of slightly related interest

http://www.garlic.com/~lynn/.2001g.html#57





Peter Yeatrakas <[EMAIL PROTECTED]> on 08/01/2001 05:22:31 PM

To:   Lynn Wheeler/CA/FDMS/FDC@FDC, [EMAIL PROTECTED]
cc:   CheeHoong Fok <[EMAIL PROTECTED]>,
      [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:  RE: Visa Debit Card




Lynn,
I believe your observation is correct; the issuer supplied the private key
on the security token (smart card) which was used to sign the required
information that was sent back through the ATM switch as part of the ISO
8583 message; I can't tell you if the format of the payment object was or
wasn't X9.59. The issuer (Commerce Capital Bank, in this instance) held
the public key and did the authentication of its customer and authorized
(or not) the merchant transaction. The pilot used existing ATM switch
infrastructure, but as noted above, a certificate WAS NOT provided to the
customer, only the private key. In fact there was discussion that a third
party could issue and hold the public keys and perform the authorization as
a third party service. Since the authorization is being directed back to
the issuer (or its TPS), PKI is not necessary for this closed
"authentication/authorization" system.

This was seen as one of three methods that might be used to enable the use
of ATM (debit) cards for Internet transactions. As you can conclude a
natural hurdle is the cost of the smart card and reader; in this case both
readers had PIN PADS as well. The UTM device could also read the Smart
Card mag strip. At least STAR/HONOR (recently acquired by Concord, I
believe) now has the technology in place and I understand that the ATM
rules will be adopted that will allow those merchants and financial
institutions to begin commercializing this approach.

I only offer this as information; I don't work in the card world, but I
participated for two years as an industry observer on the ISAP project on
behalf of the Western Payments Alliance, an ACH and Check Clearing House
for about 1100 financial institutions in seven Western States.

Since you also included another list, I provide the NACHA URL as
information. Here's the URL for the July 23 news release:

http://www.nacha.org/news/news/pressreleases/2001/PR072301/pr072301.htm

The results document that Lynn refers to has been completed but I am not
sure if publicly available. Chuck, since CommerceNet is a Council member,
you may want to see if it is something that you can share on your site.

Best regards,
Pete Yeatrakas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 01, 2001 5:05 PM
To: [EMAIL PROTECTED]
Cc: CheeHoong Fok; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: Visa Debit Card


Note that NACHA did do an online debit "AADS" trial last year with digital
signatures that appears to have been declared a success. Participants made
the necessary modifications to the online debit network infrastructure to
support online debit public key transactions. While
the format of the payment object wasn't exactly "X9.59" ... it was
reasonably close that it would appear that it could be converged to X9.59
w/o a great deal of trouble.

for misc. pointers to X9.59, AADS, and the NACHA trial ... see
http://www.garlic.com/~lynn/





Chuck Wade <[EMAIL PROTECTED]> on 08/01/2001 06:49:35 AM

Please respond to [EMAIL PROTECTED]

To:   CheeHoong Fok <[EMAIL PROTECTED]>,
      [EMAIL PROTECTED]
cc:
Subject:  Re: Visa Debit Card

CheeHoong Fok wrote:
>
> How is Visa Debit Card used for Internet Shopping
> Payment? Since all the sites I've seen only ask for
> the card number and expiry date, but no PIN. Is there
> any additional authentication mechanism to this?
>
> Thanks.
>

CheeHoong Fok,

There is some confusion regarding the two forms of debit cards
used within the United States.

Online debit cards are the original type of debit card (or ATM
card) that requires entry of a PIN to authenticate use of the
card. Note that industry rules require that the PIN be entered
via a secure keypad that immediately encrypts the PIN before
sending it to the bank that issued the card. Since only the
issuing bank is capable of decrypting this message, the PIN is
reasonably well protected, and every transaction is confirmed
with the issuing bank. Since it is not possible within web
transactions to encrypt the PIN at the point of entry, it has not
been feasible to utilize online debit cards over the Internet.
However, there are some new industry initiatives underway to
overcome this restriction.

Offline debit cards are a '90s innovation where a credit card
transaction is used instead of a PIN-entry "online" debit
transaction. However, instead of adding the amount of the payment
to the cardholder's account, the credit card transaction is
converted into a direct debit against the cardholder's checking
account. This is why these sorts of offline debit cards are
sometimes referred to as "check" cards. The Visa debit card you
refer to is an "offline debit card."

I find the terms "online" and "offline" confusing in this
context. Both types of transactions are truly online, so it is
awkward to explain why the term offline is used to describe the
credit card conversion.

Given that "offline" debit cards are completely equivalent to
credit cards as far as the merchants are concerned, you can use
one of these cards in any situation where a credit card would be
accepted--including over the Internet. This even works when the
offline debit cards are used outside of the United States,
although it is my understanding that offline debit cards are only
issued in the US.

As an aside, the merchants who have invested in upgrades to their
point-of-sale (POS) equipment to be able to accept traditional
online debit cards have not been pleased to have the offline
version come into the market. The reason is that merchants pay
the same transaction fees for offline debit cards as they do for
credit cards. These fees are much higher than the corresponding
fees for online (PIN-entry) debit cards. On the other hand, the
banks have found offline debit cards to be very profitable.

From a consumer point of view, it can be hard to distinguish
between these two types of payments. In fact, many banks issue
ATM cards that can be used as either an online or offline debit
card. When one of these dual-use cards is presented to a merchant
that can accept either online debit or credit cards, the consumer
gets to decide which type of transaction they would like to make
(according to industry rules). The one obvious advantage that
offline debit cards provide to consumers is that the consumer
does not have to have a good credit rating to get the offline
debit card, just a checking account.

Please understand that I have simplified the above explanation
considerably. As you might suspect, there are just a few "devils
in the details."

Regards...
--
...Chuck Wade
   CommerceNet
   "Setting the business agenda for global electronic commerce"
   +1 508 625-1137  Office Phone/Voice Mail
   +1 309 422-9871  Fax Service
   http://www.Commerce.Net
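
The closed model described in Pete Yeatrakas's message above (private key on the card, public key held in the issuer's account record, no certificate) is shown here in Go. This is an added example, not code from the pilot or from anyone in the thread; the choice of Ed25519, the account and trace numbers, and the field layout are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Issuer maps account number -> registered public key; no certificate exists.
type Issuer map[string]ed25519.PublicKey

// Enroll stands in for issuance: private key to the card, public key on file.
func (i Issuer) Enroll(account string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	i[account] = pub
	return priv
}

// payload is a constructed field layout, not the ISO 8583 or X9.59 encoding.
func payload(account, trace string, cents int64) []byte {
	return []byte(fmt.Sprintf("%q|%q|%d", account, trace, cents))
}

// Sign is the card's side: sign the payment fields with the on-card key.
func Sign(card ed25519.PrivateKey, account, trace string, cents int64) []byte {
	return ed25519.Sign(card, payload(account, trace, cents))
}

// Authorize is the issuer's side: find the key by account number and verify.
func (i Issuer) Authorize(account, trace string, cents int64, sig []byte) error {
	pub, ok := i[account]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, payload(account, trace, cents), sig) {
		return errors.New("signature does not match key on file")
	}
	return nil
}

func main() {
	bank := Issuer{}
	card := bank.Enroll("4000001234") // constructed account number
	sig := Sign(card, "4000001234", "000017", 2599)
	fmt.Println(bank.Authorize("4000001234", "000017", 9999, sig)) // altered amount
}
```

Because the verifier is the same party that holds the account record, the key lookup by account number replaces certificate validation; a signature made by one card is rejected when presented against any other account.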








