“Card-Present” Transactions From Across The Web? Not Exactly
Written by Frank Hayes

New ideas for keeping E-Commerce payments secure are coming thick and fast—and some of their purveyors are playing just a little fast and loose with the benefit buzzwords. Case in point: On Tuesday (July 26), Jumio announced a service called Netswipe, which lets E-Commerce customers hold payment cards up to their PC’s webcam for processing. The Netswipe software takes over the webcam to scan the card using secure streaming video, decide if the card is real or fake and then extract the card number. The idea is clever. Not so clever is Jumio’s boast that this lets E-tailers do “card-present” transactions remotely.
Card present? That’s certainly the right buzzword to get the attention of big retailers, who know it means lower interchange fees. But what exactly does it mean to have a card-present transaction where the card is only present at the far end of an Internet connection? Answer: Not much.
The term “card present” does still mean something. “It is a card brand term that means the magstripe was read as part of the authorization,” said StorefrontBacktalk PCI Columnist—and QSA—Walt Conway. “Somehow I don’t think my webcam can quite do that yet. The best [Jumio] might be able to claim is equivalent to a key-entered transaction.”
Jumio also calls Netswipe “PCI ready,” although there’s no sign that the PCI Council is ready for remote-payment applications like this. And Jumio’s credibility isn’t helped by its repeated claims on Tuesday about its “patented Netswipe solution”—which is actually a patent-pending process. Only time and the Patent Office will tell whether Netswipe will ever be patented.
Jumio founder Daniel Mattes has been describing Netswipe as “Square without hardware.” The irony is that Square actually can do card-present transactions, because it has hardware to read the magnetic stripe. No hardware? No card-present transactions.
It’s easy to understand why Jumio wants to stretch the meaning of those buzzwords. It’s not the first startup to use a camera to scan payment cards—AisleBuyer and Card.io do that, too—so it’s playing catch-up. And it is nice to see that payment startups are beginning to show an understanding of what will make retailers sit up and take notice.
Now if only they can actually deliver something that will cut interchange rates—that will hold retailers’ attention.
July 29th, 2011 at 10:10 am
I get that the magic words “card present” mean “magstripe was read as part of authorization”, but I have to agree with Jumio that it’s a bit of a misnomer. Whether they actually work or not is still up in the air, but Jumio’s algorithms make some solid efforts to verify that you’ve got a real card in your hand — in other words, making sure that you have a card present at the time of transaction.
Please correct me if I’m wrong, but this appears to be what sets Jumio apart from the likes of AisleBuyer and Card.io which both appear to be little more than front-ends for Tesseract or the like.
As with any new technology, backers have raised visual swipe as the holy grail of Internet-based payment processing. No greppable cardholder data ever passes through the customer system and at least in Jumio’s case, you have some assurance that the system will only work with real cards as opposed to photocopies. This is all well and good, but there’s one little detail that everyone in the market seems to be forgetting: webcam spying and exploit software has been available in the wild for years. Webcam spying is no longer the stuff of science fiction and tinfoil hats. Remember the Lower Merion School District? Personally, I have never purchased a computer with a built-in webcam and the day that is no longer an option is the day I invest heavily in masking tape. The last thing I’m going to do with a webcam is offer it sensitive data willingly.
At the end of the day, this new technology brings me a couple thoughts:
First, it’s great that we’re looking for new and innovative ways to prevent the theft of cardholder data. Moving away from plaintext formats is one interesting way to help. However, we as an industry need to be very careful so as not to fall into traps, especially ten-year-old, squeaky, rusty traps.
Secondly, why in the world are we still using embossed physical tokens to store cardholder data? Does anyone else find it strange that taking a picture of a piece of embossed plastic is considered a major security enhancement over existing systems? Come on folks, it’s time to go back to the well and start thinking about completely new ways of managing sensitive data.
July 29th, 2011 at 4:15 pm
I agree Frank. The term “Card Present” is probably creating a million eyeballs looking at their product. It’s an interesting product but I’m not ready to put my card in front of a camera yet. Plus, I’d like to see the real beef on the focus group. There are a lot of numbers missing like # of participants, total transactions, time frame, estimated margin error rate etc.
July 29th, 2011 at 5:49 pm
You both make great points.
This will never be considered for card present/mag stripe rates.
The whole point of swiping the card is to prevent fraud. Which is why interchange is better on “swiped” transactions.
There is even technology out that can tell if a “magnetic stripe” is real or has been fraudulently duplicated.
I don’t see this as being a more secure way to process transactions.
It’s a lot easier to recreate an image of a card than the mag stripe contents.
Unless they are verifying ID (which can also be fraudulent) this really adds no security value over existing mag stripe processing.
I would also be leery of the storage of images of the card and cardholder and ID on a server that can be hacked.
I haven’t looked further than this article, this is just an off-hand observation from someone who works in the industry.
I agree that they are using great terms to attract business, they just need to get it right.
August 2nd, 2011 at 7:46 am
I don’t know if this has been covered but Home Depot have been employing desktop cameras at their self-serve and customer service desk to record transactions.
August 3rd, 2011 at 12:08 pm
Consumers demand ease of payment and high security at the same time. Unfortunately the two do not always go hand in hand. We would all love to pay by simply holding a card in front of a webcam, but what if that card is stolen or misplaced? The last thing any of us want is to become victims of fraud.
I think Jumio is trying to appeal to both shoppers and retailers at the same time. However a closer look at what they offer reveals that neither the customer nor an online store would be likely to take on the risks involved.
Online payments can surely be made easier but not many would want to compromise on security in order to do so.