Card Technology: Associations Plan Joint Internet Security Standard

Suppressing their competitive instincts for yet another matter of mutual concern, MasterCard and Visa have agreed to produce a joint security standard for transactions over the Internet and other personal computer networks.+

Their decision to cooperate, announced last week, came seven months after Visa began working with Microsoft Corp. on what it called Secure Transaction Technology, and five months after MasterCard entered a similar alliance with Netscape Communications Corp.

The card associations' leaders had been saying for months that their separate efforts would likely converge in this way for the benefit of their owner-members in the banking community.

"If there was any concern in the industry that MasterCard and Visa were going in different directions, this announcement should put it to rest," said Richard M. Lonergan, executive vice president of Visa International's point of transaction group.

The associations expect to publish specifications in September and to begin using them with card transactions on the Internet by early next year.

Mr. Lonergan and his counterpart at MasterCard International, senior vice president Edward J. Hogan, stressed that their common desire for transaction security and reliability would not diminish - and could actually enhance - competition between the two brands and among their thousands of card-issuing banks.

The bank card groups, among other corporate entities, anticipate an explosion of buying and selling over the Internet and interactive networks like America Online and Compuserve.

The lack of security is widely believed to be inhibiting electronic commerce. Mr. Hogan said "significant roadblocks are eliminated with this announcement."

"MasterCard and Visa have agreed to support one standard specification for electronic transactions on open networks," Mr. Hogan said in a conference call with journalists. "We are creating a set of standards that many vendors would implement."

Several startup companies - notably Cybercash Inc., Digicash Corp., First Virtual Holdings, and Open Market Inc. - are selling commerce systems complete with payment methods designed to overcome the security shortcomings of public computer networks. (See article on page 20.)

Most rely on data encryption, the use of complex mathematical formulas to scramble the account numbers and other sensitive data in transmission. The intended recipient has a key to decipher the code.

The MasterCard-Visa standard will be based on encryption products of RSA Data Security Inc. of Redwood City, Calif., a leader in the field.

Visa hooked up with Microsoft, the world-leading software company, and MasterCard with Netscape, provider of a popular "web browser" and other software for the Internet, to pave the way for bank cards to be accepted without fear of security or privacy breaches. Both efforts used RSA technology.

Those projects will continue, but with assurance that the resulting software - and that of any other vendor or system connecting buyers and sellers on the Internet - will be interoperable, Mr. Hogan said.

MasterCard and Visa are giving on-line transaction security the status accorded card encoding or terminal design: They put competition aside to agree on technical standards, which set a baseline or foundation for marketing innovations.

Visa, MasterCard, and MasterCard's European affiliate Europay have similarly collaborated on smart card specifications.

The chip card project typified the industry's "rich history of setting standards," said MasterCard president H. Eugene Lockhart. "It's exciting that we will do the same in the dynamic environment of the Internet. Our objective is to ensure that every transaction, no matter what type it is and no matter where it occurs, is processed quickly, securely, and reliably."

If these standards work like those for point of sale terminals, they could also facilitate American Express and Discover transactions.

"The standard is open and they will be able to embrace it," Mr. Hogan said.

American Express Co. issued a statement that it "welcomes any opportunity" that improves cardmembers' "access to new and valuable services." It remains to be seen whether MasterCard and Visa accomplish that goal, Amex said, suggesting they "invite broad industry participation."

MasterCard and Visa also will "welcome statements of support" Mr. Lonergan said, from on-line service providers and payment processing aspirants. But the associations intend to keep their technical working group small and efficient.

MasterCard and Visa received a formal endorsement from First Virtual. The San Diego-based company built a credit card payment system that relies on a private electronic mail network to circumvent Internet security problems.

First Virtual chief executive officer Lee Stein called the MasterCard- Visa proposal "a great achievement (that) will eliminate a great deal of controversy."

First Virtual had assumed an effective encryption infrastructure would take years to materialize, but it stands ready to incorporate the new standard. Chief scientist Nathaniel Borenstein said MasterCard and Visa could be taking "the first solid step in developing credible cryptographic standards" for the Internet, but he warned it still "may take some time."

Magdalena Yesil, vice president of marketing at Cybercash, called the initiative "very positive." She said "implementers" like Cybercash need strong, trusted "standards-setters" like the card groups.

Their collaboration will focus on bank card payments and preserving the two brand identities. It will not extend to "micropayments" of as little as a few cents that don't fit traditional bank card economics.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER