Electronic commerce on the net

Published Thursday, 25 July 1996 5:20PM CST in Internet


Hold on to your virtual wallets: secure electronic commerce on the Internet—long promised but never quite delivered—is suddenly a lot closer to being real. IBM, MasterCard, Microsoft, and Visa have formed an alliance to support a new standard for providing secure transactions over the Internet. The new standard, Secure Electronic Transactions (SET), is based on public-key cryptography and digitally signed electronic certificates issued by credit card companies and banks. Customers will send these certificates to merchants, who will use them to authorize the transaction with the credit card company or bank. Microsoft, lately quick on the trigger, has announced that it will build digital signature technology into its MS-Windows operating system.

Most of us think nothing of handing a credit card over to a merchant in the physical world, but hesitate to do the same in the virtual world. This is something I’ve never quite understood, and I’ve chalked it up mostly to the resistance to commercialization inherent in the Internet culture. Another part of the problem is related to the difficulty Net-based businesses experience in dealing with credit card companies and banks to obtain a merchant account. Add to the mix the historical lack of support for new electronic commerce technology by merchants, credit card companies, and the banks, and it’s no surprise that Internet-based commerce has been mostly ignored.

All of this is changing rapidly, of course. A Forrester Research study on Internet-based commerce reports revenue from online transactions has grown from US$240 million in 1994 to US$350 million in 1995. Forrester projects that worldwide online transaction revenue will reach US$6.9 billion by 2000.

In order to be truly successful through worldwide implementation, electronic commerce on the Net must be available to users in two basic forms:

  • A mechanism to support non-anonymous transactions; similar in scope to those transactions for which we use checks, debit cards, and credit cards in the physical world.
  • A mechanism to support anonymous transactions; similar in scope to those transactions for which we use cash in the physical world.

There are two emerging leaders that will likely provide the foundations for both forms of electronic commerce. Both of the leading systems are based on public-key cryptography and digital signatures.

Public-key cryptography is, simply put, a method by which two mathematically related keys—one public and one private—are generated. An electronic message locked with one key can be unlocked only with the other key. Think of it as better living through mathematics. Public keys are distributed far and wide; private keys are kept secret. If you use someone else’s public key to encrypt a message, only that person can decrypt and read it. Similarly, people use your public key to encrypt messages meant only for you. You use your private key to decrypt messages that have been encrypted with your public key.

Digital signatures are used when you need to make sure that any change to the contents of a message can be detected, but don’t necessarily need the contents of the message to be encrypted. Digital signatures can be used in electronic commerce to verify the authenticity of a transaction.

VeriFone

If you’ve used a credit card in the last couple of years, you know who VeriFone is even if you’ve never heard of it. Those little grey boxes with the keypad and LED display that the stores swipe your credit card through? That’s VeriFone. And VeriFone intends to have as big an impact on commerce in cyberspace as it does in physical reality. The company’s SET-based software—vWALLET, vPOS, and vGATE—has gained support from both MasterCard and Visa as well as Wells Fargo Bank.

Using the VeriFone system, when a user purchases an item on a Web page with a credit card, the transaction is initiated by the vWALLET software, which communicates securely with the vPOS software on the Web host.

The vPOS software then sends the encrypted transaction information electronically to the vGATE software on a secure VeriFone host in Menlo Park, Calif. The transaction is decrypted and verified and the verification information is encrypted and returned to the vPOS software on the Web host.

The transaction is completed with a transfer of the information from the vPOS software on the Web host to the vWALLET software on the customer’s computer.

All of this happens in less than a second. The entire VeriFone software suite is scheduled for release in the third quarter. Pricing for VeriFone’s vPOS software is set at US$1,500 per license, but it’s unclear if that price is per server or per location. Pricing for the vWALLET software hasn’t been announced, but I’ll be shocked if it’s not distributed freely over the Internet with vPOS licensees footing the bill for generating and issuing each user’s unique cryptographic key pair.

DigiCash

There are times when only cash will do. Don’t think so? Try this example. Maybe you want to purchase a book or a couple of magazines, but you don’t want to be (a) identified as having made the purchase and/or (b) inundated with unsolicited email from the merchant offering news of sales on similar merchandise. And then there are relatively small transactions—the mythical Internet micro-transactions, like buying a single article—that will presumably take place on a regular basis in the future. Electronic cash has to be untraceable, and so long as a customer can unequivocally prove that she did or did not make a particular payment, without disclosing any other details about the transaction, no one should have a problem with anonymous transactions.

The leading vendor of software for conducting anonymous transactions on the Net is, and will likely continue to be, DigiCash. DigiCash’s electronic cash system, ecash, is based on public-key cryptography and digital signatures and is available for MS-Windows, UNIX, and Macintosh users.

When the ecash program is launched, it runs in the background. A palette that provides a continuously updated display showing the amount of money remaining in the account and a toolbar used to access transaction functions is always available on the desktop. Money can be deposited and withdrawn to and from the ecash account in a manner similar to an Automatic Teller Machine (ATM). Ecash payments are made either when a request for payment is received or when the user initiates a payment transaction. Similarly, ecash can be received from anyone else using the ecash system.

All transactions—withdrawal, deposit, payment, and receipt—are individually logged on the user’s computer, providing a private record of all ecash spent and received. Thanks to the mathematical wonders of strong public-key cryptography, all transactions are both secure and private. The bank that issues ecash knows only that a withdrawal from the user’s bank account has taken place. While the ecash is serialized to prevent it from being spent more than once, it contains a “blind signature” so there is no way to tie an ecash serial number to any individual.
