New Payment Systems Poised For Primetime

When selecting an appropriate payment option for your e-business, it's critical to understand what's happening behind the scenes with security and authentication mechanisms. As part of our special series on alternative payment solutions, Mark Merkow takes a look at SET to see where it stands today.
In her May 1, 2000 EC Tech Advisor article Alternative Payment Options: An Overview, Alexis Gutzman covered a myriad of options for e-commerce payments beyond the traditional Mail Order/Telephone Order (MOTO) model that's used with credit, debit, and charge cards today.

In collaboration with Alexis, I'll be reviewing some of these emerging e-payment options, especially as they relate to SmartCards and other strongly authenticated mechanisms, including Secure Electronic Transactions (SET), Europay, MasterCard, Visa (EMV) applications, and e-purse applications like MONDEX.

Reviews of these products require a good, common understanding of the technology being reviewed. Since neither SET nor EMV is intuitively obvious, it's critical to set the proper context so that you can compare apples to apples when you're selecting among the multitude of choices. In this segment, we'll begin with SET by dusting off the old SET specification, revisiting its past, and seeing where it stands today.

New Millennium, New Problems
Now that the heroic efforts needed to remediate the Y2K problem are more or less 20th Century history, the new horizon, especially for banks, is computer security. Few people need reminding of the Internet's inherent lack of security, and near-daily incidents of Internet abuse remain a thorn in the side of those wanting trusted e-commerce.

SET, the payment protocol published by Visa and MasterCard in 1997, is as revolutionary as credit cards themselves were back in the 1960s, and is slowly becoming just as pervasive. By making cyberspace a safer place to conduct business, SET is expected to boost consumer confidence in electronic commerce and save the banks a bundle in reduced fraud losses. SET focuses on three goals: keeping payment information confidential, ensuring message integrity, and authenticating all the parties to a transaction (the cardholder, the merchant, and the payment gateway that fronts for the acquiring bank).

SET opens the door to e-commerce, but at a price of its own: SET is complex, very complex in fact. It affects not only consumers and merchants but the entire Internet community, including private intranet users and especially B2B site operators. Unlike other efforts aimed at secure e-commerce (with SSL, only the merchant's server needs a certificate), SET requires the active involvement of every participant, and SET compliance takes work on everyone's part. SET is designed to address the security problems of credit card usage on the Internet; it adds message authentication to assure everyone involved that they are indeed dealing with the parties they think they're dealing with.

SET is a complex arrangement built on Public-Private Key (PPK) cryptography. In the SET 1.0 specification, RSA key pairs sign messages and wrap session keys, DES encrypts the bulk payment data, SHA-1 provides message digests, and a "dual signature" binds the cardholder's order information to the payment instructions while letting the merchant see only the order and the payment gateway see only the payment data.

Digital Certificates
Fundamental to its implementation, each party in a SET transaction requires a digital certificate that identifies its holder as the legitimate user of a bank card, credit card, or merchant account. These certificates contain the holder's public key as well as the account information and other data necessary to carry out a transaction. (A SET cardholder certificate does not carry the account number and expiration date in the clear; it carries a one-way hash of them combined with a secret value held by the cardholder's software, so the number cannot be read out of the certificate.) Digital certificates can serve as a stand-in for the actual plastic card. The public-private key pair behaves much like the signature on the back of the card that's used for comparison purposes.

Digital certificates are the electronic counterparts to driver's licenses, passports, or membership cards. You can present one electronically to prove your identity or your right to access information or services online. A digital certificate binds a person's identity to a pair of electronic keys that are used to encrypt and sign digital information, and it carries the signature of the certificate authority that issued it. These certificates are needed to verify someone's claim that they have the right to use a given key.

The X.509 Standard
The most widely accepted format for digital certificates is defined by the CCITT (now ITU-T) X.509 international standard; thus certificates can be read or written by any application complying with X.509. SET certificates are a profile of X.509 version 3 certificates, with SET-specific extensions, intended specifically for bank card, debit card, and charge card use.

How Do Digital Certificates Work?
Digital signatures employ public key cryptography, which requires two related keys: a public key and a private key. In PPK cryptography, the public key is made available to everyone who corresponds with the owner of the key pair. The public key can be used to verify a message signed with the private key, or to encrypt messages that can only be decrypted using the private key. You can think of the pair as two keys to one safe: whatever is locked with one key can only be opened with the other, and vice versa. The security of messages handled this way rests on the continued secrecy of the private key, which must be protected against unauthorized use; anyone who obtains it can sign and decrypt as its owner.
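As an added illustration of the two points above (SET's goals of confidentiality, integrity and party authentication, and the public/private key mechanics just described), here is a small Python program. It is not code from the original article and not SET reference software. It implements textbook RSA with fixed Mersenne primes and no padding (never do this for real keys; they are trivially factored), uses SHA-1 because SET 1.0 did, and stands in for SET's DES envelope by RSA-encrypting the payment instructions directly. The order and payment strings, the merchant name and the key sizes are all constructed for the example.

```python
"""Toy RSA signing/encryption, then a SET-style dual signature over order
information (OI) and payment instructions (PI).  Teaching code only."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int = (1 << 127) - 1, q: int = (1 << 521) - 1, e: int = 65537):
    """Toy RSA pair from two fixed primes (Mersenne primes: deterministic, offline,
    and utterly insecure).  65537 is coprime to (p-1)(q-1) for the primes used here."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return PublicKey(n, e), PrivateKey(n, d)


def digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()  # SET 1.0 specified SHA-1


def sign(priv: PrivateKey, data: bytes) -> int:
    """'Lock with the private key': raise the SHA-1 digest to the private exponent."""
    return pow(int.from_bytes(digest(data), "big"), priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """'Open with the public key': the signature must reproduce the digest."""
    return pow(sig, pub.e, pub.n) == int.from_bytes(digest(data), "big")


def encrypt(pub: PublicKey, plaintext: bytes) -> int:
    """Encrypt to the holder of the matching private key (raw RSA, no padding)."""
    m = int.from_bytes(plaintext, "big")
    if m >= pub.n:
        raise ValueError("plaintext too long for this toy key")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")  # drops leading NUL bytes


# --- SET dual signature ----------------------------------------------------
# The cardholder hashes OI and PI separately, concatenates the two digests and
# signs that.  The merchant receives OI in the clear plus only PIMD (the digest
# of PI); the payment gateway receives PI plus only OIMD.  Each side can check
# that the single signature covers both halves without seeing the other half.

def dual_sign(priv: PrivateKey, oi: bytes, pi: bytes) -> int:
    return sign(priv, digest(oi) + digest(pi))


def merchant_verify(card_pub: PublicKey, oi: bytes, pimd: bytes, ds: int) -> bool:
    return verify(card_pub, digest(oi) + pimd, ds)


def gateway_verify(card_pub: PublicKey, oimd: bytes, pi: bytes, ds: int) -> bool:
    return verify(card_pub, oimd + digest(pi), ds)


def run_purchase() -> dict:
    """One constructed purchase; returns what each party concluded."""
    card_pub, card_priv = make_keypair()
    gw_pub, gw_priv = make_keypair(p=(1 << 89) - 1, q=(1 << 607) - 1)

    oi = b"merchant=ACME order=1001 amount=49.95 USD"    # constructed sample
    pi = b"PAN=4111111111111111 exp=12/01 amount=49.95"  # constructed sample

    ds = dual_sign(card_priv, oi, pi)
    oimd, pimd = digest(oi), digest(pi)
    pi_envelope = encrypt(gw_pub, pi)  # the merchant forwards this but cannot open it

    merchant_ok = merchant_verify(card_pub, oi, pimd, ds)
    gateway_ok = gateway_verify(card_pub, oimd, decrypt(gw_priv, pi_envelope), ds)
    # Any change to OI after signing (here, the amount) breaks the check:
    tampered_ok = merchant_verify(card_pub, oi.replace(b"49.95", b"4.95"), pimd, ds)
    return {"merchant_ok": merchant_ok, "gateway_ok": gateway_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_purchase())
```

Run it with Python 3.8 or later. The `tampered_ok` result is the property SET actually sells: because the cardholder signs the hash of both digests, neither half of the transaction can be altered without the other party's check failing, and the merchant never holds the card number at all, only its digest.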

SmartCards (to be covered in later segments) are capable of providing the needed protection of private keys on the embedded microchip. The private key is protected by a Personal Identification Number (PIN) that's tied to one SmartCard and no other. The combination of the two is required to gain access; neither one is good enough on its own. Should your SmartCard be lost, there's little fear that someone else will impersonate you unless your PIN has also been compromised, since the card's retry counter locks it after a handful of wrong PIN attempts and the key never leaves the chip. As we're beginning to see, new services in the marketplace are increasingly relying on SmartCards for private key storage and PIN protection mechanisms.

