FEATURES

Thinking Through Web Payments
by Timothy Haight
The logjam is starting to break. At press time, vendors and industry analysts
expected the two credit card powerhouses, Visa and MasterCard, to overcome
their differences, support a common secure electronic credit card payment
system, probably in February, and complete a specification as early as March.
Vendors such as Microsoft, Netscape and CyberCash, in turn, are expected
to offer software support by summer, and widespread electronic credit card
purchase services on the World Wide Web should appear later this year, as
soon as merchants and banks can roll them out.
For some observers, this is none too soon. Last October, industry analysts
at Forrester Research wrote, "The lack of secure transactions is holding
back the Internet." Industry observers expressed concern about Web
sites only being secure enough for offering information and advertising.
Others, however, including vendors such as First Virtual and CyberCash,
argued that secure technology is available now and that the issue is when
users will buy with confidence.
The situation is complex, easily confusing, but ultimately comprehensible.
It boils down to a series of steps, each leading to a new level of security,
or a new secure commercial activity, on the Internet, for which a rough
time frame now can be known. We will trace those developments here. At each
point, a key question is what standards will be needed to make widespread
deployment possible.
The Big Picture
Roughly, the evolution has already begun with de facto standards for public
key encryption and secure communications channels.
Vendors are adding services such as authentication, digital signatures,
nonrepudiation and certification, and some of these are expected to receive
widespread industry support. Others will fight it out in the marketplace.
(For a primer on these technologies, see "Once Over Lightly,"
on page 90.)
The secure services, in turn, make a wide variety of new commercial applications
available to the Web and electronic mail. Electronic forms of checks and
cash will join electronic credit card payments. While some of these raise
legal and policy questions because of their anonymity, others provide auditable
trails that largely avoid those issues.
Some Electronic Data Interchange (EDI) traffic is already moving to the
Internet, chiefly because of much lower transmission costs than are available
on the private and value-added networks that now carry most EDI traffic.
However, vendors and analysts are beginning to see an interesting interface
between EDI and systems similar to electronic credit card purchasing that
could allow many more merchants than now use EDI to reap its benefits.
The Specifics
"Our technologies are the de facto standard for
virtually all electronic commerce on the Internet," says RSA Data Systems'
director of technology marketing Kurt Stammberger. "Virtually all systems
for electronic transactions, EDI or credit card approval are based on RSA."
Few analysts dispute Stammberger's sweeping statement. Netscape Communications,
which makes about 70 percent of today's Web browsers, uses RSA encryption
in its Secure Sockets Layer (SSL) technology to secure communications between
clients and servers. Last spring, most major browser vendors agreed to support
both SSL and a complementary security technology, the Secure HyperText Transfer
Protocol (S-HTTP).
Microsoft is shepherding another channel security protocol, the Private
Communication Technology (PCT) Protocol, through the Internet Engineering
Task Force standards process, but a Microsoft spokesperson says it is completely
backward compatible with SSL.
As a result, "you've got encryption as a fundamental layer today, and
authentication is coming down the pike," says Iang Jeon, senior analyst
for money and technologies at Forrester. SSL also provides authentication--the
process of "signing" a message and guaranteeing it came from its
signer.
Above the Channel
"All the questions are in the applications
layer," says Dave Crocker, a principal at Brandenburg Consulting. "Beyond
the channels are the questions of what participants there are, and lastly
what trust services are needed."
The application with the most apparent momentum today is secure credit card
payment. Until last fall, the major credit card associations, Visa International
and MasterCard International, were working on a common system. This fall,
however, Visa and Microsoft announced Secure Transaction Technology (STT),
while MasterCard, Netscape, IBM, CyberCash and GTE presented the competing
Secure Electronic Payments Protocol (SEPP).
At press time, the supporters of each protocol had their individual timetables
for deployment. A MasterCard spokesperson says SEPP will be tested this
winter, after which they will revise and publish it. Software written to
the specification should be available during the summer, she says. STT's
schedule is similar. A Microsoft spokesperson says the plan is to have STT
in place on the Visa system and software available to consumers by July.
"Internet Explorer 2.0 will have it," he says, "and software
will be available for other browsers to incorporate."
Representatives for companies in both camps confirm, however, that the two
are actively engaged in discussions to unify the technologies. Barring unforeseen
points of disagreement, an announcement of a joint effort should come this
winter, perhaps as early as February. "My personal feeling is that
Visa and MasterCard will come out with a joint protocol, and that will be
very good for the industry," says Magdalena Yesil, CyberCash's marketing
and technology industries vice president.
Not everybody believes the credit card associations will meet their timetables,
however. "When was the last time you saw bug-free software in the first
release?" says Forrester's Jeon. "And the longest lead time is
for the business policies and procedures to be put into place, people to
be trained and actual account-based programs to be rolled out."
Safer Than Credit Cards
"The real promise of the new electronic
payment systems is that you can have higher security than what you have
today," Jeon says. "They can actually reduce fraud." The
key technology making this possible is a certification system, which is
part of both SEPP and STT. Depending on its level of stringency, certification
guarantees that the necessary encryption and authentication keys were securely
distributed to their users. Conventional credit card names and numbers,
by contrast, are exposed in virtually every transaction, the physical credit
card being the only certificate.
More security can mean lower costs to banks, which can mean lower charges
to merchants and even consumers. "We will be incorporating the industrywide
standard into our software not because it will give us additional security,
but because using the approved protocols of the credit card associations
will result in favorable discount rates and other services, and we want
our users to take advantage of that," CyberCash's Yesil says.
The question is how fast customers will feel secure with the new systems.
"It's as much trust as technology," says Carl Howe, product manager
for World Wide Web services for Internet access provider BBN Planet. "Some
of the issues with commerce are as much marketing problems as they are technical
problems."
Howe says that vendors, and perhaps banks, will offer users guarantees against
any fraud resulting from their electronic transactions. CyberCash's Yesil
concurs. "Ultimately, what consumers want is someone not just to authenticate
but to guarantee the transaction. As 1996 rolls out, you will see programs
like that from CyberCash and its partners."
Electronic Checks
Several banks and other corporations are exploring
methods of using electronic checks. CyberCash and Checkfree have announced
an agreement to produce jointly instruments using both electronic checks
and electronic cash in the future. The Financial Services Technology Consortium,
a group of major banks, computer and communications vendors and nonprofit
institutions, is also in the middle of an electronic check project.
BBN's Howe says that his company, a member of the Consortium, has already
carried out a demonstration project for the FSTC.
"An electronic check
can be something as simple as an e-mail message that has attached to it
a signature and some certificates," he says. "The neat thing about
it is that, once you create the new front-end stuff, nothing changes on
the back end. It's still a check, and it still clears through the Automated
Clearing House."
Howe says the new system provides cost savings and functionality improvements
for customers and banks using the existing infrastructure. "The driver
for this is not the consumer, but the banks, who have an opportunity to
clear checks in a universal way without putting in any more infrastructure,
to reduce fraud and to achieve huge cost savings." He says the FSTC
will run a pilot project this summer, with widespread availability in 1997.
Electronic Cash
Amsterdam-based DigiCash and the Mark Twain Bank of St. Louis, Mo., have
announced that the bank has begun accepting applications for electronic cash
accounts. The system works like this: the user asks the bank, over the
Internet, to transfer an amount from an account into electronic cash. The
cash--in multiples of five cents, each unit with an encrypted serial
number--is transferred to the user's hard drive. The user can then
transfer the cash, even anonymously, to any merchant that accepts it over
the Internet. The merchant returns the cash to the bank for payment in non-electronic
cash. To date, DigiCash has been conducting experiments with artificial
cash, and about 20 vendors, mostly small, have begun accepting payment in
actual, U.S.-denominated e-cash.
The idea of anonymous e-cash flowing over a global Internet has raised issues
of international funds transfer, tax avoidance, money laundering and unauthorized
creation of money, however. Analysts are unsure how quickly, if ever, anonymous
e-cash will evolve. Forrester's Jeon adds that "there are now some issues about
whether e-cash is scalable and workable in a widespread fashion."
EDI: Migration and More
EDI vendor Premenos has been offering its
Templar software for secure EDI transmission over the Internet since May
1995. Its president and CEO, Dan Federman, says the company currently is
measuring EDI volume on the Internet by the number of large companies it
is signing up for Templar. As of October, 22 major companies that deal with
an average of 500 other firms each, had moved their EDI business to the
Internet with Templar. "Companies can save 80 percent of what they're
currently spending on network charges by using the Internet," Federman
says. "Flat-rate Internet pricing can also allow you to double or quadruple
your volume at no added charge."
Jerry Michalski, managing editor of technology newsletter Release 1.0, says:
"Shifting EDI to the Internet is a very natural move. It saves the
extraordinary cost of going over value-added networks (VANs). Premenos is
doing a great job there, and Sterling is catching up. As companies get this,
they will see that it costs a lot less to get a small vendor connected to
the Internet than an X.25 connection to a VAN." Sterling Software now
provides an Internet e-mail gateway from its CONNECT:Network VAN. It is
exploring more Internet EDI offerings.
Michalski also sees a new role for EDI on the Web. "The interface between
EDI and general electronic purchasing is interesting," he says. "EDI
isn't flexible. You can't do custom orders. If EDI could become flexible
and lightweight enough to operate in the general purchasing market, it could
open EDI to a lot more transactions."
CyberCash's Yesil sees the opportunity. "We will scale up to EDI,"
she says. "CyberCash technology, its security and payment aspect, has
been used for EDI. We're not particularly going after the EDI market. We'll
work with people like Premenos, if they feel it's appropriate to put our
technology in an EDI environment. Nothing is announced yet."
Premenos, for its part, has announced the "concept" of Web EDI.
"We did the same when we announced Templar," CEO Federman says.
"Product details will follow this year, perhaps before July. This will
be a way to get EDI spreading rapidly through the business community."
What to Do?
Release 1.0's Michalski has this advice for corporations
considering electronic commerce: "If you're a catalog operation, and
your business is to put products in front of customers, explore it now and
get to work. If you're a rust-belt industrial firm or some other kind of
sales or service organization, spend your time wondering how the Internet
changes your relationships with your stakeholders and customers. Instead
of looking at how to make money, look below the line. Look at reducing costs
of services and at improving the relationship between you and your customer
base."
Timothy Haight can be reached at thaight@nwc.com.
Once Over Lightly: What Technologies Make Electronic Commerce Work?
The processes involved in a secure Web-based credit card transaction include
most of the elements necessary for several other kinds of electronic commerce,
such as EDI. It's a question of reassembling the building blocks and connecting
them to existing systems and institutions.
As the figure on this page shows, a secure electronic credit card purchase
can consist of a series of one-to-one transactions between the customer,
the vendor and a merchant bank. These transactions take place within the
context of a wider set of relationships (see figure on the next page), which
provide payment, further authorization and certification.
When the customer pays the merchant for a product by sending credit card
information, several technologies may come into play. A technology like the
Secure Sockets Layer, which is built into Netscape browsers and servers, will
make the customer/vendor communications channel (for example, the message
stream going over the Internet) secure. A private key will further encrypt
the payment message itself, and a certified copy of the customer's public
key will accompany the message.
Public key cryptography, such as that offered by RSA Systems, uses public/private
pairs of keys to encrypt and decrypt messages. If the public key of the
pair encrypts a message, only the private key can decrypt it. Vice versa,
only the public key can decrypt a message encrypted by the private key.
Such cryptography also provides authentication--a guarantee that a message
came from the sender who signed it--because if the public key decrypts it,
the corresponding private key must have encrypted it. The system breaks
down, however, if public/private key pairs are fraudulently acquired. Secure
key distribution is therefore necessary.
In small networks, some direct contact of the parties can handle secure
key distribution outside the Internet. This is usually the case with EDI,
for example. However, when the number of keys that need to be distributed
becomes large, such as one for every user's credit card, certification becomes
necessary. Customers contact a certification authority and receive a certificate.
How rigorous a registration process the certification authority requires
before furnishing a certificate depends on how much risk the customer will
ask trading partners to take. The certificate provides a further layer of
encryption. It is decrypted and authenticated as certified by another public
key that is sent in a separate channel to an authorizing party, such as
a bank.
In the figure, for example, the customer pays the merchant with an encrypted
message, accompanied by a public key and a certificate. The merchant forwards
information to its bank, which forwards information to the bank that issued
the customer the credit card. The bank has a public key for the certificate.
It also determines whether enough money is available for the transaction.
If it passes both tests, payment is authorized. Various encryption/decryption
processes along the line further secure the transaction. Sometimes, authorization
tasks can be delegated to other parties in the system, so the authorization
doesn't have to involve every party every time. However, at electronic speeds,
many parties can be involved quickly.
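The sidebar's two properties of public key pairs (whatever one key encrypts, only the other decrypts, which is what makes a signature verifiable) and the issuing bank's two-step check in the figure (first trust the certificate through a certification authority's key obtained over a separate channel, then check that the certified key signed this exact payment message) can be traced end to end in code. The following is an added worked example, not code from the article or from any of the vendors it names. It uses textbook RSA on small primes found by trial division inside the script; the customer id, merchant name, amounts and the prime starting points are all constructed for illustration, there is no padding and no certificate format, so it shows the flow and the checks but is not a usable payment scheme.

```python
# Added worked example (not from the article): textbook RSA signing,
# encryption and a toy certificate check. Primes are tiny and there is no
# padding, so this illustrates the flow only and is NOT a usable scheme.
import hashlib
import json
from math import gcd, isqrt


def is_prime(n):
    """Trial division; cheap for the million-scale primes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, isqrt(n) + 1))


def next_prime(start):
    n = start
    while not is_prime(n):
        n += 1
    return n


def make_keypair(p_start, q_start, e=65537):
    """Return ((e, n), (d, n)); p_start and q_start are constructed seeds."""
    p, q = next_prime(p_start), next_prime(q_start)
    while gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi
        q = next_prime(q + 1)
    phi = (p - 1) * (q - 1)
    return (e, p * q), (pow(e, -1, phi), p * q)


def digest(obj, n):
    """Canonical JSON -> SHA-256 -> integer below the modulus."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, obj):          # the private key "encrypts" the digest
    d, n = private
    return pow(digest(obj, n), d, n)


def verify(public, obj, sig):    # the public key "decrypts" it back
    e, n = public
    return pow(sig, e, n) == digest(obj, n)


def encrypt(public, m):          # the public key encrypts a small integer
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be below the modulus")
    return pow(m, e, n)


def decrypt(private, c):         # only the private key recovers it
    d, n = private
    return pow(c, d, n)


def issue_certificate(ca_private, subject, subject_public):
    """The certification authority binds a name to a public key."""
    body = {"subject": subject, "public_key": list(subject_public)}
    return {"body": body, "ca_signature": sign(ca_private, body)}


def check_payment(ca_public, message, certificate, signature):
    """The issuing bank's two tests: is the certificate from the CA whose key
    arrived out of band, and did the certified key sign this exact message?"""
    if not verify(ca_public, certificate["body"], certificate["ca_signature"]):
        return "certificate not issued by the trusted CA"
    holder_public = tuple(certificate["body"]["public_key"])
    if not verify(holder_public, message, signature):
        return "signature does not match certificate holder or message"
    return "authorized"


def demo():
    ca_public, ca_private = make_keypair(3_000_000, 4_000_000)       # issuer
    cust_public, cust_private = make_keypair(1_000_000, 2_000_000)   # customer
    cert = issue_certificate(ca_private, "customer-0001", cust_public)
    payment = {"merchant": "example-shop", "amount_cents": 1999, "order": 42}
    sig = sign(cust_private, payment)
    results = {"good": check_payment(ca_public, payment, cert, sig)}

    # A changed amount no longer matches the signature the customer produced.
    tampered = dict(payment, amount_cents=199900)
    results["tampered"] = check_payment(ca_public, tampered, cert, sig)

    # A certificate from an unrelated key pair fails the CA test, so its
    # holder's signature is never even consulted.
    other_public, other_private = make_keypair(5_000_000, 6_000_000)
    other_cert = issue_certificate(other_private, "customer-0001", other_public)
    results["untrusted_cert"] = check_payment(
        ca_public, payment, other_cert, sign(other_private, payment))

    # Confidentiality: only the holder of the private key recovers the value.
    results["roundtrip"] = decrypt(cust_private, encrypt(cust_public, 123456789))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `ca_public` argument to `check_payment` stands for the key the sidebar says travels in a separate channel: its trustworthiness rests on that out-of-band distribution, not on anything in the message. Real certificate systems add validity periods, revocation and a standard encoding, none of which this toy models.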
These major elements--channel security, authentication and certification--can
be applied to other kinds of commerce, such as certifying and authenticating
EDI messages for placing orders, guaranteeing shipment and receiving
products.
February 13, 1996