Steve Dieringer comments on my Online Debit on the Internet posting from yesterday:
SSL/PIN is acceptable for online banking because the bank provides the URL to use, e.g., http://www.bankone.com.
Using SSL to connect to some unknown merchant is a WHOLE different story! There are already bogus merchants who set up shop just to skim card info (typically ‘baiting the hook’ with unbelievably good prices on software). So collecting name, address, phone number, card number, expiration date and CVV value is pretty easy; collecting a PIN would be a piece of cake. And once the bad guys have your PIN they can do soooo much damage!
So we need a scheme that assures the PIN is kept secure by end-to-end encryption. Which means a token (CD or smart card) or secure device. All of these have drawbacks at the moment. Sony is working on USB devices, aren't they? A keyfob USB device might have promise if cost can be brought down.
Keeping PINs out of the hands of merchants is an important requirement of any solution here — but it seems that at least one such solution already exists. There’s not any substantive difference between a Verified by Visa password and an online debit card PIN, is there? VbV’s online authentication of a cardholder takes place via a secure SSL session initiated by the merchant between the cardholder’s browser and the card issuer’s server — yet without any merchant visibility to the cardholder’s secret information.
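To make that last point concrete, here is an added, simplified model (my own example code, not Visa's VbV protocol and not from either post) in which the merchant only redirects the browser to the issuer and later checks an issuer-signed result, while the password travels from the browser to the issuer only. It assumes an HMAC key shared between issuer and merchant for verifying results, standing in for the real scheme's signing arrangement, and the card number, salt and password are constructed sample values.

```python
import hmac, hashlib, json, secrets

# Constructed sample data (hypothetical values, not real cardholder data).
ISSUER_MERCHANT_KEY = b"issuer-to-merchant-result-key"  # assumed shared verification key
_SALT = b"demo-salt"
ENROLLED = {"4111111111111111": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

def _sign(body):
    """Issuer MAC over the canonical JSON of the result body."""
    return hmac.new(ISSUER_MERCHANT_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

class Merchant:
    """Merchant side: starts a transaction, then verifies the issuer's signed result.
    It never handles the cardholder's password at any step."""
    def __init__(self):
        self.pending = {}          # txid -> amount awaiting an authentication result
        self.seen_fields = set()   # every field name the merchant ever receives

    def start(self, amount):
        txid = secrets.token_hex(8)
        self.pending[txid] = amount
        # The browser is redirected to the issuer carrying only transaction data.
        return {"txid": txid, "amount": amount}

    def verify(self, result):
        self.seen_fields.update(result)
        body = {k: v for k, v in result.items() if k != "mac"}
        mac = result.get("mac")
        if not (mac and hmac.compare_digest(mac, _sign(body))):
            return False  # forged or tampered result: MAC does not check out
        # Accept once only: popping the txid also defeats replay of an old result.
        return body["status"] == "Y" and self.pending.pop(body["txid"], None) == body["amount"]

def issuer_authenticate(redirect, pan, password):
    """Issuer side: the browser posts the password here over the issuer's own TLS session."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    ok = pan in ENROLLED and hmac.compare_digest(ENROLLED[pan], digest)
    body = {"txid": redirect["txid"], "amount": redirect["amount"], "status": "Y" if ok else "N"}
    return {**body, "mac": _sign(body)}

def checkout(merchant, pan, password, amount):
    """Full flow: merchant redirect -> issuer authentication -> merchant verification."""
    redirect = merchant.start(amount)
    result = issuer_authenticate(redirect, pan, password)
    return merchant.verify(result)
```

The merchant's `seen_fields` set shows what a skimming merchant could capture in this design: transaction data and a yes/no result, never the secret.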