scott guthery <[EMAIL PROTECTED]> on 6/8/2003 4:29 pm wrote: Yep, everybody's going to instantly stop doing business on the Internet until they can rent a $150 card reader from a bank that uses the device to block transactions with businesses that won't pay its PIN handling fee and use their network and clearing services.
there seems to be a little exaggeration. none of the finread terminals i've seen come anywhere close to $150/terminal. also, in most cases, the issue is security/integrity proportional to the risk. the specific example quoted in the original posting was a terminal for secure ACH transactions, not something that you currently find being done on the internet. the original posting also gave the example of single-factor "something you have" authentication (as in transit, not requiring two-factor authentication) .... aka internet-payments doesn't necessarily limit things to consideration for only existing consumer/merchant e-commerce operations.

the existing consumer internet based infrastructure is heavily based on the original work that my wife and I were involved with for a payment gateway with a small client/server startup (originally in menlo park, subsequently moved to mountain view and since been bought by AOL):

http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

the current, existing infrastructure is oriented to shared-secrets and single-factor "something you know" authentication that has been heavily exploited for fraud. One case would be to look at the various cost/benefit trade-offs for improving the existing fraud situation (past postings to these mailing lists have it at 30-50 times higher than similar transactions not done on the internet). Also the existing scenario makes little or no attempt at non-repudiation .... it is assumed that the consumer can readily and easily repudiate all internet-originated transactions. Non-repudiation may not be a requirement for internet transactions; something you have and something you know, two-factor authentication may be sufficient.

Presumably, the PIN handling fee refers to the transition from shared-secret based infrastructure (aka PIN) to non-shared-secret digital signature based infrastructure ... where the public key is registered in lieu of the PIN and a digital signature authentication is done in lieu of a PIN comparison. A possible X9.59 cost/benefit then potentially is the possible significantly reduced fraud-related fees to the merchant being significantly larger than the PIN (or digital signature) handling fee.

Somewhat as a total aside .... in the case of the X9.59 standard, the protocol specification is the same regardless of whether or not a token is used. Any requirement for a token becomes a business process assurance issue, not a protocol issue. The requirement for a signing environment that supports intention is also a business process assurance issue, not a protocol issue. It is possible to use the same x9.59 protocol standard across a broad range of varying business process assurance and integrity implementations.

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
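The "public key registered in lieu of the PIN, signature verification in lieu of the PIN comparison" point above, as an added Go example that is not from the post or from the X9.59 standard: the Transaction layout, the account id, the amounts and the Authorize/Scenario names are constructed for illustration, and the issuer's registry holds only public keys, so neither the issuer nor anyone who copies that registry can produce an authorizing signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed stand-in for an X9.59-style payment object; the
// field layout is hypothetical, not the standard's encoding.
type Transaction struct {
	Account string
	Amount  uint64
}

// Digest is what the consumer signs and the issuer verifies; every field is bound.
func (t Transaction) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", t.Account, t.Amount)))
	return h[:]
}

// Authorize is the issuer side: a public key registered per account stands in for the
// PIN, and signature verification for the PIN comparison; the registry holds no secret.
func Authorize(registry map[string]*ecdsa.PublicKey, t Transaction, sig []byte) bool {
	pub, ok := registry[t.Account]
	return ok && ecdsa.VerifyASN1(pub, t.Digest(), sig)
}

// Scenario registers only the consumer's key, then reports whether the issuer accepts
// a valid transaction, the same signature over a tampered amount, and an unregistered key.
func Scenario(consumer, attacker *ecdsa.PrivateKey) (valid, tampered, forged bool, err error) {
	registry := map[string]*ecdsa.PublicKey{"acct-1": &consumer.PublicKey}
	tx := Transaction{Account: "acct-1", Amount: 4200}
	sig, err := ecdsa.SignASN1(rand.Reader, consumer, tx.Digest())   // signed in the consumer's token
	fsig, err2 := ecdsa.SignASN1(rand.Reader, attacker, tx.Digest()) // key the issuer never registered
	if err != nil || err2 != nil {
		return false, false, false, fmt.Errorf("sign: %v %v", err, err2)
	}
	altered := tx
	altered.Amount = 420000 // amount changed in transit, after the consumer signed
	return Authorize(registry, tx, sig), Authorize(registry, altered, sig), Authorize(registry, tx, fsig), nil
}

func main() {
	consumer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println(Scenario(consumer, attacker)) // true false false <nil>
}
```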