NEWS ANALYSIS: Despite Accord, Hard Work Ahead On Security Standard for

MasterCard and Visa still have some distance to travel before fully delivering on the agreement they proclaimed Thursday on a standard for electronic payment security.

The announcement of their accord brought a sigh of relief from the high-tech companies developing secure methods for transferring funds over the Internet and other open computer networks. Many such efforts had been on hold, awaiting a technical baseline analogous to the bank card associations' point of sale standards.

But though they have apparently resolved the differences that set back their timetable by at least five months, MasterCard and Visa have not completed the all-important documentation.

Even when the publication comes out - association officials said it would be on their World Wide Web sites in a couple of weeks - it will be subject to comments and revisions. And that doesn't count the hard system development and public education work that lies ahead to convince consumers the Internet is safe for their cards.

Still, the bank card and Internet commerce communities are generally convinced that the technical specifications are finally on track after months of public wrangling and behind-the-scenes haggling between the opposing camps. (See related article on page 16.)

With Microsoft Corp. working closely with Visa, and Microsoft rivals Netscape and IBM among MasterCard's allies, the rhetoric seemed more typical of computer industry rivalries, which can get far more combative than anything bankers know.

But card association officials claimed the controversy was blown out of proportion, even after Visa broke ranks last September and unilaterally published an 81-page specification document.

Edward J. Hogan, MasterCard International's senior vice president and Internet point man, said this week that media reports "characterized (the split) incorrectly and didn't accurately reflect the work we were doing."

The project team, relying heavily on data encryption and related technologies from affiliates of California-based RSA Data Security Inc., honored a code of silence even as reports swirled alleging deep divisions. Mr. Hogan said the specification agreement was publicized ahead of its publication to preempt further speculation.

Richard M. Lonergan, executive vice president-point of transaction at Visa International, conceded, "There is certainly more work to do. But there is not a lot of conflict."

The executives said software testing would begin in the second quarter, but commercial offerings from banks won't be on the market before the fourth quarter.

Mr. Hogan hailed the "reconvergence on a single standard (that) was always our objective." He said the new protocol, titled Secure Electronic Transactions, or SET, "takes the best of the previous specs" that the two groups had begun on their own.

He estimated that SET would run "hundreds of pages," longer than either MasterCard's SEPP (Secure Electronic Payment Protocol) or the Visa-Microsoft STT (Secure Transaction Technology). But he said, "We are further along now than we would have been" because SET addresses "issues we would have had to deal with a year from now if we stayed on the earlier course."

"This is a giant step in the direction of electronic commerce and toward making payments as safe in a cybermall as in a real mall," said Mr. Lonergan.

Well aware that he and Mr. Hogan made similarly sanguine statements last June 23, when MasterCard and Visa announced their initial agreement to develop a joint security protocol, Mr. Lonergan added, "There is no real chance this will fall apart."

"Even if the specifications are only 80% there, I think we can expect the rest will be done within a month or two," said Magdalena Yesil, vice president of Cybercash Inc., which has developed a card payment system for the Internet and worked closely with MasterCard on the SEPP program.

"For a company like ours, this is a very exciting development," Ms. Yesil added. "For the last six months, there has been a lot of focus on how the Internet may not be safe for financial transactions. Now we can begin to get beyond that and focus on the real problem, which is making shopping over the Internet attractive to the consumer."

Roger Bertman, vice president of the credit card terminal maker Verifone Inc. and general manager of its Internet commerce division, said the MasterCard-Visa project is unlikely to come unglued this time.

"I am close to individuals on both sides who have been working on this, and they are extremely serious about making this happen," Mr. Bertman said.

He called the agreement "pivotal and positive for the enabling of Internet commerce," putting the entire bank card industry on a common path with respect to cryptography, digital signatures, certification authorities, privacy of financial information, and other necessary components.

Officials of companies in the security project (see box) praised the card groups for pushing toward a conclusion. "This is a genuine agreement, and we're pleased to see Visa is more interested in an open standard than in the past," said Netscape product manager Jeff Treuhaft.

Visa and Microsoft denied they had ever opposed openness. But Mark Greene, vice president of electronic commerce at IBM, called SET "stronger than STT." Unlike the latter, he said, it incorporates the X.509 digital certificate standard "and there is nothing proprietary about that."

"This is a happy conclusion - to the first phase," Mr. Greene said.

"This has important symbolism to it," said Keith Coughey, the top bank card executive at PNC Bank Corp. "But I don't expect to see my outstandings go up as soon as this standard is posted on the Net.

"This is important for the long term."
