Building Trust in Electronic Commerce (1997)

by Jack Mardack
Published in Credit World, July, 1997
Introduction
According to analyst predictions, the volume of purchases made electronically over the Internet will expand from $131 million in 1995 to as much as $600 billion by the year 2000, accounting for approximately 8% of all retail purchases worldwide. As companies of all sizes and in all industries gear up to do business on the Internet, technology leaders worldwide are working together to build the requisite electronic commerce infrastructure — this infrastructure spans everything from the networking technologies that will tie businesses together, to the software applications that will permit them to engage each other in commerce. While making electronic commerce a reality has posed an assortment of technological challenges, the issue of transaction security has received the most public attention. Both businesses and consumers have held it up as their most serious concern. The fear of hackers and fraud and financial exposure has taken a measurable toll. But the security challenge has also been the focus of the most innovative and creative inter-industry collaboration. Leaders in the technology, financial and credit card industries have spent the last several years creating the critical security component of the electronic commerce equation.
The Issue of Security
The mainstream acceptance of online shopping hinges on convincing consumers and merchants that the Internet is secure. This is a logical next step, now that many individuals and businesses have acknowledged the value of the Internet as a personal tool or as a means to pursue new business opportunities. As sudden as the Internet’s rise to popularity was, it still followed the same cycle of assimilation as any other “brand new” technology before it, albeit a dramatically abbreviated cycle. While many early adopters were quick to investigate the Internet phenomenon, there were others who waited. Likewise today, there are people who use the Internet every day, but who still do not choose to conduct their most critical personal transactions online. There are also companies that are reluctant to evolve their purely informational Web sites to the next level — commerce enablement. Security is the linchpin for both.
Answering the Challenge: Trust + Technology
For industry leaders, such as IBM, who have championed electronic commerce, the security challenge is being tackled in two ways: 1) developing new technologies and 2) communicating a message of trust. On one hand, shoppers and merchants must be assured that it’s safe to conduct transactions online. On the other, the technologies and products needed to make good on that promise must be created and brought to market. Arguably, the more difficult of these two tasks has already been achieved. Thanks to IBM and others, businesses now have the technology tools they need to conduct secure electronic commerce. And to ensure that these electronic commerce products from different manufacturers work smoothly for customers all over the world, a powerful, new online security standard has been developed.
Matching Companies with Solutions
Whether you are a fairly small, technologically unsophisticated company, for whom a user-friendly out-of-the-box e-commerce solution is most appropriate, or a large corporation with an extensive IT infrastructure, the most sensible approach is evolutionary rather than revolutionary. IBM advocates an incremental approach to electronic commerce technology, so that the investments a small company makes today are not wasted when it wishes to grow tomorrow. And likewise, the IT investments a larger company may have made yesterday should be put to work today. Where possible, any existing back-end, inventory management or customer data systems should be salvaged and worked into the total electronic commerce solution. And for small businesses with little or no IT structure to build on, entry-level systems permit them to start simple and grow fast. Small companies can begin by setting up a Web site to advertise their brands, then move quickly to more advanced electronic commerce applications for connecting with suppliers and vendors over intranets and extranets, and ultimately move on to selling over the Internet using secure e-commerce technologies. The idea is to match a company with a solution that is appropriate to that company’s size, its industry, its level of technological sophistication and its specific e-commerce goals.
SET: The Glue that Holds Secure E-Commerce Together
Providing businesses with the tools they need is only part of the answer. To provide truly universal transaction security, there was a need to develop a unifying standard. Worldwide and multi-industry efforts to bring mission-critical security to online transactions have come to fruition in the Secure Electronic Transaction (SET) standard. SET was developed specifically to make the electronic commerce infrastructure as secure as possible, while ensuring maximum interoperability between the various parties involved in a typical commercial transaction.
Authored by Mastercard and Visa, with the assistance of a number of technology industry partners including IBM, SET is an open standard, multi-party protocol for conducting secure bank card payments over open networks, such as the Internet. Current security protocols, such as Secure Sockets Layer (SSL), reduce the risk of credit card information being intercepted, but they do not authenticate the cardholder, merchants or banks involved. Neither does SSL provide for digital signing of credit card purchases. SSL and similar protocols do not protect users from on-line fraud, such as Internet sites specifically set up to obtain credit card numbers for illegal purposes. Nor does SSL prevent stolen, expired or otherwise invalid cards from being used. An honest shopper may securely send his credit card number to a fraudulent merchant, just as a legitimate merchant may receive a stolen number from a thief. In the absence of face-to-face certainty, SET permits the parties involved in a transaction to verify each other’s identity.
SET uses digital certificates to perform all this identity checking. Each authorized party in a transaction receives a digital certificate, which is unique, like a fingerprint. When a shopper decides that he wishes to make a purchase, the online store’s merchant server software will communicate with the shopper’s computer to see if there is a SET-enabled wallet available. If there is, the wallet will open and present the shopper with a selection of payment methods. Ultimately, this will include various types of electronic money, checks, etc., in addition to credit and debit cards. The shopper’s wallet will then send the payment card information to the merchant in encrypted form, as well as a digital certificate, which establishes the validity of the account number for that cardholder. The merchant’s system will receive both the certificate and the encrypted card information. If the certificate is confirmed to be valid (by an external certificate authority), then the transaction goes on to the next step. The merchant, however, never has access to the card information. The process of exchanging digital certificates is repeated between the merchant and his acquiring bank, then again between the acquiring bank and the cardholder’s issuing bank. Other than the cardholder, only the issuing bank has access to the card number, to determine account status, credit limit, etc. If the account is in good standing and has enough purchasing power, then the purchase is approved. If not, then it is declined.
The mechanics of this multi-step operation are transparent, simple and quick. Because the verification/authentication of parties in a SET transaction is an automatic “online” process, more security means more convenience. Unlike SSL, which requires that the merchant go “offline” to transmit a consumer’s card information to the acquirer, SET executes the 3-way exchange instantaneously, providing the shopper with immediate confirmation that his purchase has been approved. This process is actually faster on the Internet than its physical world counterpart. So, by virtue of the security and convenience it provides, SET has succeeded in its basic aim — to make the use of payment cards on the Internet safer and easier than using them in the physical world.
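How a merchant can check a purchase without ever seeing the card data, as an added example that is not part of the original article: it sketches SET's dual signature, a detail of the standard that goes beyond what the article spells out. The toy RSA key, the use of SHA-256, and the sample order and payment strings are assumptions made for illustration; encryption of the payment data and certificate validation are left out.

```python
import hashlib

# Toy RSA key for the cardholder, built from two Mersenne primes.
# Constructed stand-in for a certified signing key: unpadded and NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the wallet


def h(data: bytes) -> bytes:
    """Message digest (SHA-256 here as an assumption)."""
    return hashlib.sha256(data).digest()


def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Cardholder wallet: sign H(H(PI) || H(OI)), binding order and payment."""
    digest = h(h(payment_info) + h(order_info))
    return pow(int.from_bytes(digest, "big"), D, N)


def _sig_matches(sig: int, pimd: bytes, oimd: bytes) -> bool:
    # Recover the signed value with the public key and compare digests.
    return pow(sig, E, N) == int.from_bytes(h(pimd + oimd), "big")


def merchant_verify(order_info: bytes, pimd: bytes, sig: int) -> bool:
    """Merchant holds the order in clear and only a digest of the payment data."""
    return _sig_matches(sig, pimd, h(order_info))


def bank_verify(payment_info: bytes, oimd: bytes, sig: int) -> bool:
    """Payment side holds the card data in clear and only a digest of the order."""
    return _sig_matches(sig, h(payment_info), oimd)


# Constructed sample messages; the card number is a common test value.
OI = b"order=1001;item=modem;total=129.00 USD"
PI = b"pan=4111111111111111;exp=12/99;total=129.00 USD"
SIG = dual_sign(OI, PI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, h(PI), SIG))
    print("bank accepts:", bank_verify(PI, h(OI), SIG))
    tampered = OI.replace(b"129", b"1")
    print("tampered order accepted:", merchant_verify(tampered, h(PI), SIG))
```

The merchant's check takes only `h(PI)`, so the signature ties the order to one specific payment instruction without the card number ever reaching the merchant's code path.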
Sending a Message of Trust
For all its technological success, the SET standard would fail if only its authors knew how well it works. The merchants and shoppers who will put their faith in SET must base that faith on something more than technical details. Even the most robust and secure system will go unused if people don’t feel comfortable — if they don’t trust it. But where does that trust seem to reside naturally? To whom do people give their most sensitive financial and personal information with practically no concern? To banks, credit card companies and other financial institutions. Mastercard and Visa were the first such institutions to link their names to the SET initiative. It has been their support of SET, and that of leaders in the technology industry, which has won the endorsement of financial institutions all over the world. IBM has worked on ground-breaking SET pilots with a number of these, including: Chase Manhattan Bank, Mellon Bank, Amalgamated Banks of South Africa, Danish Payment Systems, Inter Europa Bank (Hungary), Banesto (Spain), Visa Finland and Banco do Brasil. The endorsement of these organizations is an essential part of SET’s success. Not only does it contribute the validation and reassurance that shoppers and merchants require, but it also ensures that the existing financial infrastructure will work with all these new electronic commerce technologies. Technology providers, such as IBM, worked closely with the institutions that would ultimately become the processors, validators and executors of electronic commerce transactions to develop the technologies that bring to e-commerce the same reliability and security associated with traditional commerce transactions.
Conclusion
Even the earliest steps toward electronic commerce made it clear that no single technology provider could do it alone. The very scope of the effort needed to make electronic commerce successful requires contributions by leaders in many industries. In some cases, competitors are working side-by-side. Unprecedented alliances have been forged. Companies large and small are working together to make the various parts of the e-commerce whole come together cohesively. And we are succeeding. But not just by stringing network connections between consumers, merchants, banks and payment card processors. The technology is only a means to an end. What we’ve really done is make it possible for all these parties to interact in ways that are convenient, efficient and secure, in ways that make traditional commerce simply feel old-fashioned.