A Boost from Europe for Card Readers

Two developments stimulated by Europe's friendliness toward the smart card may help lay the groundwork for the ubiquitous card-reading infrastructure whose absence has been holding the technology back, particularly in the United States.

Cyber-COMM, a venture of the top French banks and their payment associations, has set a rapid testing and deployment schedule for inexpensive card-reading devices in hopes of equipping every household in France for secure banking and electronic commerce by 2001.

The French financial institutions, which were the first in the world to adopt and standardize smart cards, have now coalesced around a requirement that the cards be used for personal identification and authentication in on-line transactions. A U.S. technology vendor, Wave Systems Corp., has won a contract to supply a key component for the Cyber-COMM Internet specification, which shows immediate promise of spreading throughout Europe through a multinational standards organization known as Finread.

Meanwhile, Celo Communications, a data security company that started in Sweden two years ago and is seeking to build on its European base through a Silicon Valley office it opened in January, introduced this month what it bills as "the industry's first truly secure, Internet-ready smart card readers."

Celo Communications is certainly not alone in selling compact smart card readers for personal computers or other devices. Smart cards have become increasingly popular in government and corporate settings where the "cost per seat" for the readers and related security features is said to be falling toward or below $50. But that price is high enough that a company such as Rainbow Technologies of Irvine, Calif., can generate interest in a cheaper alternative, the iKey, that plugs right into a PC's universal-serial-bus port without intervening hardware.

Celo claims that its patented reader design overcomes a characteristic security flaw by shielding password and encryption operations from malicious virus or hacking programs. And its unit cost of $39 can come down substantially in quantity, said Neil Costigan, the company's chief technology officer in Mountain View, Calif.

"In higher volumes, we feel this can be a mass-market device," he said.

Together with recently announced smart card deployments in the financial services industry -- such as the American Express Blue card and a program at the United Kingdom Internet bank Egg using equipment from Schlumberger, which was one of the pioneering suppliers in France -- the Cyber-COMM/Wave and Celo Communications developments are heating up the market in ways that chip card advocates had long been anticipating.

Wave Systems of Lee, Mass., deemed its Cyber-COMM business important enough to arrange a conference call with investors on Oct. 1. President Steven Sprague discouraged questions about Wave's financial performance as the third-quarter reporting period approached, preferring to underscore the national, regional, and potentially global importance of the Cyber-COMM initiative.

"They are starting a process to put a secure terminal in the home that will be the basis of everything in digital commerce," Mr. Sprague said.

Wave, which has been in business 11 years and defines its end-product as a "trusted client," sees smart cards as a useful tool in transaction security, personal authentication and privacy, and digital rights management -- the protection and authorization of video, music, and other content delivered via set-top television boxes or other media.

The Cyber-COMM group, which resulted from the combination last year of two competing efforts in France to create an on-line card payments standard, selected Wave's Embedded Application Security System, known as Embassy.

At the time of the merger of the two earlier projects, C-SET and e-COMM, French payments officials were talking in terms of $20 or less per reader. The economics are expected to be most favorable as computer and keyboard manufacturers incorporate chip card capabilities at the factory, which Microsoft Corp. and Intel Corp., among others, are actively promoting.

Embassy becomes part of an open specification designed to encourage multiple manufacturers to compete and lower the cost of the infrastructure while also speeding distribution into the mass market. Therefore, Wave has no exclusivity per se.

But through its licensing and sub-licensing agreement with Cyber-COMM, the company stands to collect what Mr. Sprague described as a "small fee" for every device deployed, which is expected to reach into the millions in France alone. The company also has direct sales ambitions.

"This is a very exciting opportunity for us," Mr. Sprague said. "There will be multiple suppliers shipping tens of millions of units and we hope to get a substantial portion of these."

Wave, with $22.4 million of assets and $17.5 million of working capital as of June 30, has been reporting negligible revenues. It had a net loss in the first six months of $7.8 million, roughly double the 1998 figure.

It has many irons in the fire, including a chip development agreement with Atmel Corp., which also plays a part in International Business Machines Corp.'s recently announced PC security enhancements, with which Embassy is compatible.

Wave also has a partnership with Sarnoff Corp. to apply its trust technology to digital television transmissions in daily volumes of 100 gigabytes. Wave is a member of the recently organized International Security, Trust, and Privacy Alliance, along with Bank of America Corp., Chase Manhattan Corp., Compaq Computer Corp., Hewlett-Packard Co., Microsoft, and others.

Wave is also a part of the Trusted Computing Platform Alliance, announced this week by Compaq, HP, IBM, Intel, and Microsoft to promote PC security standards.

In the third quarter, Wave acquired N-Able Technologies of Danvers, Mass., which had a complementary hardware security business and was pursuing sales related to SET, the Secure Electronic Transaction protocol promoted by MasterCard and Visa for Internet transactions. SET is also a key aspect of the French security program.

Jeffrey Grammer, who was chief executive officer of N-Able and is now Wave's vice president of platforms, said it took "several years of work" to get up to speed with what Cyber-COMM is requiring. He said the digital trust technology can be embedded not only in PCs but also in wireless phones, personal digital assistants, and "any other way you touch the Internet."

Mr. Grammer said Cyber-COMM, as a core participant in the Finread group, can serve as a conduit for Embassy into the European Union. Finread resulted from a European Commission mandate and expects to have a specification for secure smart card readers in place next year.

Cyber-COMM and Finread officials made a presentation this month to a meeting of SETCo, the certifying and coordinating body for the SET specification, that Mr. Grammer said was "well received" -- a sign of receptivity on an even more global scale.

"The European banking community wishes to greatly improve and expand the e-commerce, home banking, and overall financial services available to its 80 million customers," said Herve Sitruk, CEO of Cyber-COMM and chairman of Finread. "Consumers need trust and confidence, merchants need a way of guaranteeing payments, and banks need an infrastructure that minimizes the risks of fraud."

He said that Cyber-COMM as a member of Finread -- others include the European arms of MasterCard and Visa, the smart card vendor Bull, and national payment associations Banksys of Belgium, Cartes Bancaires of France, Interpay of Holland, and SIZ of Germany -- expects to "help set the standard for secure payments and privacy in Europe."

Cyber-COMM director of security Claude Meggle said the European financial institutions "are taking a very aggressive role in partnering with leading technology vendors (to) address the obstacles to a digital economy. We feel that many of these obstacles, such as a lack of privacy standards and the absence of consumer confidence in on-line transactions, can be eliminated by Wave's Embassy trusted computing solution."

Celo Communications is currently shipping its CeloCom Smart Card Reader, which is being manufactured in Germany under license by SCM Microsystems of Los Gatos, Calif. The device plugs into a PC serial port, is compatible with standards such as PC/SC for smart card-computer interfaces, and "is truly a breakthrough in price and providing real application security," said Sven Hammar, president of Celo.

"Smart cards offer the best way to achieve security and nonrepudiation for on-line transactions, but until now the readers were expensive, difficult to install, and vulnerable to theft of personal identification numbers by hackers," Mr. Hammar said.

Mr. Costigan said that previous products suffered from slow speeds and unwieldy physical "form factors" in addition to the PIN-password vulnerability stemming from keyboard keystrokes.

Celo, a data encryption specialist that includes the major Swedish banks, German Internet service providers, and NATO military networks among its customers, announced concurrently that it is offering its SSR Communicator free to encourage wider acceptance of what it calls "SSL tunneling." The system, based on Secure Sockets Layer encryption and digital certificates, is designed for the efficient assembly of virtual private networks with secure e-mail, remote administration, and other functions.

"In the spirit of the Internet, we are releasing SSR Communicator as freeware with the hope that the technical community will find its powerful capabilities useful in helping to build more secure applications, Mr. Hammar said.

FREMONT, Calif. -- Activcard, a French-American provider of authentication technology that is working closely with both MasterCard and Visa smart card initiatives, said it has been designated to provide a secure Internet access system to the Information Security Forum.

The London-based multinational forum, as it seeks to promote and demonstrate authentication capabilities on its own Web site, endorsed Activcard Digital Identity as its internal standard.

Some 200 member organizations are using Activcard secure tokens and passwords for two-factor authentication when logging into the Information Security Forum extranet.

"The ISF was seeking to expand the services it offered to members by building an electronic communications system offering authenticated access," said managing director Alan Stanley. "There was a need to provide access via the Internet to a repository of ISF reports and other services, and also to allow members to share information in a confidential environment.... Of all the systems we looked at, Activcard's was the most compelling in terms of ease of use, standards compatibility, and cost-effectiveness."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER