When it comes to introducing technology to consumers, "transparency" is a mantra for financial services companies. This means that the stuff should be easy for people to use - so easy that its mechanics are invisible to the average customer.
But so far at least two of this season's most talked-about financial services-related technologies - smart cards and digital signatures - are positively opaque. Judging from American Banker's frustrating and abortive efforts to execute transactions using either of these technologies, it seems likely that even the most committed consumer would have trouble getting these tools to work.
Most probably, financial transactions by wireless device fall into the same not-ready-for-prime-time category. Bankers are always lamenting how the screens on handheld contraptions are too small, and the available bandwidth too limited, to invite any but the most rudimentary transaction.
Technology has improved rapidly during the Internet era, so transparency may evolve. But before banks start promoting the security of chip cards and the legal weight of digital signatures in earnest, they must address the issue of user-friendliness or risk souring the public on what seem to be promising technologies.
To check out the technology products, American Banker tried to perform two tasks that seemed modest: buy something on the Internet using a smart card and sign a piece of e-mail using a digital signature.
Unfortunately, despite repeated calls to customer service and the best efforts of a news editor who writes about technology, neither goal was achieved, though perhaps the experience may offer some object lessons for bankers as they deploy these products.
EXPERIMENT NO. 1
Using a smart card
Back when smart cards were instruments of stored value, using them was simple: You handed one to a sales clerk who inserted it into a point of sale terminal, and the amount of your purchase was deducted from the dollar value stored on the chip. Though merchants found this a headache and consumers did not cotton to it, the process was, at the very least, fairly transparent.
Today smart cards have been repositioned as authentication tools for online commerce that can solve the problem of insecurity - or perceived insecurity - in Internet shopping. Smart cards are being issued by four U.S. card companies: American Express Co., Providian Financial Corp., FleetBoston Financial Corp., and the First USA division of Bank One Corp.
The smart cards on the market today are normal magnetic-stripe credit cards but with microprocessor chips added. Theoretically, when used in conjunction with a smart card reader, some downloaded software, and a willing merchant, these cards can do online transactions in a more secure fashion than when someone simply types in an account number on an online order form.
But anecdotal evidence and surveys say few people are even aware of the enhanced functions of the chip cards, let alone using them.
The American Express Blue card has been on the market the longest, and this is the product American Banker tried to use. After being approved for the card, we went to the Amex Web site to get the free card reader (which can only be ordered after the card arrives), only to be confronted with several potentially stymieing questions, such as whether we preferred a reader that attached to the USB port (universal serial bus) or parallel port.
Since this was for an office computer, the technology support staff was nearby and advised using the USB port.
When the reader came, it was cute. We imagined it would look like an ungainly pencil sharpener with a card-shaped slot, but instead it looked more like a sleek plastic vest pocket. It plugged easily into the USB port and came with a handy adhesive attachment to hold it to the computer base. A small green light blinked reassuringly at the top of the reader, as if to say, "OK - I'm working."
A CD-ROM that accompanied the reader walked us through the software installation. Several times we hit dead ends and needed to reload and reboot our computer, but eventually the digital wallet seemed to be configured, and a little blue icon that said "AE" nestled comfortably on the on-screen toolbar.
After browsing a list of online merchants that accept Blue, we opted to buy a book from an online bookseller. While American Express has pages of Web sites that are meant to explain how to use Blue, it still seemed a bit murky, so we called the customer service number that came with the smart card reader brochure, 1-888-BLUE-741. A service representative swiftly referred us to a different '800' number.
Instead of making the second call, we decided to go to the merchant's Web site and start shopping. After proceeding to the checkout area, we put the Blue card in the reader and clicked the AE icon. After some trial and error, we were able to get the digital wallet to fill in the merchant shipping form, though it would have been much faster to do so manually.
Then it was time to pay, and the Web site asked for the credit card type, number, and expiration date. Unfortunately, nothing in the American Express software seemed to generate that information, so after clicking on everything we could find, we threw in the towel and called the second '800' number.
The representative who took the call had difficulty understanding the problem, so she passed it to a colleague, Linda. She told us that at many Web sites, Blue card users must punch in their account numbers manually. Doesn't this defeat the purpose of getting a reader and a smart card, we asked? Well, Linda said, it's a policy set by the merchants, and American Express cannot control it.
We asked: If we're still typing in our account numbers and sending them online, how is the chip card transaction more secure? Linda assured us it was: "It's more secure because you're in a secure area."
When asked how we could tell that we were in a secure area, Linda said that the light on top of the reader would be green continuously, not flashing, whenever the card was in it. Unfortunately, our card was in the reader, but the green light was flashing, not steady. "You may have to do a reader diagnostic," Linda advised. "Just follow the directions for doing that."
EXPERIMENT NO. 2
Using a digital signature
Last year, when the E-Sign law took effect, it was a happy day at Digital Signature Trust Co., the Zions Bancorp subsidiary that sells certificate technology to banks and other companies. Once a customer has a digital certificate (which authenticates their identity), he or she can use the digital signature linked to that certificate to sign legally binding documents such as closing papers for loans.
The federal government, which wants to save money by doing business with citizens online, is hoping that certificates will take off. Banks, which want to be at the center of the Internet economy, are increasingly interested in issuing certificates to their customers.
To get a TrustID certificate from Digital Signature Trust, a person (or business) can visit its Web site (www.digsigtrust.com), and provide some basic personal information, including driver's license number, address, Social Security number, and so on. The cost is $24 for a certificate good for one year.
After an application is submitted, the company does a database check, much as a credit card firm would research a person who applied for credit. People whose certificates are approved get an e-mail confirmation, followed by a letter in the mail giving them instructions and an activation code.
The letter is a little difficult to follow. First, it says, you must retrieve your TrustID certificate, which you do by visiting the company's retrieval Web page and typing in your activation code and the passphrase you created during the initial application. You must use the same Web browser and computer you used to apply.
The letter also gives you an account number and asks you to keep it handy. This turns out to be good advice, since the customer-support area of the Web site does not quite explain how to translate your freshly downloaded digital certificate into something that can be used to affix a digital signature to an e-mail.
Happily, the customer service folks at Digital Signature Trust are cheerful, eager to troubleshoot, and more knowledgeable-sounding than the people at American Express. "Did you set up a personal cert or a business cert?" was the first question asked. "What kind of server do you use?"
The first patient representative we reached did his best to guide us in the manipulation of the certificate we thought we had downloaded. Sadly, the commands he saw on his screen were not the same ones we had on our screen. "I forgot how to work with such an old browser," he chuckled. Finally, job responsibilities forced us to abort the conversation.
Later, a second customer service representative was equally determined to get our certificate working. "The personal certificates are the S/MIME certificates," he said casually. "You need S/MIME appropriate for Outlook or Netscape, so we have to configure your incoming mail server. What you have to do is set up the mail client."
Again, our software was not the latest version, and the representative struggled to help. Midway through the conversation, he sent an e-mail with step-by-step instructions, but it did not apply to the program on our desktop. Though he would have continued experimenting, we decided at a certain point it was time to give up.
Though these experiences are not meant to indict the technologies or the companies proffering them, they do suggest a few lessons.
One is that the technology really should be as transparent as possible, or people are not going to use it or stick with it. Another is that banks that offer such newfangled products must be prepared to back them up with extremely sophisticated and comprehensive customer support channels - and must keep in mind that keeping such experts on hand in the call centers is costly.
Ideally, in a few years the kinks will be worked out, and smart cards and digital certificates will be in relatively widespread use. Until then, hang on to your checkbook and quill pen.
From Our Archive: