Part 5 - Debit Cards
EVOLUTION OF DEBIT CARDS
--------- -- ----- -----
The debit card originated as a method for bank customers to have access
to their funds through Automatic Teller Machines (ATMs). This was seen
as a way for banks to automate their branches and save money, as well
as a benefit for customers. A secondary intent was for the card to be
used as a method of identification when dealing with a human teller.
Although that idea never really caught on, it has seen renewed interest
from time to time.
One problem with using cards to access bank accounts is that federal
regulations required a signature be used for each withdrawal transac-
tion. After much debate, the concept of a Personal Identification Num-
ber (PIN) was invented, and federal regulations were modified to allow
PINs for use in place of signatures with bank withdrawals. ATMs also
faced many other regulatory difficulties. In many states, for example,
there are limitations on the number of branches a bank can have. In a
conflict that only a lawyer could conceive of, a ruling was required
about whether an ATM constitutes a bank branch or not. Since such rul-
ings were made on a state by state basis, it varies across the country.
This results in some very odd arrangements in some states, because of
requirements placed on bank branches.
In early attempts, the card actually carried account information and
balances. The cardholder would bring the card into a branch, and bank
personnel would "load" money onto the card, based on the customer's ac-
tual account balance. The cardholder could then use the card at a
stand-alone machine that would update the information on the card as
money was withdrawn. The information was stored on track 3 of the mag-
netic stripe, as mentioned in an earlier installment. This approach
had many problems. It was far too susceptible to fraud, it could not
reasonably handle multiple accounts, and it could not be used as a ve-
hicle for other services. Since it was pretty much limited to with-
drawals, it didn't even automate much of the bank branch functions.
The online ATM offered a solution to the problems of the early ATM
cards. Since the ATM was connected to the bank's host, it was no
longer necessary to maintain account balances on the card itself, which
removed a major source of fraud. Also, access to multiple accounts be-
came possible, as did additional services, such as bill payment.
Once banks started buying and installing ATMs, they quickly realized
that it is very expensive to maintain a large number of machines. Yet
customers began demanding more machines, so they could have easier ac-
cess to their funds. Since many banks in an area would have ATMs, the
obvious solution was to somehow cross-connect bank hosts so that cus-
tomers could use ATMs at other banks, for convenience. The lawyers
struck again. Does a shared ATM count as a branch for both banks? Does
a transaction at a shared ATM mean that one bank is doing financial
transactions for another, which is not allowed? If two banks share
ATMs, but refuse to allow a third bank, is that monopolizing or re-
straint of trade? Strange restrictions on shared ATM transactions re-
sulted.
Soon interchange standards began to evolve, and ATM networks became a
competitive tool. Regional and national networks started to emerge.
And the lawyers struck again. If a network allows transactions in one
state for a bank in another state, isn't that interstate banking, which
was at the time forbidden? Should an ATM network that dominates a re-
gion become a regulated monopoly? Should an ATM network that gets re-
ally big be considered a public utility?
Today, the regional and national networks continue to grow and offer
more services and more interconnections. All of the regulatory issues
have not been resolved, and this is creating a lot of tension for eas-
ing banking restrictions.
An ATM card is just an ATM card, regardless of how many ATMs it works
in. Most banks long ago saw an opportunity for the ATM card to be used
as a debit card, presumably to replace checks. A tremendous number of
checks are used each year, and it costs banks a lot of money to process
them. Debit card transactions could cost less to process, given an ap-
propriate infrastructure. Some of the costs could potentially be
passed on to the merchants or the consumers, who are notoriously reluc-
tant to directly pay the cost of checks. So far there have been many
trials of using ATM cards as debit cards at the point of sale, but they
have, in general, met with consumer apathy. In some areas, where banks
have aggressively promoted debit, things have gone better. Still, gen-
eral acceptance of debit seems a ways off.
One interesting twist to the debit card story, as mentioned earlier, is
the emergence of third party debit cards. Issuers of these cards have
no real account relationship with the cardholders. Instead, they ob-
tain permission from the cardholders to debit their checking accounts
directly through the Automated Clearing Houses (ACHs), the same way
checks are cleared. (Think of it as direct deposit, in reverse.) Oil
companies first started experimenting with this a couple of years ago,
and it has met with surprising success. Banks dislike this concept,
because it competes directly with their debit cards, but isn't subject
to the same state and federal regulations. ACHs like this, because it
bolsters their business, which otherwise stands to lose a lot by
acceptance of debit cards. Merchants generally like this, especially
the large retailers, because it allows them to get their payment sys-
tems out from under the control of the banks.
THE ATM
--- ---
An ATM is an interesting combination of computer, communication, bank-
ing, and security technology all in one box. A typical machine has a
microprocessor, usually along the lines of an 8086, a communications
module (which may have it's own microprocessor), a security module
(also with a microprocessor), and special-purpose controllers for the
hardware. The user interface is typically a CRT, a telephone-style
keypad, and some soft function keys. Typically there is a lot of
memory, but no disk. The screens and program are usually downloaded
from the host at initialization, and are stored in battery-backed RAM
indefinitely. The machine typically interacts with the host for every
transaction, but it can operate offline if necessary, as dictated by
the downloaded program. The downloaded program is often in an
industry-standard "states and screens" format that was created by
Diebold, a manufacturer of various banking equipment, including ATMs.
Most machines can use a few IBM protocols (bisync, SNA, and an outmoded
but still used "loop" protocol), Burroughs poll/select, and perhaps
some others, depending on which communications module is in place.
This allows the manufacturer to make a standard machine, and plug in
different communications hardware to suit the customer. The IBM bisync
and SNA protocols are most common, with most networks moving toward
SNA.
The security modules do all encryption for the ATM. They are separate
devices that are physically sealed and cannot be opened or tapped with-
out destroying the data within them. In a truly secure application, no
sensitive data entering or leaving the security module is in cleartext.
Arranging this and maintaining it is more complicated than I can go
into here.
Most ATMs contain two bill dispensers, a "divert" bin for bills, a
"capture" bin for cards, a card reader, receipt printer, journal
printer, and envelope receptacle. Some ATMs have more than two bill
dispensers, and can even dispense coins.
When an ATM is dispensing money, it counts the appropriate bills out of
the bill dispensers, and uses a couple of mechanical and optical checks
to make sure it counted correctly. If the checks fail, it shunts the
bills into the divert bin and tries again. Typically, this is because
two bills were stuck together. I've seen ATMs have sensor faults, and
divert the total contents of both bill dispensers the first time a user
asks for a withdrawal. "Gee, all I did was ask for $50, and this ma-
chine made all kinds of funny whirring noises and shut down." Most
banks will put twenty-dollar bills in one of the dispensers and five
dollar bills in the other. Some use tens and fives, or tens and twen-
ties. Depending on the denominations of the bills, the size of the
dispensers, and the policy of the bank, an ATM can hold tens of thou-
sands of dollars.
The journal printer keeps a running log of every use of the machine,
and exactly what the machine is doing, for audit purposes. you can of-
ten hear it printing as soon as you put your card in or after your
transaction is complete.
When you put an envelope into an ATM, the transaction information is
usually printed directly on the envelope, so that verifying the deposit
is easier. Bank policies typically require that any deposit envelope
be opened and verified by two people. In this, you're actually safer
depositing cash at an ATM than giving it to a human teller.
A card will be diverted to the capture bin if it is on the "hot card"
list, if the user doesn't enter a correct PIN, or if the user walks
away and forgets to take the card.
On some machines, the divert bin, capture bin, envelope receptacle, and
bill dispenser bins are all separately locked containers, so that re-
stocking can be done by courier services who simply swap bins and re-
turn the whole thing to a central site.
The entire ATM is typically housed in a hardened steel case with alarm
circuitry built in. These suckers have been known to survive dynamite
explosions. The housing typically has a combination lock on the door,
and no single person knows the entire combination. The machine can
thus be opened for restocking, maintenance, or repair, only if at least
two people are present.
DEBIT CARD PROCESSING
----- ---- ----------
Debit card processing is fairly similar to credit and charge card pro-
cessing, with a few exceptions. First, in the case of ATMs, the ac-
cepter and acquirer are usually the same. For debit card use at the
point of sale, the usual acquirer-accepter relationship holds. In gen-
eral, acquirers may do front-end screening on debit cards, but all ap-
provals are generated by the issuer - the floor limit is zero. This
makes it possible to eliminate a separate settlement process for debit
card transactions, but places additional security and reliability con-
straints on the "authorization". Often a separate settlement is done
anyway.
One problem that has caused difficulties for POS use of debit cards is
the use of PINs. Many merchants and cardholders would rather use sig-
nature for identity verification. But most debit systems grew out of
ATM systems, and require PINs. This is an ironic reversal of the early
ATM card days, when people were trying to avoid requiring signature.
Other than the PIN, the information required for a debit transaction is
the same as that required for a credit transaction.
One last installment on the networks that tie this all together, and
the Credit Card 101 course will be complete. There will be no final
exam - you will be graded entirely on classroom participation. Most of
you are failing miserably...
Joe Ziegler
att!lznv!ziegler