“Card-Present” Transactions From Across The Web? Not Exactly

Written by Frank Hayes
July 27th, 2011

New ideas for keeping E-Commerce payments secure are coming thick and fast—and some of their purveyors are playing just a little fast and loose with the benefit buzzwords. Case in point: On Tuesday (July 26), Jumio announced a service called Netswipe, which lets E-Commerce customers hold payment cards up to their PC’s webcam for processing. The Netswipe software takes over the webcam to scan the card using secure streaming video, decide if the card is real or fake and then extract the card number. The idea is clever. Not so clever is Jumio’s boast that this lets E-tailers do “card-present” transactions remotely.

Card present? That’s certainly the right buzzword to get the attention of big retailers, who know it means lower interchange fees. But what exactly does it mean to have a card-present transaction where the card is only present at the far end of an Internet connection? Answer: Not much.

The term “card present” does still mean something. “It is a card brand term that means the magstripe was read as part of the authorization,” said StorefrontBacktalk PCI Columnist—and QSA—Walt Conway. “Somehow I don’t think my webcam can quite do that yet. The best [Jumio] might be able to claim is equivalent to a key-entered transaction.”

Jumio also calls Netswipe “PCI ready,” although there’s no sign that the PCI Council is ready for remote-payment applications like this. And Jumio’s credibility isn’t helped by its repeated claims on Tuesday about its “patented Netswipe solution”—which is actually a patent-pending process. Only time and the Patent Office will tell whether Netswipe will ever be patented.

Jumio founder Daniel Mattes has been describing Netswipe as “Square without hardware.” The irony is that Square actually can do card-present transactions, because it has hardware to read the magnetic stripe. No hardware? No card-present transactions.

It’s easy to understand why Jumio wants to stretch the meaning of those buzzwords. It’s not the first startup to use a camera to scan payment cards—AisleBuyer and do that, too—so it’s playing catch up. And it is nice to see that payment startups are beginning to show an understanding of what will make retailers sit up and take notice.

Now if only they can actually deliver something that will cut interchange rates—that will hold retailers’ attention.


5 Comments | Read “Card-Present” Transactions From Across The Web? Not Exactly

  1. Randy C. Will Says:

    I get that the magic words “card present” mean “magstripe was read as part of authorization”, but I have to agree with Jumio that it’s a bit of a misnomer. Whether they actually work or not is still up in the air, but Jumio’s algorithms make some solid efforts to verify that you’ve got a real card in your hand — in other words, making sure that you have a card present at the time of transaction.

    Please correct me if I’m wrong, but this appears to be what sets Jumio apart from the likes of AisleBuyer and which both appear to be little more than front-ends for Tesseract or the like.

    As with any new technology, backers have raised visual swipe as the holy grail of Internet-based payment processing. No greppable cardholder data ever passes through the customer system and at least in Jumio’s case, you have some assurance that the system will only work with real cards as opposed to photocopies. This is all well and good, but there’s one little detail that everyone in the market seems to be forgetting: webcam spying and exploit software has been available in the wild for years. Webcam spying is no longer the stuff of science fiction and tinfoil hats. Remember the Lower Merton School District? Personally, I have never purchased a computer with a built-in webcam and the day that is no longer an option is the day I invest heavily in masking tape. The last thing I’m going to do with a webcam is offer it sensitive data willingly.

    At the end of the day, this new technology brings me a couple thoughts:

    First, it’s great that we’re looking for new and innovative ways to prevent the theft of cardholder data. Moving away from plaintext formats is one interesting way to help. However, we as an industry need to be very careful so as not to fall into traps, especially ten year old, squeaky, rusty traps.

    Secondly, why in the world are we still using embossed physical tokens to store cardholder data? Does anyone else find it strange that taking a picture of a piece of embossed plastic is considered a major security enhancement over existing systems? Come on folks, it’s time to go back to the well and start thinking about completely new ways of managing sensitive data.

  2. Christine at 3D Merchant Says:

    I agree Frank. The term “Card Present” is probably creating a million eyeballs looking at their product. It’s an interesting product but I’m not ready to put my card in front of a camera yet. Plus, I’d like to see the real beef on the focus group. There are a lot of numbers missing like # of participants, total transactions, time frame, estimated margin error rate etc.

  3. Dave Says:

    You both make great points

    This will never be considered for card present/mag stripe rates.

    The whole point of swiping the card is to prevent fraud. Which is why interchange is better on “swiped” transactions.

    There is even technology out that can tell if a “magnetic stripe” is real or has been fraudulently duplicated.

    I don’t see this as being a more secure way to process transactions.

    It’s a lot easier to recreate an image of a card than the mag stripe contents.

    Unless they are verifying ID (which can also be fraudulent) this really adds no security value over exsiting mag stripe processing.

    I would also be leary of the storage of images of the card and cardholder and ID on a server that can be hacked.

    I haven’t looked further than this article, this is just an off-hand observation from someone who works in the industry.

    I agree that they are using great terms to attract business, they just need to get it right.

  4. ed Says:

    I don’t know if this has been covered but Home Depot have been employing desktop cameras at their self-serve and customer service desk to record transactions.

  5. Says:

    Consumers demand ease of payment and high security at the same time. Unfortunately the two do not always go hand in hand. We would all love to pay by simply holding a card in front of a webcam, but what if that card is stolen or misplaced? The last thing any of us want is to become victims of fraud.

    I think Jumio is trying to appeal to both shoppers and retailers at the same time. However a closer look at what they offer reveals that neither the customer nor an online store would be likely to take on the risks involved.

    Online payments can surely be made easier but not many would want to compromise on security in order to do so.”


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.