Web Security Firm to Add MC-Visa Protocol

One of the companies that helped MasterCard and Visa develop their Internet payment standard said Monday that it would incorporate it in its line of security products.

Terisa Systems Inc. said it will build the Secure Electronic Transactions protocol into its SecureWeb tool kits by June. That would allow customers - makers of Internet browsers, servers, and other application developers - to have SET in place when credit card transactions are expected to begin flowing later in the year.

Terisa, a year-old company that defines its mission as securing Internet commerce, is not the first to announce an SET implementation. But Terisa's chief technical officer, Allan M. Schiffman, said he expects to give his customers a "time-to-market advantage."

Those users include two prominent Web system vendors, Compuserve Inc.'s Spry Internet division and O'Reilly & Associates.

"Our WebSite server uses Terisa, and we want to pass the benefits of SET on to our users," said Gina Blaber, director of O'Reilly's software division in Sebastopol, Calif. "We will rely on Terisa's expertise and experience with the new protocol."

Among others recently saying they will support SET was RSA Data Security Inc., the leader in data encryption systems and one of the founders of privately held Terisa Systems. (Terisa, based in Los Altos, Calif., takes its name from the initials of RSA and Enterprise Integration Technologies, a pioneer in Internet commerce that Verifone Inc. acquired last year.)

Verisign Inc., an RSA offshoot that specializes in related digital signature technology, also participated in the MasterCard-Visa project, alongside such established technology players as GTE Corp., International Business Machines Corp., Microsoft Corp., Netscape Communications Corp., and the consulting firm Science Applications International Corp.

Shortly after the MasterCard and Visa associations published their SET draft Feb. 23, Microsoft said it would deliver SET in software for American Express card payments.

Terisa also hopes to capitalize on its involvement in the SET negotiations, in which MasterCard and Visa compromised on what had been separate and conflicting security approaches for open networks like the Internet.

Mr. Schiffman called SET "a great improvement" over the earlier proposals, MasterCard's Secure Electronic Payment Protocol and Visa's Secure Transaction Technology.

Mr. Schiffman, an expert in data encryption and Web security, formerly worked at Enterprise Integration Technologies and was chief architect for the CommerceNet consortium, a multi-industry group exploring Internet commerce. Having become steeped in the workings of the bank card networks, he said SEPP and STT did not take full account of existing and available security standards.

He said SET homes in on the card transactions that banks are concerned about, shielding account numbers from merchants. It also preserves key roles for the MasterCard and Visa global communications networks and does not impose standards on other aspects of electronic transactions in ways that could have complicated the process.

By minimizing the number of cryptographic operations, SET will simplify and perhaps encourage acceptance of credit cards, Mr. Schiffman said

"SET changes things," he said. "It will permit an entirely new class of merchant to get on the Web, and you will see new classes of transactions. They can sell a spoonful at a time, which is what the Web is about - just- in-time and instant gratification."

SET, he added, is one of numerous protocols that Terisa's SecureWeb client and server tool kits will support.

While he is enthusiastic about SET, Mr. Schiffman is concerned about the proliferation of other Internet-payment associations. Just last week, CommerceNet, Verifone, the Financial Services Technology Consortium, and numerous others announced the formation of a "super consortium," the Joint Electronic Payments Initiative.

Each such group "has a reason for being," he said, "but when you look at them collectively, there are too many.

"We are very selective about those we get involved in." Aside from the potential confusion, "they require serious commitments of time and money."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER