Consumer Use of Digital Signatures Still Far Off

In June, when President Clinton signed a law that gave digital signatures the same legal weight as their pen-and-ink equivalents, the banking industry was jubilant.

E-commerce would flourish in new and unforeseen ways, they said, and banks, as holders of the certificates needed to authenticate digital signatures, would be at the center of it all. Five months later, that vision is still far from reality, but a handful of banks are taking advantage of opportunities in the digital certificate business. Zions Bancorp, which runs a subsidiary called Digital Signature Trust, has been doing the most to promote digital signatures since well before the law was passed, and now some of the companies issuing smart cards are making the technology available to consumers.

American Express Co. was first out of the gate with its digital certificate-carrying Blue card, and FleetBoston Financial Corp. has put them on its chip-bearing Fusion cards.

So far, there are limited uses for the digital certificates on both products, but the companies are planning for a day when consumers use the technology as a matter of course to authenticate Internet transactions - from the purchase of goods and services to the transmission of legal documents and other private information.

While the vast majority of banks have not made public any plans to deploy digital certificates, vendors that hope to profit from the anticipated digital shift are not wasting any time. Barely a day goes by without some sort of certificate-related announcement from a company specializing in online security.

While most merchants, banks, and consumers are for the most part indifferent, technology companies and government officials are eager to get certificates issued and to bring to market applications that will allow merchants and others to accept the certificates for online transactions.

Within the vendor community, there is broad agreement that financial institutions must be the ones to offer and promote digital signatures.

"The key is not technology, it is trust," said Andrew Morbitzer, vice president of marketing for Baltimore Technologies PLC, which develops software for safeguarding digital certificates. "We naturally trust whoever manages our money. If card issuers move first, that may help build momentum for smart cards."

Financial institutions are already charged with securing their customers' personal information and signature templates. At their core, say industry insiders, digital signatures are just a high-tech version of the pen-and-ink signatures banks have safeguarded for years.

Digital signatures are created using cryptography software called public key infrastructure, or PKI. An issuer uses PKI software to place a digital certificate on a cardholder's chip. The certificate is divided into two parts, called a public key and a private key. The private key is kept secret, stored only on the chip in the card, and is usually unlocked by an access code. The public key is shared freely, as others must have it to authenticate the cardholder's signature.

To affix a signature on an electronic document, the cardholder places the card in a card reader, and enters the correct access code, which causes the private key to transmit an encrypted signature to the document's holder. Later, anyone can authenticate the signature using the public key to decrypt the signature and prove that it came from the cardholder.

However, these signature exchanges need further protection. First, someone must take responsibility for thoroughly identifying the individual before issuing the digital certificate. Second, because public keys are freely available, care must be taken to make sure imposters do not get hold of them and hijack messages encoded for legitimate cardholders. Mr. Morbitzer and others say credit card issuers working in concert with payment processors will probably oversee the exchanges.

The government is interested in the technology because it wants to reduce costs by letting citizens conduct business with various agencies online, which can only happen if Uncle Sam is assured, by means of certificate and digital signature, that the transactions are authentic. For the technology companies, of course, there is a blend of philosophical zeal and profit motive.

First Data Corp. of Atlanta was the first merchant processor to announce it would offer digital certificate authentication. Its partner in offering the product is Dublin-based Baltimore Technologies, a certificate authority. First Data will provide the connection to Baltimore Technology servers, which will verify a certificate's authenticity. The vendors say they that together, they can generate and validate digital certificates on smart cards for companies that issue the cards.

Baltimore Technologies already manages the digital certificates embedded on every American Express Blue card and every FleetBoston Fusion card. A Baltimore spokeswoman says there will be more announcements by issuers introducing the chip cards.

Because the system of certificates and signatures is considered safer than the type of security technology used today, industry analysts say smart cards with certificates attached to them can be used to conduct many transactions that still require face-to-face contact and a signature on paper.

"PKI is valuable because it is additive," said Victor S. Wheatman, vice president and research director at GartnerGroup Inc., the electronic commerce consulting firm in Stamford, Conn. "It can be used for more than one thing. If Fleet has additional services and then can add in electronic signatures and encryption, then you start to get there."

Jay H. Lee, senior vice president of e-business strategic development at Fleet Credit Card Services, said his company has big plans for the technology. "The digital certificate validates who you are - it says Jay is who he says he is," Mr. Lee said. "For retail customers, it is likely to be used to authenticate purchases, and it can move into higher-end financial transactions."

Mr. Lee said brokerage customers would be able to use their digital certificates to authenticate themselves when buying or selling stock. Mortgage applicants could use them to sign legal documents online and avoid a trip to the broker's office.

"We are in a unique position to offer people a credential to validate they are who they say they are," Mr. Lee said. Merchants will conclude, "if Fleet says so, I will accept it."

Mr. Lee cautioned that these types of applications are not likely to appear immediately. "Right now, we are simply viewing Fusion as an alternate method to access information," he said. Eventually, he said, Fleet customers may be able to instruct Fleet to block online access to their accounts unless the chip card is presented.

Currently the Fusion card, like Blue, uses its digital certificate to authenticate customers who wish to access a digital wallet stored on the issuer's servers. The FleetBoston subsidiary says it will issue a business version of the Fusion card in December. American Express will not comment on any planned uses for its digital certificate, according to a spokeswoman.

Eventually, Fleet will allow partner companies to offer Fleet cardholders services that require a certificate-bearing chip card. "We will share the chip," Mr. Lee said. Potential partners he named include airlines, which could use the chip for electronic ticketing, and transit agencies, which could let commuters store fare value on the cards.

"It is brilliant for them" to allow other entities to use the certificate, said Mr. Morbitzer of Baltimore Technology. "Fleet gains this invisible but strong power when people start to depend on a certificate managed by Fleet, even if Fleet is not a party. Their brand gets more powerful."

Mr. Lee said these types of arrangements will take time, because consumers still are not accustomed to chip cards. Research shows that great numbers of the people who have signed up for the new smart cards are not using the chip. Fleet aims to use its early-adopter status to gain an advantage when applications for the digital certificates begin to emerge, Mr. Lee said.

"We are trying to get a large number of smart cards into the market," said Tom Johnson, vice president of e-business at Fleet, who compared the growth of smart card acceptance to the growth of consumer acceptance of automatic teller machines. "The first step is to get the cards into consumers' hands, then merchants' interest will begin to grow.

"Banks will issue smart cards first, because we have the Internet where you can begin to use it," Mr. Johnson said. "As more smart cards get out there, you will see clicks-and-mortar companies begin to put terminals out."

After some failed starts using chips for stored value, and unfilled promises of launching multi-application chip cards, digital certificates may offer card issuers another chance to prove that chip cards are useful, said Theodore Iacobuzio, a senior analyst with TowerGroup, a Needham, Mass., research firm.

"With a digital certificate, merchants can positively authenticate the consumer," he said. "Does that amount to enough of a business case in for a smart card rollout in the United States? I don't know."

Online merchants will probably embrace the idea of digital certificates, though consumers may require discounts or special bonuses to be persuaded to use them at first.

Providian Financial Corp., and First USA say that for now, they will not put digital certificates on their new smart Visa cards. But spokespeople for both companies say they plan to place the certificates on chips in the future. For now the First USA chip card is used to store cardholder information, such as Web site passwords and shipping addresses for merchant sites. Providian says it will announce programs for its chip card soon.

Tommy Petrogiannis, president of Silanis Technology Inc., a Montreal company providing software for merchants and financial institutions that want to accept digital certificates for authentication, said that applications for the certificates are coming. Credit card issuers want to find ways to "get beyond simple merchant transactions and into higher-value transactions," he said.

Mr. Petrogiannis said that card companies see particular value for digital certificates in business-to-business transactions. "Think of paper-based applications from purchase orders to leases," he said. "We focus on automating those processes in finance, insurance, government, and Department of Defense" applications.

Digital certificates could allow such transactions to take place over the Internet and take the place of letters of credit and other paper documents, Mr. Petrogiannis said. These capabilities probably will not emerge until late 2001.

"There is a lot of smoke," he said. "I don't know if there will be a lot of fire."


From Our Archive:

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER