ETA Expert Insights: Mobile Phones and ATMs — Teaching an Old Dog New Tricks
By ETA Technology Committee Members
- Michael Gray, GM Payment Networks, Netspend
- Jim Leroux, President, PIN4
- Richard Witkowski, CEO North America, PIN4
The ATM has been a tried-and-true banking solution for many years, recently celebrating its 50th anniversary. Despite the age of ATMs, global use remains strong, with approximately 3.2 million ATMs deployed and nearly 100 billion ATM withdrawal transactions worldwide each year. Even so, in certain more mature markets such as the U.S. and parts of Europe and Asia, ATM withdrawal transactions have begun to level off and even decline slightly.
New technologies, however, provide the opportunity to teach this old dog some new tricks by enabling innovative new types of ATM transactions beyond typical bank or prepaid account withdrawals. One example of this is Pin4, which combines the functionality of the ubiquitous mobile phone with the existing ATM network to provide consumers with real-time 24x7x365 mobile cardless ATM cash access under the brands Mastercard Cash Pick-Up in the U.S., Pin4 Cash in the U.K. and HalCash in Spain. The Pin4 solution is patented in 13 countries and enables real-time cardless cash access and cash disbursements to consumers for purposes such as disaster and financial relief, domestic and cross-border P2P transfers, emergency cash for lost cards, promotions/incentives fulfilment, digital account withdrawals, consumer loans, payroll and more. One of the many benefits of this solution is its ability to provide convenient real-time payments to, and cash access for, unbanked and underbanked consumers who may otherwise not be able to conduct ATM transactions because they do not have a credit/debit card or bank account.
HOW IT WORKS
For enhanced security, the Pin4 solution generates and uses random one-time use credentials for each transaction. Thus, there is no static account number and associated static PIN for fraudsters to use to compromise an underlying financial account. Pin4 delivers the first set of credentials to the order recipient’s mobile phone via SMS text message. The entity initiating the order (the “Sending Entity”) separately provides the recipient with a four-digit secret code/PIN which can be changed for each transaction. The order recipient then takes these credentials to any participating ATM and inputs the credentials into the ATM using the ATM keypad. After the recipient inputs all of these credentials into the ATM, the ATM passes the credentials to Pin4 for validation. Upon validation of the credentials, Pin4 instructs the ATM to disburse the cash.
As mentioned above, for security purposes, the Pin4 solution uses randomly generated credentials. Specifically, the text message sent by Pin4 to the order recipient contains a four-digit order number randomly generated by Pin4. The Pin4 solution also uses a patented two-factor authentication process by requiring the recipient to input a four-digit secret code/PIN. The secret code/PIN is intentionally arranged and shared separately between the Sending Entity and the recipient and can be set by the Sending Entity specifically for each individual order. In all cases, both the order number and the secret code must be input into the ATM by the recipient and authenticated by Pin4 before any funds are disbursed. Pin4 will also block any order after a number of incorrect attempts.
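The credential check described above (random order number, separately shared secret code, one-time use, blocking after repeated failures), as an added Python example that is not Pin4's code. The `Order` class, the function names and `MAX_ATTEMPTS = 3` are assumptions made for illustration; how an ATM request is matched to a stored order is out of scope here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumption: the article only says "a number of incorrect attempts"

def _digest(salt: bytes, code: str) -> bytes:
    # A four-digit code has only 10,000 values, so hashing just avoids storing it
    # in the clear; the attempt counter below is what actually limits guessing.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

@dataclass
class Order:
    order_number: str   # random, delivered to the recipient by SMS
    salt: bytes
    code_hash: bytes    # secret code is shared separately by the Sending Entity
    failures: int = 0
    state: str = "open"  # open -> redeemed | blocked

def create_order(secret_code: str) -> Order:
    if not (len(secret_code) == 4 and secret_code.isascii() and secret_code.isdigit()):
        raise ValueError("secret code must be four digits")
    salt = secrets.token_bytes(16)
    # secrets draws from the OS CSPRNG, so the order number is not predictable
    number = f"{secrets.randbelow(10_000):04d}"
    return Order(number, salt, _digest(salt, secret_code))

def redeem(order: Order, order_number: str, secret_code: str) -> str:
    """Return 'dispense', 'denied' or 'blocked' for one attempt at the ATM."""
    if order.state != "open":
        # One-time use: a redeemed or blocked order never pays out again
        return "blocked" if order.state == "blocked" else "denied"
    # Check both factors before deciding, so the reply does not show which was wrong
    number_ok = hmac.compare_digest(order.order_number.encode(), order_number.encode())
    code_ok = hmac.compare_digest(order.code_hash, _digest(order.salt, secret_code))
    if number_ok and code_ok:
        order.state = "redeemed"
        return "dispense"
    order.failures += 1
    if order.failures >= MAX_ATTEMPTS:
        order.state = "blocked"
        return "blocked"
    return "denied"
```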
The Pin4 solution transaction flow and two-factor authentication process are illustrated in the diagram below:
As additional security measures, access to the Pin4 system APIs by Sending Entities and ATM partners is secured using TLS 1.2 and an OAuth 2.0 token authentication and entitlement mechanism that restricts API access to entities authorized to access the system. Order messages also carry a signed SHA-256 hash to guarantee message integrity and the identity of the Sending Entity. Pin4, the Sending Entities and the ATM partners exchange server certificates (public keys) for sensitive data exchanges, and sensitive data is encrypted as well.
KEY TAKEAWAYS
In addition to the security aspects discussed above, there are several other important aspects of this process:
- Immediate Cash Access. The order recipient can access their cash within seconds after Pin4 receives the order from the Sending Entity, thus providing immediate gratification and avoiding any delays associated with sending checks or prepaid cards through the mail or waiting for funds to be made available in their bank account.
- No Card or Bank Account Needed. The order recipient does not need to have or use any credit/debit/prepaid card, bank account, mobile app or even a smartphone to be able to access their cash. The recipient only needs to be able to receive a text message on a standard mobile phone. This is a fundamental innovation in the utility of ATMs as it allows ATM transactions to be decoupled from any associated cards or bank accounts. This enables entirely new categories and types of transactions to be conducted at ATMs and, in particular, expands financial inclusion by enabling the convenient disbursement of funds to unbanked or underbanked consumers.
TRANSACTION PARTICIPANTS
In addition to Pin4, there are four additional participants in a transaction: the Sending Entity, the Issuing Bank, the ATM Partners and the Clearing Entity.
The Sending Entities have the direct relationships with the order recipients (and, for a P2P transaction, the order senders). As such, the Sending Entities are responsible for complying with any applicable know-your-customer (KYC) requirements for the order recipients (and senders, if any). Since the Pin4 solution is particularly useful in digital and mobile customer relationships, many Sending Entities leverage digital identity verification services such as Jumio or Onfido to efficiently satisfy any KYC requirements.
The Issuing Bank approves and sets up a prefunded bank account for its Sending Entities. This prefunded bank account is used to settle the orders disbursed on behalf of each Sending Entity. In addition, in the Mastercard settlement model, the Issuing Bank creates a virtual debit card corresponding to each order created (discussed in more detail below). To protect the security of each Sending Entity bank account, the Issuing Banks provide Pin4 with PAN tokens which are used by Pin4 in lieu of the actual PANs when processing each order.
The ATM Partners own the ATMs and are responsible for disbursing orders to the recipients when approved by Pin4. The Pin4 solution works on any ATM from any ATM manufacturer. The ATM can connect directly to Pin4’s ATM API via a split dial, or it can connect to Pin4 through its existing ATM processor/switch. The ATM software requires a modest update to display the ATM screens which prompt the order recipient to input their Pin4 order credentials. All communications between Pin4 and the ATMs/ATM processor are secured and, where appropriate, encrypted as described above.
The settlement between the Sending Entities and ATM Partners for disbursed orders uses two different models depending on the country. Outside the U.S., Pin4 designates one of its Issuing Banks as the Clearing Entity responsible for aggregating the funds for disbursed orders from participating Sending Entities and other Issuing Banks each day and remitting these funds to the appropriate ATM partners. In the U.S., Pin4 partners with Mastercard to settle for disbursed orders each day over the Mastercard rails. This process involves the Issuing Banks creating a one-time use virtual Mastercard debit card for each order and providing Pin4 with a token representing each virtual card. Then, when the order recipient inputs the correct credentials into the ATM and these are authenticated by Pin4, Pin4 uses the appropriate token to retrieve the virtual card from the Issuing Bank and transmits it to the ATM. The ATM processes the virtual card just as if a physical plastic card were being used at the ATM. Thus, the virtual card is processed, authorized and settled between the applicable Issuing Bank and ATM Partner via the Mastercard rails just like a card-based ATM withdrawal.
PROGRAM MANAGEMENT
One of the advantages of the Pin4 solution is that the Sending Entity has real-time visibility into, and control over, its orders. This is because the Pin4 system is updated in real-time as orders are created, redeemed, expired or cancelled. For fraud and regulatory compliance purposes, the Issuing Banks and Sending Entities can also set various controls such as order size limits, aggregate order limits, order velocity limits and more. These controls can be customized for each specific Sending Entity program or campaign.
SAMPLE PROGRAMS
The Pin4 solution has been operating in Spain for over 10 years and has disbursed millions of orders representing the equivalent of hundreds of millions of dollars. As mentioned above, the Pin4 solution is also now live in the U.S. and the U.K. with additional countries in process. Some sample programs include:
- Text to Win (UK): In the UK, a promotions company is working with leading brands to include “text to win” codes on packages of chips, bread, candy and more. The consumer texts the code from the product package to the promotions company and, if the consumer is a winner, the promotions company uses Pin4 Cash to instantly deliver the cash prize to the consumer.
- Hurricane Relief (US): In the US, a non-profit organization is using Cash Pick-Up to deliver cash to individuals in the New Orleans area displaced by hurricanes. The individuals are able to use the cash to purchase food, gasoline and other necessities.
- Caritas Charitable Relief (Spain): In Spain, Caritas, the charitable arm of the Catholic church, is using HalCash to distribute financial relief to individuals and families suffering financial distress due to the COVID crisis.
- Domestic P2P Remittances (US): In the U.S., a cross-border remittance company is using Cash Pick-Up to enable payouts of domestic US P2P transfers. The orders are originated through the company’s U.S. agent locations but are paid out at ATMs using Cash Pick-Up.
- Cardless Account Withdrawals (UK): In the UK, many credit union members do not have ATM cards to use for withdrawals. With Pin4 Cash, these credit union members can use their mobile phones to make cardless withdrawals at any participating ATM.
- Online Gaming Payouts (Spain): In Spain, several large online gaming companies allow their customers to make cardless withdrawals from their gaming accounts using HalCash.
CONCLUSION
With 3.2 million ATMs and approximately 5 billion mobile phone users around the world, there are significant opportunities to leverage these assets to provide businesses and consumers with innovative new ways to send and receive cash beyond the typical card-based consumer ATM withdrawal. Cardless technologies like Pin4 can also provide meaningful new transactions and revenues to the ATM ecosystem. While this old dog has been a loyal and reliable partner for the last 50 years, the ATM now has something new to bark about.