Vendors Ready - and Waiting - for E-Commerce

Bankers struggling to make headway on the information highway can take heart: They have achieved celebrity status in at least one outside community.

It is the data security industry, much of which gathered in San Francisco two weeks ago for a conference sponsored by one of their leaders, RSA Data Security Inc.

Some of the proceedings sounded distinctly like cheerleading - for the banks, their credit card networks, and any related entities that could give electronic commerce a boost.

Providers of data encryption and other systems for securing electronic messages and payments know too well that their products won't sell until there is commercial demand. And without the payment infrastructure that banks are capable of providing to the Internet and other portions of cyberspace, sellers can't easily collect from buyers.

If the RSA conference was any indication, these chicken-and-egg equations are still far from being sorted out. Solutions to security problems abound, thanks to companies like RSA and its numerous strategic partners. Payment facilities are barely into their infancy.

But the 1,200 attendees - noticeable among a smattering of bankers were 16 registrants from Citibank and 13 from Wells Fargo Bank - generated an infectious air of optimism and enthusiasm. If it could be packaged and spread around, Internet payments might already be as common as checks.

***

Basking in the glow of the conference's success was RSA Data Security's president and chief executive, Jim Bidzos.

RSA started the series four years ago as an educational exercise. It attracted 50 people at a time when the science of message-encoding based on public key cryptography was of more interest in military and academic circles than in business.

By 1995, the attendance had grown tenfold; this year it more than doubled, putting a strain on Mr. Bidzos' 50-employee organization that is based in the Redwood City technology enclave south of San Francisco.

Mr. Bidzos joked that RSA had become a conference company with a sidelight in data encryption.

"We've all been surprised by the interest," Mr. Bidzos said, noting that he had to turn people away because the Fairmont Hotel and its meeting rooms were overtaxed. "But the content of this conference is much bigger than encryption.

"This may be one of the best places to get a peek at the future of the Internet - at what it will look like in one to three years."

***

The three-year horizon will require patience among those steeped in the fast-moving Internet culture, but several experts agreed that electronic commerce will grow in evolutionary phases.

"Instant gratification is why Net commerce will take off," said Alan Schiffman, chief technical officer of Terisa Systems Inc., an Internet security provider that RSA co-founded last year with Verifone Inc.'s Enterprise Integration Technologies unit. "If I want something, I can have it - now."

But with MasterCard and Visa taking months longer than expected to produce a joint protocol for on-line payment messages - they finally announced their Secure Electronic Transactions agreement Thursday (see page 1) - Mr. Schiffman and his cohorts had to cool their heels.

Mr. Schiffman was one of many data security experts with a pipeline into the card associations' negotiations who had anticipated the resolution. It is now viewed as more of a beginning than an end.

"It will make people feel better," Mr. Schiffman said. "But I don't expect to see anything major happening on the Net in the next two months. Eighteen months from now, people will be using these systems in a big way."

***

MasterCard and Visa were represented on one of the conference panel discussions, but the speakers honored the confidentiality of the Internet security negotiations that had not yet reached a conclusion.

John Gould, MasterCard's vice president for electronic commerce, acknowledged that security is the "biggest problem" facing on-line commerce. He said MasterCard intends to become a certificate authority, one of the "trusted parties" that would technologically authenticate merchants and cardholders on the Internet's World Wide Web - or help MasterCard member banks do the same.

"MasterCard sees the Internet as having more impact on the way we live, communicate, shop, etc., even than the advent of television," Mr. Gould said. But he added that large-scale electronic commerce "will be slow" in coming.

His Visa counterpart, vice president William Powar, said the Internet must have "things people want to buy" and "sites they want to visit" to become a mass market. Consumers will initially be attracted by information and entertainment, he predicted, and business-to-business transactions will burgeon "before we see a significant volume of consumer transactions."

Mr. Powar said the uproar over payment protocols was ironic in light of the fact that "there is less risk on the Net than there is in giving your credit card to a waiter for five minutes."

Roger Bertman, general manager of Verifone's electronic commerce division, said "transactions will (eventually) be more secure than in the physical merchant space today." But "there is no Internet payments infrastructure," he said, adding, "Payment is not a core business for the Internet server and browser vendors."

***

James Barksdale, president and chief executive of Netscape Communications Corp., the quintessential browser vendor and a well- publicized target of computer hackers, described security as "the critical component."

While hailing the Internet as "the platform for the next economic shift," he said, "We cannot exist if the mass market cannot be convinced it is secure, and rightly so."

He added, "Security is to the Internet as safety is to the commercial airline business ... People are convinced flying is safe, but we still have tragedies like the recent crash in Colombia of the newest and most technologically advanced airliner, the Boeing 757."

***

Mr. Bidzos of RSA said he was encouraged by the prestige and quality of the organizations behind the on-line payment protocol.

"The infrastructure is being built by companies like Visa and MasterCard, Microsoft and IBM - brand names people trust and recognize," he said.

"Secure payment protocols will go live in 1996," said Stratton Sclavos, president and chief executive of Verisign Inc., a digital authentication systems company that RSA spun off last year. "It will take some time for a hard-goods model (of Internet commerce) to develop. But information commerce is here to stay and will be mainstream in 1996."

Mr. Sclavos said his marketing sights are on "the thousands of banks looking at how they will exist after 2000 as brick and mortar becomes less important." He is touting encryption and authentication not just for message security, but as relationship-enhancers. Digital certificates can embody the functions of passwords and access controls, but in a more "transparent" and user-friendly form than those that complicate present-day transactions.

The "killer app" this year, Mr. Sclavos said, will be secure electronic mail. RSA and other vendors have agreed on a secure E-mail protocol and Verisign plans a digital certification offering in the second quarter that can also accommodate funds transfers.

***

The RSA conference has become a showcase for technology innovations by the sponsor and its strategic partners. RSA itself announced the latest version of its Bsafe "cryptography engine" for software vendors. It also unveiled a "Genuine RSA" logo that Mr. Bidzos said could become the "Intel Inside" of data security, an imprimatur that companies like Netscape can add to their packaging and screens.

Organizations weighing in with new security developments and alliances ranged from payments entrepreneurs like Cybercash Inc. and Net1 Inc. to heavyweights like Digital Equipment, GTE, and IBM.

Their outward unity on basic security principles doesn't deter the healthy and sometimes raucous debates that pervade so many corners of the computer industry.

For example, Virtual Open Network Environment Corp. unveiled a secure transaction mechanism called SmartGate and simultaneously promoted a pet idea for inter-system compatibility called "security middleware."

Between the lines, the Rockville, Md., company, better known as V-One, was taking a swipe at Netscape's approach to standards and striking a blow for "vendor neutrality."

Chief scientist Marcus Ranum, regarded as the creator of the Internet security barriers known as firewalls, said a "middleware layer" can accelerate on-line commerce by making it unnecessary to "reinvent the security wheel for each new application."

"We're providing a growth path for smart cards and public key certificates," Mr. Ranum said. "We're a security company. We're not trying to write browsers."

Among V-One's demos was a security program for Citibank's personal computer service. Mr. Ranum said SmartGate allows banks to "go after a closed customer community with open technology."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER