CNP Expo: Are PINs the Key to Increasing Debit Use Online?
May 21, 2014
Forty-five percent of online merchants in North America haven’t implemented customer authentication out of concern for customer experience. John Ambrose, director of product strategy at Canadian debit network Interac, began a Tuesday afternoon discussion of card-not-present PIN debit transactions with that grim statistic. But, debit cards are cheaper for merchants to accept and they offer an authentication method consumers already are comfortable with: PINs. Could they be the answer?
“They have trouble remembering passwords, but they already remember PINs on a regular basis,” said Nandan Sheth, president and COO of Acculynk.
Terry Dooley, senior vice president and CIO of debit network Shazam, explained that card issuers are reluctant to get on board: “Issuers are concerned that if debit transactions are authenticated, the liability falls to them, so they want control over the validation of the transaction.”
Whereas the PIN pad at a brick-and-mortar store allows merchants to meet the issuers’ security requirements, there is no standard online transaction security for debit cards.
Sheth argued that “time is of the essence” in finding a way to integrate CNP PIN debit into merchants’ accepted online payment methods. The middle class in Brazil and China is growing now, and there is demand for U.S. goods there.
“There is a growing need to enable foreign consumers, who have only cash or PIN debit cards,” he said. “That market is growing now,” and U.S. merchants can’t afford to wait for other solutions to emerge.
The recent data breaches have led to an industry-wide search for a solution, like tokenization, that will take card data out of online transactions. According to the panelists, PIN-debit technology has already been proven to work and to be scalable. When a PIN is captured, it goes through multiple steps of mapping and coding that Sheth believes are as safe if not safer than the steps we take to secure credit card data.
And, Dooley points out that “there isn’t a single tokenization standard for card data yet, so we’re looking at all this fancy stuff to make card data irrelevant, but if we just use PIN data, well, PIN makes that data irrelevant already. So why are we spending all this money trying to develop new technology and new security standards? We’ve got PIN technology that works now.”