credit card industry 5: Debit Cards
Part 5 - Debit Cards
EVOLUTION OF DEBIT CARDS
The debit card originated as a method for bank customers to have access to their funds through Automatic Teller Machines (ATMs). This was seen as a way for banks to automate their branches and save money, as well as a benefit for customers. A secondary intent was for the card to be used as a method of identification when dealing with a human teller. Although that idea never really caught on, it has seen renewed interest from time to time.
One problem with using cards to access bank accounts is that federal regulations required a signature be used for each withdrawal transaction. After much debate, the concept of a Personal Identification Number (PIN) was invented, and federal regulations were modified to allow PINs for use in place of signatures with bank withdrawals. ATMs also faced many other regulatory difficulties. In many states, for example, there are limitations on the number of branches a bank can have. In a conflict that only a lawyer could conceive of, a ruling was required about whether an ATM constitutes a bank branch or not. Since such rulings were made on a state by state basis, it varies across the country. This results in some very odd arrangements in some states, because of requirements placed on bank branches.
In early attempts, the card actually carried account information and balances. The cardholder would bring the card into a branch, and bank personnel would "load" money onto the card, based on the customer's actual account balance. The cardholder could then use the card at a stand-alone machine that would update the information on the card as money was withdrawn. The information was stored on track 3 of the magnetic stripe, as mentioned in an earlier installment. This approach had many problems. It was far too susceptible to fraud, it could not reasonably handle multiple accounts, and it could not be used as a vehicle for other services. Since it was pretty much limited to withdrawals, it didn't even automate much of the bank branch functions.
The online ATM offered a solution to the problems of the early ATM cards. Since the ATM was connected to the bank's host, it was no longer necessary to maintain account balances on the card itself, which removed a major source of fraud. Also, access to multiple accounts became possible, as did additional services, such as bill payment.
Once banks started buying and installing ATMs, they quickly realized that it is very expensive to maintain a large number of machines. Yet customers began demanding more machines, so they could have easier access to their funds. Since many banks in an area would have ATMs, the obvious solution was to somehow cross-connect bank hosts so that customers could use ATMs at other banks, for convenience. The lawyers struck again. Does a shared ATM count as a branch for both banks? Does a transaction at a shared ATM mean that one bank is doing financial transactions for another, which is not allowed? If two banks share ATMs, but refuse to allow a third bank, is that monopolizing or restraint of trade? Strange restrictions on shared ATM transactions resulted.
Soon interchange standards began to evolve, and ATM networks became a competitive tool. Regional and national networks started to emerge. And the lawyers struck again. If a network allows transactions in one state for a bank in another state, isn't that interstate banking, which was at the time forbidden? Should an ATM network that dominates a region become a regulated monopoly? Should an ATM network that gets really big be considered a public utility?
Today, the regional and national networks continue to grow and offer more services and more interconnections. All of the regulatory issues have not been resolved, and this is creating a lot of tension for easing banking restrictions.
An ATM card is just an ATM card, regardless of how many ATMs it works in. Most banks long ago saw an opportunity for the ATM card to be used as a debit card, presumably to replace checks. A tremendous number of checks are used each year, and it costs banks a lot of money to process them. Debit card transactions could cost less to process, given an appropriate infrastructure. Some of the costs could potentially be passed on to the merchants or the consumers, who are notoriously reluctant to directly pay the cost of checks. So far there have been many trials of using ATM cards as debit cards at the point of sale, but they have, in general, met with consumer apathy. In some areas, where banks have aggressively promoted debit, things have gone better. Still, general acceptance of debit seems a ways off.
One interesting twist to the debit card story, as mentioned earlier, is the emergence of third party debit cards. Issuers of these cards have no real account relationship with the cardholders. Instead, they obtain permission from the cardholders to debit their checking accounts directly through the Automated Clearing Houses (ACHs), the same way checks are cleared. (Think of it as direct deposit, in reverse.) Oil companies first started experimenting with this a couple of years ago, and it has met with surprising success. Banks dislike this concept, because it competes directly with their debit cards, but isn't subject to the same state and federal regulations. ACHs like this, because it bolsters their business, which otherwise stands to lose a lot by acceptance of debit cards. Merchants generally like this, especially the large retailers, because it allows them to get their payment systems out from under the control of the banks.
THE ATM
An ATM is an interesting combination of computer, communication, banking, and security technology all in one box. A typical machine has a microprocessor, usually along the lines of an 8086, a communications module (which may have it's own microprocessor), a security module (also with a microprocessor), and special-purpose controllers for the hardware. The user interface is typically a CRT, a telephone-style keypad, and some soft function keys. Typically there is a lot of memory, but no disk. The screens and program are usually downloaded from the host at initialization, and are stored in battery-backed RAM indefinitely. The machine typically interacts with the host for every transaction, but it can operate offline if necessary, as dictated by the downloaded program. The downloaded program is often in an industry-standard "states and screens" format that was created by Diebold, a manufacturer of various banking equipment, including ATMs.
Most machines can use a few IBM protocols (bisync, SNA, and an outmoded but still used "loop" protocol), Burroughs poll/select, and perhaps some others, depending on which communications module is in place. This allows the manufacturer to make a standard machine, and plug in different communications hardware to suit the customer. The IBM bisync and SNA protocols are most common, with most networks moving toward SNA.
The security modules do all encryption for the ATM. They are separate devices that are physically sealed and cannot be opened or tapped without destroying the data within them. In a truly secure application, no sensitive data entering or leaving the security module is in cleartext. Arranging this and maintaining it is more complicated than I can go into here.
Most ATMs contain two bill dispensers, a "divert" bin for bills, a "capture" bin for cards, a card reader, receipt printer, journal printer, and envelope receptacle. Some ATMs have more than two bill dispensers, and can even dispense coins.
When an ATM is dispensing money, it counts the appropriate bills out of the bill dispensers, and uses a couple of mechanical and optical checks to make sure it counted correctly. If the checks fail, it shunts the bills into the divert bin and tries again. Typically, this is because two bills were stuck together. I've seen ATMs have sensor faults, and divert the total contents of both bill dispensers the first time a user asks for a withdrawal. "Gee, all I did was ask for $50, and this machine made all kinds of funny whirring noises and shut down." Most banks will put twenty-dollar bills in one of the dispensers and five dollar bills in the other. Some use tens and fives, or tens and twenties. Depending on the denominations of the bills, the size of the dispensers, and the policy of the bank, an ATM can hold tens of thousands of dollars.
The journal printer keeps a running log of every use of the machine, and exactly what the machine is doing, for audit purposes. you can often hear it printing as soon as you put your card in or after your transaction is complete.
When you put an envelope into an ATM, the transaction information is usually printed directly on the envelope, so that verifying the deposit is easier. Bank policies typically require that any deposit envelope be opened and verified by two people. In this, you're actually safer depositing cash at an ATM than giving it to a human teller.
A card will be diverted to the capture bin if it is on the "hot card" list, if the user doesn't enter a correct PIN, or if the user walks away and forgets to take the card.
On some machines, the divert bin, capture bin, envelope receptacle, and bill dispenser bins are all separately locked containers, so that restocking can be done by courier services who simply swap bins and return the whole thing to a central site.
The entire ATM is typically housed in a hardened steel case with alarm circuitry built in. These suckers have been known to survive dynamite explosions. The housing typically has a combination lock on the door, and no single person knows the entire combination. The machine can thus be opened for restocking, maintenance, or repair, only if at least two people are present.
DEBIT CARD PROCESSING
Debit card processing is fairly similar to credit and charge card processing, with a few exceptions. First, in the case of ATMs, the accepter and acquirer are usually the same. For debit card use at the point of sale, the usual acquirer-accepter relationship holds. In general, acquirers may do front-end screening on debit cards, but all approvals are generated by the issuer - the floor limit is zero. This makes it possible to eliminate a separate settlement process for debit card transactions, but places additional security and reliability constraints on the "authorization". Often a separate settlement is done anyway.
One problem that has caused difficulties for POS use of debit cards is the use of PINs. Many merchants and cardholders would rather use signature for identity verification. But most debit systems grew out of ATM systems, and require PINs. This is an ironic reversal of the early ATM card days, when people were trying to avoid requiring signature. Other than the PIN, the information required for a debit transaction is the same as that required for a credit transaction.
One last installment on the networks that tie this all together, and the Credit Card 101 course will be complete. There will be no final exam - you will be graded entirely on classroom participation. Most of you are failing miserably...
Joe Ziegler
att!lznv!ziegler