Friday, February 10, 2006

Pay by Touch to Test PIN Debit on Web

ATM Direct Says It Will Test PIN Debit on the Web in 2006

A technology that allows consumers to use their debit cards and PINs to buy items on the Internet will likely undergo tests with at least one electronic funds transfer network starting the first half of 2006.

A full commercial rollout involving at least one major merchant should be in progress by the end of 2006, says ATM Direct, the Irving, Texas-based company that invented the technology, which relies on a screen-based "floating PIN pad" to let cardholders enter PINs by means of mouse clicks rather than key entry.

The company, whose assets were acquired out of bankruptcy this year by Pay By Touch Solutions, the San Francisco-based biometric-payment processor, is already in discussions with Internet merchants and hopes to secure agreements to flow transactions through regional EFT networks beyond ACCEL/Exchange, the Bellevue, Wash.-based network with which it expects to conduct a pilot next year. "We're in aggressive conversations with a majority of the EFT networks," says Robert Ziegler, senior vice president and general manager for ATM Direct.

Ziegler says the only EFT network he hasn't approached is Interlink, which is owned by Visa USA. "I hope that they will see the value in this market opportunity and be as receptive as other EFT Networks have been as we go to market in 2006,” says Ziegler.
ACCEL/Exchange, a unit of banking processor Fiserv Inc., says it has been in talks with ATM Direct for some time and is in the midst of planning its pilot of the company's system. "There is going to be demand for this product" among consumers to whom the security of PIN debit will have appeal for e-commerce, says Mike Williams, senior vice president at the network. No definite specifications have been settled on yet, says Williams, but he says it "will have a limited scope and will be very regulated."

Ziegler says that, as part of on ongoing marketing and promotional activity, the initial bank, which he won't name, will be the primary issuer of the debit cards. He figures it will send out about 50 to 100 cards per month to key “influencers,” including industry analysts and merchants, each of whom will receive a PIN-protected card that can be used at participating merchant sites. An unnamed merchant in Dallas will be the first site operational in 2006.

A launch by ATM Direct of PIN-based online payments would represent the latest effort to bring debit secured by PINs or passwords to the Internet. NACHA, the rules-setting organization for the automated clearing house, is formulating a system whereby consumers could pay online from their checking accounts by authenticating themselves to their online banking programs (Digital Transactions News, April 13, 2005). And at least one other company, InstaPay Systems Inc.'s Kryptosima unit, has introduced a system that involves PIN pads that hook up to consumers' PCs (Digital Transactions News, Sept. 7, 2004).

Up to now, EFT networks have been loath to allow PINs to be used on the Internet, fearing the potential for fraud. Only in the past couple of years have they allowed so-called PIN-less debit transactions, in which consumers can pay bills to a limited range of organizations using their PIN debit accounts but without entering a PIN. For this reason, ATM Direct's technology, on which it has seven patent applications pending at the US Patent and Trademark Office, has the potential to open the broad world of Web-based retailing to PIN debit, a rapidly growing form of electronic payment. "Our revenue opportunity is quite large," says Ziegler.

ATM Direct will charge online merchants directly for each transaction, absorbing network interchange fees and building them into its own pricing. Ziegler won't reveal ATM Direct's merchant fee, but projects that for most merchants it will be roughly half what they currently pay for card-not-present transactions.

ATM Direct's system works by downloading digitally unique code to the consumer's desktop, setting up a process of multi-factor authentication in which the company can authenticate the consumer by recognizing the code and by means of technology such as geo-location. The company also sweeps the consumer PC for keyloggers and other trojans. "We turn the consumer's PC into a recognizable point-of-sale terminal" on ATM Direct's network, Ziegler says. The company can also present out-of-wallet questions, set up by consumers when they enroll with merchants or online banking programs, in cases when it suspects something is amiss.

"We're looking at over 300 data points in real time to determine if this terminal is trusted," says Ziegler. This process includes matching shipping and billing addresses and performs online address verification with third-party databases, he says.

When the consumer is ready to buy and ATM Direct is satisfied the PC is secure, the system presents on the screen a keypad for PIN entry. The pad is called a floating PIN pad because a different numerical configuration is presented each time. This process disables the computer keyboard, allowing entry only by mouse click. Ziegler says that while the clicks initiate the PIN acquisition process, they don't yield the actual PIN. PIN acquisition is triggered by another process underlying the virtual PIN pad, details of which he won't discuss. "This gets into our secret sauce," he says.

Once this process is complete, ATM Direct returns a signed token to the merchant, asking if the merchant wants to go forward with authorization. If so, it creates a transaction message, including a PIN block with PINs encrypted at two-key triple DES, to go to the relevant EFT network for authorization and settlement at the issuing bank. "We look exactly like a PIN debit processor" to the network at that point, says Ziegler.

ATM Direct's efforts to process PIN transactions for online merchants represents a thrust by Pay By Touch, which secures physical point-of-sale payments by means of mathematically derived fingerprint templates, into the virtual world. It's also the second major initiative launched by Pay By Touch regarding PINs. As reported by Digital Transactions News earlier this week, the company is in discussions with EFT networks to allow biometrics as a proxy for PINs for in-lane payments. Pay By Touch says one undisclosed network has already changed its operating rules to permit the biometric proxy (Digital Transactions News).