Entrust Inc.'s purchase of Business Signatures Corp. gives the buyer both the pieces it needs to offer banks a full suite of anti-fraud products, and gives another indication that consolidation is picking up in the banking security software market.
Entrust, long been known for its encryption technology, also offers authentication software that protects banking Web sites. Business Signatures complements that with software that monitors activities during online banking sessions.
Others, notably RSA Security Inc., are following a similar path. RSA, which itself is being sold, has acquired two vendors since December, adding both authentication and transaction-monitoring capabilities to its product line and transforming itself from a sideline player in the U.S. retail banking security market to a force.
Bill Conner, Entrust's president, chairman, and chief executive, said in an interview last week that banks were receptive to his company's authentication software, IdentityGuard, but "they needed something more."
Peter Relan, a co-founder of Business Signatures, has become Entrust's chief strategist and the president of its Business Signatures division. He said banks want vendors to provide software that addresses more than one area of consumer online banking security. Potential Entrust customers "were saying, 'Hey, where's the fraud-detection piece?' " Mr. Relan said.
Earlier this year the two companies began marketing their products together. Banks "loved it," Mr. Relan said. "It's doubled our sales pipeline."
Now that they have joined forces, Mr. Conner expects that momentum to build. "We want to disrupt the market," he said.
Entrust paid $50 million cash for Business Signatures - more than double Entrust's second-quarter revenue of $22.1 million. Its purchase of the Redwood City, Calif., company is expected to add about $3 million to $4 million to Entrust's revenue this year and about $10 million in the next 12 months. (Entrust, of Addison, Tex., announced the acquisition and its second-quarter results Thursday.)
Avivah Litan, a vice president and research director Gartner Inc. in Stamford, Conn., said the acquisition makes Entrust "one of the big players" in the banking security industry. "It's a really good thing for the market right now."
Banks want "a big, stable player," and "the problem with Business Signatures is they didn't have credibility and they didn't know the financial services sector," Ms. Litan said. "They needed to be purchased."
A year ago the banking security market was peppered with similar small vendors that offered effective products but lacked credibility. But banks are often wary of working with such providers. Entrust, which is publicly traded, is more reassuring to potential customers because they can get a good idea of its financial health. Now that it has a wider product line, Entrust is even more appealing, she said.
She expects more deals, with smaller vendors like Entrust and Business Signatures teaming up or being bought by larger companies such as RSA. "The security market over all is consolidating," Ms. Litan said. "Everything's up for grabs."
Overshadowing all of this is last October's mandate from the Federal Financial Institutions Examination Council instructing all banks to strengthen their online security by yearend. This has led to a surge in demand for security software, and companies like Entrust and RSA, which have software that banks can use to tackle fraud at several stages of an online banking session, are looking more attractive.
Consolidation in the banking security market is not happening in a vacuum; vendors serving other industries are just as eager to add security to their lineup. RSA, of Bedford, Mass., has agreed to be sold to EMC Corp., a data storage company based in Hopkinton, Mass. That deal expected to close this fall.
Storage and security are also considered a good marriage, because businesses want to know the data they store is safe. In July 2005 the security vendor Symantec Corp. of Cupertino, Calif., bought Veritas Software Corp., which makes storage software. In October, Symantec bought WholeSecurity Inc., an anti-virus software provider whose customers include TD Ameritrade Inc.
Symantec's rival, the anti-virus firm McAfee Inc. of Santa Clara, Calif., has also been building its offerings through acquisitions. Last month it bought Preventsys Inc., which sells software to corporations for risk management and security compliance reporting.
RSA's own acquisitions have made it one of the biggest names in financial security. Though it has been noted for its authentication technology, it has focused in the past on passcode-generating tokens. Though effective, tokens are considered too expensive to distribute to millions of retail customers, and only a few financial companies have done so.
To expand in the financial industry, RSA bought the New York-based Cyota Inc., which provides both transaction-monitoring and authentication software, in December. In April it bought PassMark Security Inc. of Menlo Park, Calif., which made authentication software and was developing transaction-monitoring capabilities similar to Cyota's.
Amir Orad, the vice president of marketing with RSA's consumer solutions division, said his company's decision to become an all-purpose provider of anti-fraud products long predates the Cyota deal, and will persist after the EMC deal closes and more rivals consolidate.
Creating a comprehensive product line, as RSA and Entrust have done, is necessary to attract customers. "Banks want to choose a strategic partner," Mr. Orad said. "They don't want another niche technology provider that will be changed, replaced, and added to every six months."
When RSA bought PassMark, it was quick to integrate PassMark's software with its own Adaptive Authentication product. The upgraded version was completed at the end of June, and a $50 billion financial institution is using it with its employees.
The decision over which product to use to combat online fraud "is not about the FFIEC," Mr. Orad said. "It is about the way you are going to protect your consumers in the next two, three, and four years. The FFIEC is only expediting those decisions."
Nico Popp, the vice president of authentication services for the online security provider VeriSign Inc., agrees that banks "are really looking for an authentication partner."
VeriSign is also trying to expand its product line through acquisition. In May it bought m-Qube Inc., which makes software that enables mobile phones to generate one-time passwords. And in February it bought Snapcentric Inc., which provides transaction-monitoring software.
The Snapcentric software became part of VeriSign Identity Protection, which VeriSign pairs with authentication products such as one-time password-generating tokens from Vasco Data Security International Inc. of Oakbrook Terrace, Ill.
Ariana-Michele Moore, an analyst at Celent LLC in Boston, said companies offering transaction-monitoring will probably draw buyers' attention. Makers of transaction-monitoring products include 41st Parameter Inc. of Scottsdale, Ariz.; iovation Inc. of Portland, Ore.; and Digital Envoy Inc. of Norcross, Ga.
"Financial institutions don't want to go to multiple vendors to complete their solution," Ms. Moore said, and though some have the ability to develop anti-fraud software in-house, most prefer not to. By buying from a third party, "you have a firm that's focused on staying on top of the fraud."
Smaller companies often create innovative products, but when it comes to acquiring customers they are usually at a disadvantage, Ms. Moore said. "You can look forward to some interesting spins on the market from these smaller companies," she said, "but I think the established companies have the upper hand."
