Card Associations Pair Off with E-Payment Allies

Pick a pair of payment competitors, and chances are they work with different and competing security partners.

The pattern was established as soon as MasterCard and Visa decided they had to offer a system for safeguarding credit card payments over the Internet. It was still very much in evidence at the RSA Data Security annual conference this week.

It helped enliven an already noisy and entertaining mix of more than 3,000 people and several dozen information security companies vying for their attention-and for pieces of a rapidly growing business tied to on- line commerce.

Just as MasterCard and Visa have made different vendor decisions-even as they have coalesced behind the Secure Electronic Transactions standard-so did point of sale terminal rivals Hypercom and Verifone. And so did the North Carolina banking titans First Union Corp. and NationsBank Corp.

To paraphrase an old Groucho Marx line, it is as if each protagonist is saying to its rival: "Whatever you do, I'm against it."

If not for such opposition in partnerships, the SET program might not have evolved as it did. Back in 1994, Visa started working with Microsoft Corp. on a payment security protocol.

Competitive rivalries defined the MasterCard response, with the likes of International Business Machines Corp., Netscape Communications Corp., and GTE Corp. joining its camp.

When they all decided to sit at the same table in 1995, the friction almost caused a flameout, but eventually cooler heads prevailed. SET is only now getting to full commercial preparedness.

For critical components of SET-the digital certificates that must be issued to cardholders and merchants, who as a result will be able to accept payments without seeing the consumer or her card number-Visa endorsed Verisign Inc. as its preferred vendor. MasterCard went with a GTE Corp. unit now called GTE Cybertrust Solutions Inc.

The Discover card organization chose Verisign; American Express chose GTE.

NationsBank, which has a close affinity with Visa, announced at the RSA meeting an extensive deal with Verisign, which happens to be a spinoff of the conference sponsor, RSA Data Security Inc., and happens to count Visa International as one of its equity owners.

First Union had previously chosen GTE-the early MasterCard ally on what became the SET project-for digital certificates in its home banking program, one of the first such applications of the technology announced in banking.

Roger White, a NationsBank vice president of information security, sang the praises of Verisign's flexibility, low cost, and rapid implementation time. That supported an aggressive commitment by NationsBank to add this weapon to its digital security arsenal.

Mr. White said digital certificates will be in place during the first quarter for employees to use in electronic mail and inquiries about their health insurance and other benefits.

He said that within a few months Verisign certificates will also be at work in global corporate and investment banking on the Internet. He was less certain about the timing of consumer banking transactions as NationsBank migrates them from its proprietary network onto the Internet.

But NationsBank was involved in the first U.S. transaction to clear under the SET 1.0 commercial version. It was a MasterCard payment supported by International Business Machines Corp., GlobeSet Inc., and GTE digital certificates.

Loyalties may run deep, but nonexclusivity still rules.

"That's great for us, and a great interoperability story," MasterCard senior vice president Steve Mott said of the NationsBank transaction.

Hypercom Corp. and its bigger POS competitor, Hewlett-Packard Co.'s Verifone Inc., simultaneously made different choices on the Internet commerce sides of their businesses.

Each was looking to offer a hardware-based system for cryptographic processing. Off-loading that intense number crunching lets a merchant's server computer deal more efficiently with the purchaser.

Hypercom is meeting its requirements through Atalla Corp., a unit of Compaq Corp., which in turn relies on GlobeSet Inc. of Austin, Tex., for SET capability. GlobeSet concurrently claimed to be the first SET software vendor to support hardware cryptography.

"This raises the bar in terms of security for the enterprise in SET," said Hypercom product manager Michael Knox.

Verifone turned to Rainbow Technologies Inc. to add cryptographic hardware to the VPos merchant software. Rainbow, of Irvine, Calif., is a specialist in "accelerator" technology that it says can work with any and all operating platforms and standards.

"By supporting (Rainbow's) CryptoSwift in VPos 4.0, Verifone is taking an important step in providing customers with the benefits of hardware cryptography," said George Hoyem, vice president and general manager of Verifone's Internet commerce division. He said customers can look forward to "the highest possible levels of both performance and security."

Such pairings-off of buyers and sellers might imply the emergence in the end of winners and losers. That was something the conference sponsor, RSA Data Security Inc., did not have to worry about. It has licensed its data encryption technology to all of the security providers mentioned, so it can't lose.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER