RSA Will Offer Tool to Help Build Secure Web Payment Software

RSA Data Security Inc. is planning an announcement today that it says will bring secure Internet payments a giant step closer to reality.

The leader in data encryption technology is releasing a software development package, called a tool kit, for the MasterCard-Visa Secure Electronic Transactions protocol.

Banks, developers of "virtual malls" and merchant sites, and providers of electronic commerce technology could use the kit, known as S/PAY, to replicate the card-acceptance system that exists in conventional retailing.

"The SET protocol is very complex, and without a tool kit to speed development, it could take a lot longer to get these systems into the market," said Ira Machefsky, an analyst at Giga Information Group in Santa Clara, Calif.

Building on its dominance in public key cryptography - the scrambling of messages according to complex formulas so they are useless if intercepted - RSA hopes to set a de facto standard that could boost payment acceptance on the otherwise insecure World Wide Web.

"Time-to-market and interoperability are the main benefits" of an RSA tool kit, Mr. Machefsky said.

RSA contributed to Secure Electronic Transactions implementations already on the market from companies like Verifone Inc. S/PAY has been jointly developed with, or incorporated in cryptographic systems of, Tandem Computers Inc. and its Atalla division, and NEC Corp. of Japan, which gives RSA - and potentially the SET protocol - a big global boost.

Several Internet commerce vendors have licensed S/PAY and will be making individual announcements soon, said Gary Kinghorn, director of product marketing at RSA Data.

The Redwood City, Calif., data security company was acquired last quarter by Security Dynamics Technologies Inc., Bedford, Mass. Mr. Kinghorn said the turnkey nature of S/PAY "changes our business model, putting us more into the product business and taking us worldwide for the first time."

S/PAY is the first such "strong encryption" product to qualify for export, he said. U.S. policies have crimped international marketing of high-level cryptography.

The tool kit has been awaited since the bank card associations and several technology partners - including RSA - issued their SET document in June. Adhering to that specification, S/PAY comes in separate versions for cardholders, merchants, and the banks that acquire, or process, the merchants' transactions.

Each of those parties requires a digital certificate to complete an encrypted credit card transaction; RSA worked closely with a company it spun off, Verisign Inc., on the certification component.

Mr. Kinghorn, who joined RSA a month ago from Tandem, said S/PAY can help software vendors embed SET in cardholder wallets, Internet browsers, or home banking systems; in merchant servers and electronic malls; and in "acquirer gateways," which could include banks.

Pricing is flexible, Mr. Kinghorn said. A developer can buy unlimited rights or pay less for limited implementation, such as in a finite number of consumer wallets or just for testing.

Mr. Machefsky said RSA is in uncharted territory with its price list. He said there may not be much competition, or many buyers. RSA said there are perhaps 100 acquiring-bank prospects worldwide.
