On-Line Banking: For Suppliers of Data Security, a Waiting Game

As they weigh the available options for safeguarding money, commerce, and confidentiality in the digital world, everybody is waiting for something.

Internet merchants do not want to step up to a higher level of credit card security until consumers are routinely equipped with virtual wallets that conform to SET, the Secure Electronic Transaction standard.

Whether on the World Wide Web or in conventional stores, retailers are reluctant to try new payment mechanisms such as smart cards or electronic cash until they are assured of lower costs or other benefits.

Makers of computer keyboards, cell phones and palmtops, and TV-cable boxes are boldly incorporating smart card readers in their designs, but in this otherwise leading-edge society, where are the cards?

And those selling the technologies are asking, where are the banks?

Customers are not exactly holding their breath for any of this. Millions do not think twice about keying in credit card numbers on-line, and the low-loss experience to date proves the wisdom in that. But surveys just as surely show that millions more refrain from transacting because of safety or privacy fears. The right kinds of reassurances, perhaps from trusted financial services institutions, might turn those attitudes around.

Banks or others could accomplish that with technologies based on the science of data encryption, readily available from an eager band of suppliers who, lo and behold, have been waiting and hoping for the financial industry to take this bull by the horns.

These technologists are entrepreneurs, an optimistic lot, but their patience has been tried.

"We always think things will go faster than they actually do," lamented Sue Pontius, president of Spyrus in Santa Clara, Calif., which offers a full range of authentication technologies. They include digital-certificate-bearing smart cards for authentication and PKIs, the public key infrastructures for issuing and managing the necessary encryption codes.

Ms. Pontius and others in the field have had to become educators, not just in how to put the technology to use, and not just in teaching the differences between, say, a certificate authority and a registration authority.

She is tirelessly trying to get across that there is no difference between old and new security principles, that the new technologies simply "overlay" ordinary and continuing business practices. The function of a registration authority in a PKI is the same as customer enrollment, something "that should remain within companies."

So devoted is Ms. Pontius to the educational cause that she praises two frequent competitors, Entrust Technologies Inc. and Verisign Inc., for succeeding to the point where they were able to make initial stock offerings this year, thereby bringing acronyms such as PKI and CA (certificate authority) to some public awareness.

"This is evangelizing," Ms. Pontius said. "All of us small companies are doing it. We have to separate fact from fiction."

Spyrus, a privately held, 90-employee company that says it has been profitable since it started six years ago, got to where it is largely on the basis of government contracts. The company sees a "second wave" of PKI proliferation just now spreading into the "corporate/enterprise" market, including intranet and extranet and electronic commerce systems that would authenticate employees or trading partners through digital certificates on cards that could be inserted in any device with a standard reader.

Many suppliers are putting pieces of that security-assurance puzzle together, often viewing wholesale or business-to-business opportunities as more immediate than consumer ones. Some are selling "end-to-end solutions," but no one seems capable of moving the entire market by itself.

Just the act of replicating the credit card infrastructure on the Internet, the goal of the SET protocol, is "very complex," said Anil Pereira, director of marketing for Verisign, which has provided certificate services to more than 200 institutions around the world in SET pilots.

While SET has been a struggle, particularly in the United States, "there is a lot of activity at the extranet level now," Mr. Pereira said, supporting Ms. Pontius' notion of a corporate-centered take-up of the technology. Using PKI techniques to grant secure system access to customers or suppliers has bottom-line impact, he said. And Verisign is working with smart card and other security-token manufacturers to offer the option of portable certificates.

Verisign's customer signings provide hints of a groundswell of interest and activity. First Union Corp. recently turned to Verisign for what promises to be an extensive authentication framework encompassing many business units. Verisign's Onsite service will do the "heavy lifting," while First Union concentrates on its banking relationships.

Another Onsite customer, Morgan Stanley Dean Witter & Co., plans to complete issuance of digital certificates early next year to 15,000 employees for secure e-mail. Later it expects institutional customers to use certificates in trading and investing.

The market has learned about the limitations of password-based security, Mr. Pereira said. "In extranet or e-commerce applications, information-technology and businesspeople figure it out: All roads lead to Rome, in the form of digital certificates."

Belief in that "all roads" theory is strong enough to have created a healthy field of competition, some of it on a philosophical plane. Verisign and Entrust represent a certain "establishment" approach to CAs that upstarts question or snipe at. A common criticism (roundly denied, of course) is that they have yet to prove an ability to operate economically at mass-market scale.

A company founded last year in Los Angeles, Secured Information Technology Inc., has joined with First Data Corp. computer scientists Lynn and Anne Wheeler in exploring a CA alternative called account authorities, said to be well suited for banks and credit card companies. SITI also owns patents on elliptic curve cryptography that may heighten scalability.

Xcert International Inc. of Walnut Creek, Calif., touts new-generation PKI technology for the business market revolving around anonymous certificates and on-line verification. (See page 15.)

"Pilots today are proving that scaling to millions and billions of transactions is possible," said Xcert president and chief executive officer Thomas Nolan.

These companies are also in a bank-friendliness competition. Mr. Nolan said, "Our business plan is focused on the financial services market," which was instrumental in winning the business of ABAecom, the American Bankers Association's root CA venture for the financial industry.

ABAecom and another recent development, the global trust enterprise, may be the strongest signs that bankers are awakening to the opportunity. The trust enterprise is a recently formed venture of BankAmerica Corp., Bankers Trust Corp., Citigroup, Chase Manhattan Corp., and four European banks to run a certificate hierarchy for potentially millions of business customers.

But even this arouses some philosophical skepticism from Reginald Foster, chief e-commerce officer of American Management Systems, Fairfax, Va. He wonders if the trust enterprise is backing itself into a commoditization corner, because the technology will be easily duplicated and underpriced and lacks a "value added" that customers would pay extra for.

William Crowell, president of Cylink Corp., Sunnyvale, Calif., said banks have a "strong security" heritage, and in fact are a major revenue source for his data security company.

But the advent of the Internet has brought about "more confusion than commitment," he said. "There is confusion about PKIs, whether to outsource, how to integrate and operate virtual private networks, standards, and interoperability."

Mr. Crowell, too, sees "an education problem."

"Complexity breeds frustration," Credit Suisse First Boston analyst Bill Burnham wrote in his mid-November review. Nowhere is his e-commerce picture more muddled than in the security area.

"There are 10 to 15 different Internet security technologies (including firewalls, proxy servers, link encryptors, digital certificates) that a business must install and operate to be sure that its Internet transactions are truly secure," Mr. Burnham said. "And that's just for security." It does not include a "dizzying array of disparate" payment and order processing technologies every bit as essential.

"Adding insult to injury," he said, "many of the different products were never designed to work together. ... Not only will flap A not fit into slot B, but even if it does there is no guarantee that the assembled technologies, once integrated, will actually work."

BroadVision Inc. of Redwood City, Calif., an innovator in customer relationship software for Internet businesses, has worked with Verisign and others to put "hooks" into its system for any form of customer authentication that may be desired.

But BroadVision president Pehong Chen, as high-tech a CEO as there is, keeps his distance.

"Depending on an institution's preferences, we can support a simple log-in, which is often sufficient, or digital certificates," he said recently. "Now we are talking about voice prints, though I do wonder what happens if somebody catches a cold.

"Nothing is perfect. Digital certificates are not very portable. Voice prints are very portable but there is a question of reliability. We don't dictate but we have it if they want it."

Mr. Foster sees no reason to panic. "I see the degree of concern (about security and privacy) down and the number of available solutions up." Though he said he does not minimize the importance of addressing these challenges, he expects the necessary technologies to filter out sooner rather than later.

"It looks like a problem that's abating," Mr. Foster said. "I don't see this as a major, showstopping concern."

Xcert chief technology officer Patrick Richard said, "It's still an early stage for a lot of people, but not from the point of view of technology and its ability to solve problems. It's a question of people understanding the compelling reason to do this."

"We are out to accelerate the marketplace," said Ms. Pontius of Spyrus. "With multiple products out there, the best of breed will win. We just wish the educational process could go faster."

Mr. Richard predicted "1999 will be prime time: we will see significant rollouts of PKI."
