After Truce on On-Line Security, Card Groups Come Out fighting

MasterCard and Visa's Internet security effort, recently a love-feast of public-spirited cooperation, is turning quickly into a competitive dogfight.

A month after they mutually hailed publication of their common standard for processing on-line credit card payments, the associations came out swinging this week with rival approaches to a key aspect of the technology.

They chose different routes for providing digital certificates, which are designed to authenticate, or certify, cardholders, merchants, and banks in electronic transactions.

The choices - MasterCard went with the venerable telecommunications company GTE Corp., while Visa endorsed the year-old authentication specialist Verisign Inc. - prompted a display of one-upmanship uncharacteristic of recent relations between the bank-owned card companies.

It was a sign of how high the stakes are perceived to be in the emerging field of Internet commerce and was reminiscent of an earlier stage in the joint specifications project when negotiations between the two associations broke down.

MasterCard, GTE, and International Business Machines Corp., among others, were allied against Visa and Microsoft Corp. before those talks got back on track this year. Verisign, while now closer to Visa, is a spinoff of RSA Data Security Inc., a leader in commercial data encryption whose technology is embedded in both GTE and Verisign products.

MasterCard officials are pointing to the advantages of their long working relationship with GTE and to GTE's even longer track record in cryptographic security, particularly under government contracts.

"GTE has a lot of experience and is doing this today, which is a great comfort factor," said Jerry McElhatton, MasterCard's president of global technology and operations.

Verisign's big selling point is that it is the only company fully dedicated to digital authentication. Its work force has increased by more than 60% this year, to 80 people, and it is building a global infrastructure of four certificate-issuing centers and round-the-clock operation, said president and chief executive officer Stratton Sclavos.

Even in their competitive mode, the associations are uniformly optimistic that the coming availability of digital certificates, in compliance with the joint security protocol known as SET, or Secure Electronic Transactions, will spark an explosion of commercial activity on the Internet's World Wide Web.

Based on data encryption, SET assures that card numbers can be transmitted without being intercepted or compromised, even if a merchant somehow slips through with criminal intent.

"We have card issuers around the world, corporations, and suppliers clamoring for this service," said Stephen C. Mott, senior vice president for electronic commerce-new ventures at Purchase, N.Y.-based MasterCard. "We think we'll see significant volumes as soon as we put (an electronic certification service) out the door."

Those volumes and the SET standardization could help reduce the cost of a cardholder certificate to a "trivial" dollar or two, Mr. Mott said, which is several dollars less than the generic certificates available from GTE, Verisign, and a few others.

In the speed-to-market contest, Verisign said it is already distributing "test certificates" through its Web site to assist developers of SET- compatible software.

"Visa banks have the option of going to another issuer" of digital certificates, Mr. Sclavos conceded. "But our arrangement with Visa makes it easy. It will be scalable and available worldwide. It will be the most cost-effective, quickest-to-market way to implement SET."

The Verisign-Visa contingent struck first in the nascent war of words on Monday. Verisign emphasized the immediate availability of its testing formats and said it would take its SET product to the next level of "pilot deployments and interoperability testing" this year.

Weighing in for Verisign, Mike Rothman, vice president of the research firm Meta Group, called the Visa deal "the first step toward trusted transactions over open networks. Verisign continues to forge ahead in both mind-share and delivery" of digital certificate products.

Neither side promised full-scale deployment before next year. But Wednesday Mr. Mott claimed MasterCard and GTE would be "bigger, better, and faster" than the competition.

Like Visa, MasterCard stressed the global, "bank-branded" nature of its certification program. "MasterCard can offer services under strong brands ... permitting many participants to take the plunge in electronic commerce right away," said Tom Carty, director of GTE's CyberTrust unit.

MasterCard has scheduled SET pilots this fall in the United States, Denmark, and Malaysia. Participants will include MasterCard's Europay International affiliate, various stored-value card systems, and Verifone Inc., which unveiled a line of Internet payment products in June.

Indicating the fluid nature of these alliances, Verifone listed both GTE and Verisign among supporters of its SET strategy.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER