Certco LLC, a Bankers Trust New York Corp. venture capital start-up, outmaneuvered more established companies to win a key digital certification assignment from MasterCard and Visa.
Bidding jointly with Spyrus, a provider of data security hardware, Certco was named exclusive provider Tuesday of the root certificate authority system for SET, the Secure Electronic Transactions protocol.
The root certificate authority, or CA, is central to the card associations' standard infrastructure for secure Internet payments.
Certco and Spyrus' competitors included GTE Corp., which MasterCard earlier had endorsed as the preferred provider of digital certificates for its member banks, and Verisign Inc., which won a similar designation from Visa.
Entrust Technologies, a spinoff of the Canadian communications company Northern Telecom, also sought to provide the root CA, an industry source said.
Certco and Spyrus are taking a "split key" approach that will let each payment brand (MasterCard, Visa, American Express, Discover, Diners Club, and JCB) retain the root key to cardholder transactions.
"This is a pivotal step toward putting SET into the public domain," said Steve Mott, senior vice president of electronic commerce-new ventures at MasterCard International. "The Certco-Spyrus solution facilitates control and ownership by multiple brands."
"This puts us in prime time and gives us credibility," said Laurence Walker, president and chief executive officer of Certco, which Bankers Trust spun off last year. "This solution allows a given brand to build a root that will act as the touchstone for an SET credit card transaction."
The root CA will generate digital signatures using encryption technology from Spyrus. The signatures will be embedded in cardholder, merchant, and bank certificates, which might be issued or managed by GTE, Verisign, or another vendor, to authorize and authenticate all aspects of a transaction.
Once original certificates are generated, the root private key will be broken up and distributed among independent parties. Each card containing a fragment will be individually encrypted. When the root CA needs to create a certificate, the cards need not be brought together, but the necessary data will be aggregated through secure messaging.
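The split-key idea described above can be illustrated with an additive n-of-n split of an RSA private exponent, where each holder signs with its own fragment and only the partial signatures are combined. This is an added example, not Certco's or Spyrus' design: the article does not name the algorithm, so the RSA scheme, the toy primes, the holder count, and all function names are assumptions.

```python
# Added illustration: n-of-n additive split of an RSA signing key (toy parameters).
import hashlib
import secrets

# Constructed toy key built from two Mersenne primes. Far too small for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent, known only to the dealer at split time


def digest_int(message: bytes) -> int:
    """Hash the message to an integer mod N (no padding: illustration only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def split_key(d: int, holders: int) -> list[int]:
    """Split d into additive shares with sum(shares) == d (mod PHI)."""
    shares = [secrets.randbelow(PHI) for _ in range(holders - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares


def partial_sign(share: int, message: bytes) -> int:
    """Run by one holder on its own fragment; the fragment never leaves it."""
    return pow(digest_int(message), share, N)


def combine(partials: list[int]) -> int:
    """Multiply partial signatures: h^d1 * h^d2 * ... = h^d (mod N)."""
    sig = 1
    for p in partials:
        sig = (sig * p) % N
    return sig


def verify(message: bytes, sig: int) -> bool:
    """Ordinary RSA verification with the public key (N, E)."""
    return pow(sig, E, N) == digest_int(message)


def demo(holders: int = 3) -> tuple[bool, bool]:
    msg = b"constructed sample: to-be-signed certificate bytes"
    partials = [partial_sign(s, msg) for s in split_key(D, holders)]
    # All fragments contribute -> valid; one holder withheld -> invalid.
    return verify(msg, combine(partials)), verify(msg, combine(partials[:-1]))
```

In this additive form every holder must take part in each signature; a verifier sees a normal RSA signature and cannot tell the key was split.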
"MasterCard and Visa, taking a farsighted view, have begun the process of rising above the individual brand and getting a good SET-enabled brand," said Charles Walton, a senior vice president at New York-based Certco. "The root represents a more global view of a valid credit card transaction over the Internet."
Although they have not made formal announcements, American Express and Japan-based JCB have lent their support to the Certco-Spyrus solution.
The root CA decision clears the way for MasterCard SET pilots in Europe, Asia, and South Africa and Visa's in Asia and Europe. A formal publication of a "production version" of SET is due in June, and the card associations anticipate general availability in the fourth quarter.
"We see this as another step toward establishing a global infrastructure for open network security for payments," said Steve Herz, senior vice president of electronic commerce at Visa. However, its adoption will depend on software vendors' distributing it and financial institutions' deploying it to merchants and cardholders, he added.
Certco and Spyrus have moved to the forefront of an emerging "trust" industry with "something that is bank-ready from the ground up," said Scott Smith, director of the digital commerce group at Jupiter Communications in New York.
Carl Howe, director of network strategies at Forrester Research in Cambridge, Mass., said he sees it as a "new model" for certification but raised an operational issue: Because of decentralization, "nobody is responsible for driving a transaction forward to its conclusion. It will be a challenge for the companies to figure out how this works and take liability for the business process."