Card Frontiers: Gemplus, Verifone Test Encrypted PIN

Teaming up with the smart card manufacturer Gemplus, Verifone Inc. claimed it has taken a big step forward in cryptographic security of on-line transactions.

Verifone combined vWallet, its virtual wallet system for consumer Internet purchases, with a Gemplus GPK 4000 chip card to raise the level of security of personal identification numbers.

The PINs are encrypted in the cards, turning them into portable security devices that enable consumers to transact business at any computer equipped with a chip card reader. The encryption and deciphering of PINs according to complex mathematical formulas creates greater assurance that the cardholder is who he or she claims to be.

While desktop computers with smart card readers are still few and far between, announcements like this call attention to the readiness of the technology and might generate more interest among system suppliers and merchants.

Verifone and Gemplus exhibited the capability last week at the Internet Showcase meeting in San Diego, where fewer than 100 "serious contenders" won the competition to strut their stuff, said the event's executive producer, David Coursey. He said the Verifone-Gemplus product made the cut because it had "potential to have a profound impact on the industry."

Another aspect of the demonstration was also said to be a first: a debit card payment processed under SET version 1.0, the Secure Electronic Transactions protocol promoted by MasterCard International, Visa International, and several technology companies.

"Our easy-to-use vWallet software is the first to provide consumers a choice in smart-card-based debit transactions in addition to credit transactions," which generally don't require PINs, said George Hoyem, vice president and general manager of Verifone's Internet commerce division in Menlo Park, Calif.

The debit aspect may be the clearer and more immediate breakthrough, since SET-secured Internet debit purchases are likely to follow in significant volumes. But the PIN encryption may be a more important, longer-term step toward consumer acceptance, because it can help instill the peace of mind that electronic commerce vendors are eager to promote.

PIN encryption is, in fact, a relatively elementary form of user authentication (digital certificates issued and managed by banks or other "trusted parties") that these and other vendors are driving toward.

Verifone and Gemplus, which is based in France, developed PIN encryption to meet the specifications of Ecom, an Internet commerce program that includes the major French banks. Smart cards are already a payment system standard in France; credit and debit cards have had chips embedded in them since the early 1990s.

Mr. Hoyem sees PIN encryption as "just a small step away from the digital certificate stage and then to electronic cash."

"This is the first stage of realizing the convergence of the smart card with Internet commerce," Mr. Hoyem said. "We are excited about the use of certificates for electronic commerce. Certificates on a smart card create mobility for the consumer."

Gemplus Group's leadership as a smart card supplier dovetailed with Verifone's aggressive electronic commerce software strategy. Verifone's parent, Hewlett-Packard Co., has been a proponent of incorporating smart card readers in personal computer design, and Gemplus offers a series of devices that can bridge the gap between cards and the Internet.

"We are the first to integrate smart card support with the (virtual) wallet," said Mr. Hoyem. "That brings together the virtual world with the physical card.

"Everybody is talking about the convergence of smart cards with Internet commerce. This is a tangible, mainstream example of that."

The California-based company's work with Gemplus is not exclusive, Mr. Hoyem said. It was prompted specifically by the Ecom project but he said it can have much broader ramifications.

"We think France and other early-adopter smart card markets are places to show this off and it will drive acceptance of the technology elsewhere," he said.

Gemplus, meanwhile, is working with a long list of technology allies, ranging from Hewlett-Packard and Sun Microsystems Inc.'s JavaSoft unit to International Business Machines Corp. and Microsoft Corp., on a variety of projects with PC- and Internet-security implications.

The need to issue digital wallets for SET creates a "complicated environment," said John Landwehr, director of product marketing at Gemplus' U.S. base in Redwood City, Calif. Smart cards like those in the GPK (Gemplus Public Key) series "can simplify it a lot for users" by unobtrusively harnessing cryptographic functions.

Schlumberger Electronic Transactions said it has released the Cyberflex Multi 8K card, the latest of its smart cards designed for use with the Java programming language.

With 8,000 bytes of electronically erasable, programmable read-only memory (EEPROM), the cards have three times the memory space of earlier versions available for the application programs Schlumberger calls Cardlets.

Customers of the France-based vendor, which has a U.S. center in Austin, Tex., demanded the greater capacity, said Paul Beverly, vice president of marketing in the Schlumberger smart cards division.

"With the hundreds of Cyberflex development kits we have sold, we expect 1998 to be the year in which interoperable multi-application cards will hit the streets in volume applications," he said.

The Java-based Cyberflex 2.0 technology enables multiple functions (credit, debit, electronic purse, loyalty, etc.) to coexist and be readily upgraded on the cards.
