Secure Payments, PCI DSS, Regulatory Compliance Blog

Online PIN Debit; Great Idea or Not so Great Idea?

October 26th, 2008 by cmark Posted in PCI PIN, Vendors

I (Chris) want to thank Susan Kohl for sending this over. Digital Transactions has published several articles on new technology intended to bring PIN debit to eCommerce sites. Read the article here.

In short, the technology presents the buyer with a floating ‘PIN pad’ on the screen. The buyer enters the debit PIN there, and the merchant can then debit the buyer’s bank account for payment immediately. From a convenience perspective this is very compelling, but I have to admit it also gives me pause. There are a number of potential issues with this technology. I am sure (or at least hoping) the companies, banks and card brands are working through them, but they merit discussion here anyhow.

From a security perspective the technology troubles me. My first thought is keystroke logging and other malicious software on the buyer’s PC. People will rightly point out that the same malware threatens traditional eCommerce transactions. That is accurate. In this scenario, however, it is PIN data, not just card data, that is entered and transmitted, and as discussed in the earlier entry ‘PIN or PEN’, there may be no limit to the liability that follows a PIN compromise. It also brings another question to light.

If this is a ‘card not present’ transaction, where is the PIN Verification Value (PVV) or PIN offset stored? In a traditional PIN debit transaction it is carried in the discretionary data on the card’s magnetic stripe: the terminal reads it along with the PAN, and the issuer (or its processor) recomputes the value from the PAN and the entered PIN under a secret key and compares the two. One benefit of that design is that a data thief who obtains a PIN and only the primary account number cannot conduct PIN-based transactions, because the value the issuer checks against travels with the card. If the card never has to be presented, the PVV must live somewhere else, presumably in an issuer database, and it appears that a fraudster who obtains the PAN (or other card data) plus the PIN could then conduct transactions.
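To make the “where is the PVV stored?” question concrete, here is an added example written for this page (it is not code from the post, from Digital Transactions, or from any vendor mentioned). It models a PVV-style PIN check in Python. The real Visa PVV method 3DES-encrypts a 16-hex-digit block (11 PAN digits, a key index, 4 PIN digits) under a PIN Verification Key and then decimalises the result; here HMAC-SHA256 stands in for the 3DES step so the example runs on the standard library alone, while the block layout and decimalisation rule follow the real scheme. The Track 2 discretionary-data layout, the key, and the PAN/PIN/expiry values are assumptions and constructed sample data.

```python
"""Added illustration: a PVV-style PIN check, card-present versus card-not-present.
Not code from the original post or any vendor.

Assumptions (constructed for this example):
  * HMAC-SHA256 stands in for the 3DES-under-PVK step of the real Visa PVV method.
  * Track 2 discretionary data holds the PVKI in its first position and the
    PVV in the next four; that layout is an assumption, not a standard.
  * PAN, PIN, key, expiry and service code are made-up sample values.
"""
import hashlib
import hmac

PVK = bytes.fromhex("0123456789abcdeffedcba9876543210")  # sample issuer key
DEFAULT_PVKI = "1"                                        # key index digit


def transformed_security_parameter(pan: str, pvki: str, pin: str) -> str:
    """11 rightmost PAN digits excluding the check digit, then PVKI, then the PIN."""
    if not (pan.isdigit() and len(pan) >= 12):
        raise ValueError("PAN must be at least 12 digits for this layout")
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("PIN must be exactly 4 digits")
    return pan[-12:-1] + pvki + pin


def decimalise(block_hex: str) -> str:
    """Visa-style decimalisation of a 16-hex-digit block: take the first four
    decimal digits; if fewer than four exist, append A-F mapped to 0-5."""
    digits = [c for c in block_hex if c.isdigit()]
    if len(digits) < 4:
        digits += [str(int(c, 16) - 10) for c in block_hex.lower() if c in "abcdef"]
    return "".join(digits[:4])


def compute_pvv(pan: str, pin: str, pvki: str = DEFAULT_PVKI, key: bytes = PVK) -> str:
    """PVV = decimalise(keyed_function(TSP)); only the key holder can compute it."""
    tsp = transformed_security_parameter(pan, pvki, pin)
    block = hmac.new(key, tsp.encode(), hashlib.sha256).hexdigest()[:16]
    return decimalise(block)


def issue_card(pan: str, pin: str, expiry_yymm: str = "1012", service_code: str = "201") -> str:
    """Build the Track 2 string the issuer encodes on the stripe at personalisation."""
    pvv = compute_pvv(pan, pin)
    return f";{pan}={expiry_yymm}{service_code}{DEFAULT_PVKI}{pvv}?"


def parse_track2(track2: str) -> dict:
    """Track 2 layout: PAN '=' YYMM service-code discretionary-data."""
    pan, rest = track2.strip(";?").split("=", 1)
    disc = rest[7:]
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "pvki": disc[0], "pvv": disc[1:5]}


def verify_card_present(track2: str, pin: str) -> bool:
    """Swiped transaction: the PVV arrives with the card; the issuer needs only
    its key. PAN + PIN without the stripe cannot produce this request."""
    t = parse_track2(track2)
    return hmac.compare_digest(compute_pvv(t["pan"], pin, t["pvki"]), t["pvv"])


def verify_card_not_present(pan: str, pin: str, pvv_store: dict) -> bool:
    """No stripe is read, so the PVV must come from the issuer's own records;
    the submitter supplies nothing but PAN and PIN."""
    rec = pvv_store.get(pan)
    if rec is None:
        return False  # nothing to compare against: the PIN cannot be checked at all
    return hmac.compare_digest(compute_pvv(pan, pin, rec["pvki"]), rec["pvv"])


if __name__ == "__main__":
    pan, pin = "4000123412341234", "1234"   # constructed sample values
    track2 = issue_card(pan, pin)
    print("card present, right PIN :", verify_card_present(track2, pin))
    print("card present, wrong PIN :", verify_card_present(track2, "4321"))
    # To accept the same PIN online, the issuer must hold the PVV itself ...
    store = {pan: {"pvki": DEFAULT_PVKI, "pvv": parse_track2(track2)["pvv"]}}
    print("CNP with PAN+PIN only   :", verify_card_not_present(pan, pin, store))
    # ... and without that record the PIN cannot be verified.
    print("CNP, no stored PVV      :", verify_card_not_present(pan, pin, {}))
```

The two verify functions are the point of the example. In the card-present path the PVV comes off the stripe, so a thief holding only the PAN and PIN has nothing to submit. In the card-not-present path the same check can only succeed if the issuer keeps a PVV record for the PAN, at which point PAN plus PIN is all a submitter needs; and if the issuer has no such record the PIN cannot be verified at all. Either way the PVV has to be stored and served from somewhere other than the card, which is exactly the question the paragraph raises.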

The technology is being touted as a benefit to issuers and merchants, but interestingly nothing has been said about a benefit to cardholders beyond the claims that there is ‘demand’ for PIN-based transactions and that they will be ‘convenient’. If someone obtains my PIN and can empty my bank account immediately, I would call that ‘less convenient’ for me. And since I may not have the same liability protection that signature-based transactions afford, the problem only compounds.

It is inevitable that PIN-based debit transactions arrive online at some point. I think it is another example of the US’s pursuit of convenience over security. While the rest of the world moves toward Chip and PIN and end-to-end encryption, we are moving toward RFID and PIN debit for online transactions.

8 Responses to “Online PIN Debit; Great Idea or Not so Great Idea?”

By Jony Rosenne on Oct 26, 2008

If it is the same PIN as used in ATM and POS transactions this is clearly both unsafe and against the rules (PCI-PED).

If it is a different PIN then it is just a spin.

By Walt Conway on Oct 27, 2008

Reading the article, the proposed service is aimed at Air Travel Card holders and is designed to “add alternatives to credit cards for online ticket purchases.” I don’t think PCI would apply: it would be for PIN-based debit and would presumably not use the card brands’ networks. Therefore I go back to Chris’ theme (and the earlier comment): this is just a stupid solution searching for a problem.

By EK on Oct 27, 2008

I have been convinced for years that debit on the Internet is a very bad idea, especially for the consumer. This article just touches on my concerns.

The absolute worst is that most consumers think their debit card has the same liability protections as their credit cards.

By Chuck Phipps on Oct 29, 2008

I have been convinced for years that debit on the Internet is a very GOOD idea, especially for the merchant. Both of the contenders for this application have already addressed the spyware and security threats, and one of them gives the cardholder a USB-connected mini-swiper. That makes it a card-present transaction for an eCommerce merchant, which is what they need.

By nnanna ebiri-okoro on Nov 4, 2008

Jony, do you mind explaining why you refer to it as a spin?

By John B. Frank on Nov 5, 2008

Thanks for this insightful article. I am familiar with both “contenders.” I was a founding shareholder of Pay By Touch (which purchased ATM Direct, now renamed Acculynk).

To learn more about PIN based transactions and the security issues involved with bringing PIN Debit to the Internet, visit the HomeATM PIN Debit Blog at http://PINdebit.blogspot.com

By Tom Cannon on Nov 13, 2008

If you want to see the future, see Secured Lock from SeerGate. A true global PIN Debit solution, and it benefits all. Financial information is never stored, nor compromised. The patented technology has broad application.

Call or email for more info. Q1 2009 live in US.

By Tom Cannon on Nov 13, 2008

tcannon@seergate,com or tcannon@whitehall.ws for Secured Lock PIN Info
