myPINpad brings the same security as Chip and PIN to online retail
If you’re anything like me you detest 3D Secure checkouts on mobile sites – having a Barclay’s debit card the incarnation I’m often faced with is Verified by Visa and it’s awful. Mastercard SecureCode is just as bad from a consumer perspective.
What’s wrong with 3D Secure?
It shouldn’t be that hard, apart from the fact that I can never remember my password. I got lazy and every time I was presented with Verified by Visa I just clicked the forgotten password link and set a new password but then it’d never let me reuse a password. Eventually I resorted to typing in a random string accepting that I’d have to do the same every time it popped up.
Retailers don’t particularly like 3D Secure either – it’s just yet another reason for consumers to abandon checkout and leave a basket of goods languishing in hyperspace. That’s why many turn off 3D Secure for lower value items. That however leaves them open to fraud – no 3D Secure means no protection from the card issuer, which is why currently it’s a necessary evil.
Why can’t we use Chip and PIN on the Internet?
Now myPINpad asks the question “Why can’t we use Chip and PIN on the Internet?”. Of course in face to face transactions at least in the UK (the US has a long way to catch up) Chip and PIN is ubiquitous. Retailers are covered and it’s more secure then magnetic stripes which keeps card issuers happy.
The technical bits
The premise behind myPINpad is that the user can enter their PIN number on their mobile or other internet connected device. Key to entering the PIN securely into the users device is the ability to completely bypass or ‘fool’ the various system buffers and memory including the screen and keyboard buffers. They totally randomise the PIN input through a process that presents an alternative keypad to the user every time. The device and ALL buffers/memory are then totally convinced a different number to the real PIN was entered by the user.
Consumers enter their PIN into their on-line device using myPINpad obfuscating PIN pad software. Neither the customers PIN nor their financial data is stored on the device as it all happens in the cloud.
The obfuscated PIN is sent securely and separately to a secure PCI environment and only once Within a hardware security module is the obfuscated PIN transformed into the customer’s actual PIN which then enters the payments system. From that point onwards a standard POS message is sent to the issuer for approval.
What it means for online retailers
myPINpad aim to give retailers the ability to accept online orders with the same protection as Chip and PIN. It’s that simple. For consumers, when myPINpad is used it will remove the need to remember anything other than their normal card PIN number – no more complicated passwords which will inevitably be forgotten by the time they face their next 3D Secure checkout.
If it makes online retail easier with less friction and importantly offers just as much security to the retailer as an in person Chip and PIN transaction then I’m all in favour.
myPINpad are on target to have their first UK deployment in place some time in the early Autumn of 2015.
as much as they claim to obfuscate it, they dont point out where the corners are cut, or the bits they forgot.
add to that your pin is associated to your bank account on someone elses server which you have no control over.
even if this all works out well in the end for myPINpad, how long before someone clones it, or genuine companies copy the model with less care over the phone keypads access to your data?
i have no issue with 3d secure – forgetting your password isnt the fault of the technology. if you remember your password then 3d secure works fine.
having all of 12 seconds to think about this, all a hacker has to do is take a screenshot silently, at the same time as recording the screen presses, then the randomised keypad is completely pointless.
James – thanks for raising your concerns, we have already considered the points you raised, and our technology, while not described fully in the article, resolve those challenges. If you would like to discuss this further we are happy to answers any questions here http://mypinpad.com/contact-us/
“Now myPINpad asks the question “Why can’t we use Chip and PIN on the Internet?”.”
It may be sort of using PIN, but it isn’t using Chip at all, is it?
John – thank you also for your input. As you rightly point out, myPINpad technology does not use Chip, just PIN technology. The title is a little misleading, but if you would like to ask any other questions please direct them to http://mypinpad.com/contact-us/