Amex Plays Hide 'N Seek Online

By the time you read this, American Express Co. should have introduced to the United States technology that European and Middle Eastern issuers recently began using to deter cybercrooks. Amex was planning to introduce its proprietary version of one-time credit card number software as Bank Technology News went to press.

Moreover, the New York-based payments giant is so confident about this method of making online shopping more secure that it is taking it commercial without first doing a pilot. Private Payments, Amex's system, will allow an Amex customer to shop online without revealing his card number, by replacing his actual card number with a temporary number at the moment he goes to make a purchase.

At the checkout section on an Internet merchant's site, a Private Payments window automatically pops up asking for a user name and password. Once verified, Amex immediately zips over a randomly generated "credit card number" which appears on the payment form. This number is invalid after one purchase.

Installation is relatively painless. Consumers can obtain the software from the Amex Web site and download it in three minutes or less. However, since customers shopping online can also visit the Amex site where Private Payments is in place, they won't ever need to download the software. The advantage of the software is that a Private Payments icon will reside at the bottom of users' PC screens so they won't have to hop from site to site as they buy from participating merchants.

Merchants won't have to change anything. As far as they're concerned, the number they receive is a genuine American Express card number.

The product is not available to Amex's corporate customers, but will be free to all Amex consumer and small business customers and will be available at any Web merchant that accepts the American Express card.

Some may express doubt at an Amex Internet privacy initiative. Blue, the smart card Amex introduced last year, designed for better online security, has received mixed reviews. Users needed to hook up a card reader to their computers to take advantage of the technology. And getting consumers to install anything is like herding cats. However, Alfred Kelly, group president of consumer and small business services, claimed the product is "very successful" during a September teleconference announcing the launch of Private Payments. He also said that Private Payments would be available on all Amex cards, Blue included.

"Blue was designed to attract a new type of person to American Express - tech savvy people," Kelly said. The primary and secondary target audiences for Private Payments will be card members who browse but don't shop, shoppers who are still fearful and not aggressive buyers, and finally, prospective customers.

Private Payments is the first in a three-part series of privacy products and services to be unveiled by Amex over the next few months. The second, to be announced later this year, was developed through a joint effort with Privada Inc. of San Jose, CA, a digital privacy infrastructure provider, and will enable users to decide how much of their personal information is shared when they browse a Web site. Amex is currently running a series of distinctive television advertisements about online privacy - the consumer's face is "blacked out" by being digitized and distorted.

"(Private Payments) gives peace of mind to our customers," Kelly said.

The suite was launched in response to what Amex says is a still-lingering fear by consumers of online shopping. Meridien Research of Newton, MA, for example, says that payment fraud over the Internet totaled $2 billion in 1999 and it expects that number to skyrocket to $60 billion by 2005. And despite efforts by online merchants to secure shoppers' personal data, there is still a small grain of wariness in the back of some consumers' minds as they input their card numbers on a purchase form online.

Amex might have uncovered a gem with the new number-switching technology. Overall, this type of device is relatively easy to use from a consumer perspective and merchants don't have to do a thing.

"This (technology) is a good thing from a consumer point of view," says Frank Prince, senior analyst, e-business infrastructure at Cambridge, MA-based Forrester Research. "For the first time, people will have a sense that they can reach into cyberspace and exert control in the electronic world."

But Private Payments is not exactly the "breakthrough technology" Amex has repeatedly touted it to be since it appears to be modeled after similar technologies launched months earlier by at least two overseas technology companies.

In June, BTN profiled Dublin, Ireland-based Orbiscom, a vendor which developed what it calls "O-powered" technology that, like Private Payments, exchanges a cardholder's real number with a temporary account number for making purchases online. ("Orbiscom Aims To Foil Net Fraud," June 2000.)

Users download a 50-to-100 KB applet at their credit card issuing bank's site. When they want to shop online, they click on the O-card icon on their desktops that is designed to resemble their credit card. They enter their password, click 'Go' and within seven seconds they receive an O-number from their credit card issuer. When they reach the credit card number section on merchants' order forms, they enter this O-number.

Orbiscom's product gives users a bit of versatility. Among the features at their disposal is the ability to set custom controls for a particular shopping session, such as setting specific dollar amounts on their O-numbers and determining whether they want particular numbers to work for one or multiple merchants. The O-card also works with non-PC Internet access devices, such as mobile phones and PDAs.
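The number-switching idea described above, with the single-purchase, dollar-limit and merchant-lock controls, can be sketched as an issuer-side vault. This is an added illustration, not code from Amex, Orbiscom or Cyota, whose implementations the article does not disclose; the class names, the `999999` prefix, the reason strings and the merchant names are all assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test merchants run."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

@dataclass
class Grant:
    real_pan: str            # never leaves the issuer
    limit_cents: int         # per-number spending cap
    merchant: Optional[str]  # None = usable at any merchant
    uses_left: int = 1       # 1 = single-purchase number

class Issuer:
    def __init__(self, prefix: str = "999999"):  # constructed prefix, not a real issuer range
        self.prefix, self.vault, self.ledger = prefix, {}, []

    def issue(self, real_pan, limit_cents, merchant=None, uses=1) -> str:
        while True:  # draw digits from the OS CSPRNG; retry on the rare collision
            body = self.prefix + "".join(str(secrets.randbelow(10)) for _ in range(9))
            temp = body + luhn_check_digit(body)
            if temp not in self.vault and temp != real_pan:
                break
        self.vault[temp] = Grant(real_pan, limit_cents, merchant, uses)
        return temp

    def authorize(self, temp: str, merchant: str, amount_cents: int):
        grant = self.vault.get(temp)
        if grant is None or grant.uses_left <= 0:
            return (False, "unknown_or_spent")
        if grant.merchant is not None and grant.merchant != merchant:
            return (False, "merchant_mismatch")
        if amount_cents > grant.limit_cents:
            return (False, "over_limit")
        grant.uses_left -= 1  # spend the number before posting to the real account
        self.ledger.append((grant.real_pan, merchant, amount_cents))
        return (True, "approved")
```

The merchant only ever handles the temporary number, which passes the same format check as a real card number; the mapping back to the real account happens inside the issuer, so a number stolen from a merchant's database after the purchase is already spent.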

Ray Sheridan, chief operating officer of U.S. operations for Orbiscom, says the O-card is being used by European customers of Allied Irish Banks, Dublin, Ireland, and Household Finance Corp., the U.K. operation of Household International Inc., Prospect Heights, IL. "Consumers can use their O-powered payment product anywhere in the world...and it is compatible with all payment products, including consumer and commercial."

Another player in the number-switching arena is New York-based Cyota. Its version of this technology is called SecureClick and it was launched in late spring. SecureClick is beyond the pilot stage and is in use today by 1.5 million "Isracard" cardholders in Israel.

As with Private Payments, a SecureClick window pops up when the user's computer realizes something is going to be purchased online. To enroll, cardholders visit their issuer's site, their identification is confirmed and a 250 KB applet is downloaded automatically to their computers. They can start shopping immediately. The temporary card number appears on a spinning number roll during each shopping session so the user can watch as it is randomly generated.

Additionally, banks get what Cyota's President, Naftali Bennett, calls "real estate property" on users' computers. "With SecureClick, banks get a branded custom toolbar that appears on their customers' browsers. It's always on the browser and has buttons that show real-time card account status and links to online banking, for example," says Bennett.

The company has some heavy hitting members of the security and financial services communities on its roster. To start, Cyota was founded by four veterans of intelligence units in the Israeli Defense Force. (Its research and development facilities are located in Tel-Aviv.) Also, the security system is being developed under the expert eye of Professor Adi Shamir, a cryptographer responsible for co-inventing RSA encryption, the de facto security standard in the industry. (He's the 'S' in RSA.) Further, Cyota's Chief Executive Officer, Gary Heatherington, was president of Bank One International in Canada and was executive vice president of global markets at MasterCard International.

But what makes the Amex product stand out is that it works exclusively with American Express cards. The security products offered by Orbiscom and Cyota are in use primarily with Visa and MasterCard systems. Cyota's Bennett claims, however, that SecureClick could, conceivably, be designed for the Amex system if the company had been asked. "We built a generic protocol to work with anything," he says.

So why did Amex go it alone? According to a spokeswoman for the company, Amex felt creating a homegrown product would be faster than working with a partner. "We developed (Private Payments) in-house because we wanted to get the product to market ASAP."

Forrester's Prince applauds Amex for developing Private Payments in-house. "If you're a really big company and feel an investment in something is worth doing, then do it. No one else was stepping up to do this, so Amex did it on its own."

But Cyota's Bennett is not convinced by that reasoning. Although Amex knows the card side of the process, he thinks there are issues involving the technology itself that may cause Amex to falter. "Amex might have problems with Internet issues - things happen. I'd be interested to see this. And with any bank product, banks use vendors. This is our business."

Sheridan of Orbiscom is reluctant to comment directly on the manner in which the Amex product was developed "since we haven't yet seen it in action." But he says, "The Orbiscom product was developed over a two and a half-year period by industry experts, it's issuer and merchant ready and our customers are happy - and have been live with the technology for months now."

Be that as it may, companies like Cyota and Orbiscom need to license their software to card issuing banks, unlike Amex. And the minimum installation time for banks to implement either SecureClick or O-powered technology is about 12 weeks. Amex already has a finished product on its Web site.

Additionally, most deployments of card number-switching technology appear to be outside the U.S. This may be a matter of plain geography (Orbiscom is based in Ireland and Cyota has R&D facilities in Israel). Although Cyota and Orbiscom claim to be working with domestic issuers, they're reluctant to name any at this time. So in this regard, the launch of Private Payments marks the first public U.S. deployment of this technology.

Although he considers himself "bullish" on this kind of security, Prince says there is no real consumer drive for issuers to set up these systems. Though assuaging people's fear that their identity will be stolen online is important, "If you got everybody who suffered identity theft into a room, it wouldn't have to be a very big room." Rather, he says the key to larger acceptance of this technology is efficiency. "Issuers have to convert the phony number into the real number. This costs money. Companies like Orbiscom and Cyota will need to make the argument that this will increase issuers' operating efficiency."

Amex's Kelly admits they haven't stumbled upon the "silver bullet" of anti-Internet fraud devices, but it's a good first step. "Fraudsters usually start with one bit of information and build from there. By protecting the card number, it's a step in the right direction."

Cyota's Heatherington says, "I've seen hundreds of Internet security programs that looked good on paper but that never worked in the real world because you had to coordinate all parties." Products like the aforementioned require little, if any, work from those involved. Bennett adds, "With something like SET (Secure Electronic Transaction protocol), it was a matter of getting critical mass of merchants and critical mass of cardholders doing the same thing. It was the eternal chicken and egg problem. This (kind of technology) solves it."

Orbiscom's CEO, Graham O'Donnell, said in a previous interview, "It's easier for (Visa and MasterCard) to work with (this technology) than SET, because to get that to work, you have to rewire the world."

"As we are seeing time and again, hackers compromise a site's firewalls and steal shoppers' card details," comments Sheridan. "With an O-powered payment, shoppers do not have to worry about their information floating around in cyberspace. After transactions are made, O-card numbers become invalid." The same is true of the Amex and Cyota product.

While it seems Amex made a smart move in jumping on the number-switching train, its technology competitors are doubtful that this will win over new customers. Although he lauds Amex for developing Private Payments, Heatherington thinks Amex's focus is too narrow. "They're talking to their cardholders and I think they made the right decision. But there are an awful lot of people with Visa, MasterCard, Eurocard and debit cards. They're missing an awful lot."

Orbiscom's Sheridan agrees, saying, "The Orbiscom solution leverages the ubiquitous Visa/MasterCard/bankcard acceptance network."

Amex's announcement "was a major icebreaker for this technology," admits Cyota's Bennett. "But we're here and ready."

Prince takes a different view. "Historically, American Express has always been a little ahead in terms of consumer privacy initiatives and I don't think they get enough credit for this."
