Frustration abounds in the tight community that views the Internet as the next great banking and payments frontier. These advocates are convinced that the requisite security measures are within reach, if not already in place, to make financial transactions as safe in cyberspace as they are in the physical world. Yet consumers and probably many traditionalists and risk managers within the banking industry aren't ready to take the experts' assurances. The high-tech proponents have data encryption, digital signatures, and firewalls in their arsenal, but the public holds the real power over their ability to succeed. Which puts the onus on the technology providers to get their message out. "Security is the No. 1 reason given by people saying why they don't use the Internet more ahead of bandwidth and usability," said Mark Greene, an International Business Machines Corp. vice president who is part of a recently created Internet division. "I would say that by the end of 1996, there will be no remaining security obstacles to widespread use of the Net for transactions," Mr. Greene said in an interview. "But we're far away from resolving the security perception problem." "Security is king," said Roger Bertman, vice president and general manager of Verifone Inc.'s Internet commerce division. "The security obsession is good," added Mr. Bertman, who like the IBM officials and many other security and payment-system luminaries gathered in San Francisco last month for a conference sponsored by RSA Data Security Inc., the leader in commercial data encryption technology. "Transactions will be more secure than they are in the physical merchant space today," Mr. Bertman said. He conceded there is still a critical need for an Internet payments infrastructure, but RSA Data Security, Verifone's Enterprise Integration Technologies unit, the bank credit card associations, and a host of others are working feverishly to put the necessary pieces together. "Thousands of banks are looking at how they will continue to exist after 2000 as brick-and-mortar becomes less important to them," said Stratton Sclavos, president and chief executive of Verisign Inc., a digital authentication company that RSA Data Security spun off last year. "The most forward-thinking banks are looking at RSA public key (encryption) technology." "I'm anxious to get out of the spec wars," said Mr. Sclavos, referring to the protracted negotiations between MasterCard and Visa on the secure payments protocol. "Once a standard is in place, communications will really take off." "The fact is, there is less risk on the Net than in a restaurant when you give your credit card to a waiter for five minutes," said William Powar, vice president of Visa International. The bank card industry, Mr. Powar and others pointed out, has spent more than 20 years building the confidence that results in cardholders' surrendering possession to waiters and reading account numbers over the telephone. "Cardholders have confidence because they know their liability is limited" in case of loss, theft, or fraud, said IBM security technology specialist Kathy Kincaid. That perception has yet to carry over into on- line systems. Mr. Powar noted that ever since a burst of counterfeiting around 1980, the bank card industry has taken a succession of actions designed always to keep it ahead of the next big crime wave. "The one thing we didn't have to deal with over those years, but do now, is public scrutiny." Speaking at the RSA conference, SRI International principal scientist Peter Neumann said given reports of computer security compromises against Netscape and Citibank, among others, it is legitimate to ask whether the Internet "can handle really critical digital commerce, and not just penny- ante stuff." The controversy over payment protocols with Visa and Microsoft in one corner, and MasterCard, IBM, GTE, and Netscape Communications in the other also didn't help the payment industry's confidence-building. But MasterCard and Visa officials said their differences were blown out of proportion in media reports, and Mr. Greene at IBM said the strength and effectiveness of the underlying technologies were never in question. In any event, Internet commerce is barely off the ground, and security deficiencies may not be the only reason. Encryption is routinely built into Web browsers and other applications, yet the Internet is still some distance away from becoming the electronic bazaar that many futurists foresee. "Security is necessary but not sufficient for electronic commerce," said Jay Weber, director of Web products at Enterprise Integration Technologies and co-developer of the Website secure publishing and payment system with O'Reilly & Associates of Sebastopol, Calif. "We are at an early stage, but this is not about lack of technology," he said. "The raw materials are here." Given the rapid pace of technological change and perhaps high levels of impatience "we may dealing with an expectations issue," said Mr. Greene of IBM. "Plastic cards are subject to ANSI (American National Standards Institute) protocols. To put it in perspective, it took us 20 years to get them in the physical world." "The Net is inherently insecure," said Frank Trotter, vice president of Mark Twain Bancshares in Missouri, the first U.S. bank to test Ecash. (See page 4A) "Technical firms adapted to it in a minute, but the marketing- savvy people took longer to get to accepting payments. 'Malls' will emerge that bring the technical and creative sides together, and then the technical side can explain that the security is there." Mr. Powar said he sees commercial activity carrying Internet commerce through its early stages, and consumers would follow in due course. Jay M. Tenenbaum, founder of EIT, which helped create CommerceNet and which Verifone acquired last year, predicted 1997 will be the year Internet payments reach a broad scale. "There is no doubt in my mind that Net commerce will take off," said Alan Schiffman, chief technical officer of Terisa Systems, an Internet security company formed last year by RSA and Verifone's EIT. "Net commerce allows the buyer to 'have it now,' and that means I can't lose," Mr. Schiffman said. He recalled that a decade ago, mail and telephone transactions were discouraged by high, risk-based pricing by MasterCard and Visa. "The credit card companies didn't want it to happen, but others stepped in with solutions that made it happen, and now we can understand why."
