas. The company will share a booth with Brookfield, Wis.-based transaction processor eFunds Inc., a unit of Jacksonville, Fla.-based Fidelity National Information Services Inc.
Mages' hope is financial institutions will realize SafeTPIN is the only secure method to log into an online banking environment. "If someone puts malware on your computer and they are keylogging the strokes or they phished you to a third party, they are going to be able to read your bank account," he says.
Paul Turgeon, who helped created NYCE's original SafeDebit product, agrees with Mages. The Federal Financial Institutions Examination Council has required two-factor authorization for online banking for some time and "almost no one is doing it," Turgeon claims. "And no one I know is doing it very well," he adds.
Login credentials required for online banking can be hacked, Turgeon says.
Turgeon believes HomeATM's device is a "reasonably affordable and very good" product, but the technology is not the issue. Merchants and financial institutions that would ship the devices to consumers want to know if they are making a good investment. "[For merchants] how many consumers is it going to get for me and [banks will ask] what is the interchange rate," Turgeon says.
He adds any kind of Internet PIN-debit product will face challenges until "some vehicle [comes along] to get enough mass to get both parties interested."
HomeATM's PCI certification comes at a time when the Accel/Exchange electronic funds transfer network is piloting its own software-based Internet PIN-debit product. That system enable consumers to enter their PINs on a virtual PIN pad that appears on the computer monitor during checkout (ADN,11/20). While Morris Plains, N.J.-based Accel/Exchange contends its product is secure, HomeATM disagrees and has cited a number of studies to support its position.
Since 2001, 72% of all data breaches in North American occurred via point-of-sale software, while 23% occurred through online shopping carts, according to a report by Chicago-based data-security company Trustwave. About 1% of breaches occur because of a hardware breach.
Mages and Frank both say they are concerned with what happens with a software-based system because of what a breach would mean for HomeATM's prospects. "It's not so much that we are jealous of [Atlanta-based] Acculynk [Inc.] (which is partnering with Accel/Exchange), for lack of a better word," Frank says. "We're concerned if a breach occurs, then the whole ecosystem gets messed up and that affects us."
A breach on a software or hardware Internet PIN-debit product would be "very damaging" from the consumer point of view, Turgeon says. "If it were to get hacked, then I would think the merchant community would ask what's the upside to [Internet PIN-debit]," he adds. ATM
