Copyright violations
Happy New Year.
Associated Press: Monday, December 23, 1996
Three Credit Card Firms Seek To Promote Internet Shopping
Three credit card companies on Monday announced an agreement on chip
card standards in an effort to promote shopping on the Internet.
Europay International, MasterCard International and Visa International
said in a statement that they'll integrate in chip bank cards a
technology developed for safe electronic payments.
The agreement is based on the Europay-MasterCard-Visa specification,
which established the financial industry's first global chip card
payment infrastructure, and on MasterCard and Visa's Secure Electronic
Transactions specification for magnetic stripe-based card transactions.
Guido Heyns, director of 'smart card' development at Europay
International, said in the statement that the Belgium-based company
believes chip cards are the most secure and consumer-friendly solution
for making payments on the Internet.
Steve Mott, senior vice president of MasterCard International, agreed.
'Consumers and merchants want to conduct transactions over the Internet
in a safe manner. By integrating chip and electronic commerce
technologies, we are offering them the opportunity to do so as quickly
and practically as possible.'
An open comment period on the new standard will begin in the third
quarter of 1997, according to the statement.
American Banker: Monday, December 23, 1996
As the Technology Advances, Security Debate Still Rages
By JEFFREY KUTLER
In one of the more startling public statements by a banker in 1996,
Citicorp chairman John Reed said it would take two generations -- 50 to
70 years -- for on-line electronic banking to gain full public
acceptance.
Taken out of context, his remarks to a Treasury Department conference on
electronic money sounded like an invitation to complacency, or a dose of
disinformation from one of the world's more aggressive purveyors of
electronic financial services.
But Mr. Reed chose his words carefully, citing a lesson learned from his
30-plus years at Citicorp: Banking markets, and society generally, take
time to change. He seemed to suggest that high-technology advocates can
become so enthralled with the elegance of their systems and convinced of
their viability that they overlook the most common of all constraints:
consumer behavior.
"Privacy and security are at the top of the list" of consumers'
concerns, the Citicorp chief executive said. "They won't deal with
anyone who doesn't give them assurance." While "some early innovators
will be your electronic banking customers," he said, "the average
consumer is not there yet and isn't going to be there" for some time.
"This is not a question of economics or efficiency. It is a question of
trust. The consumer will have to trust you. The Internet is
fundamentally flawed in that regard."
Essentially alone among the major U.S. banking organizations, Citicorp
has been openly wary of Internet security and refrained from joining the
rush to interactive banking and monetary transactions via the World Wide
Web. Mr. Reed and his senior technology officer, Colin Crook, have
publicly expressed interest in and enthusiasm for the Web but not yet
for transactional purposes.
When Mr. Reed was asked during the Treasury conference in September when
Citi would offer Internet banking, he replied, "Not until it's secure."
"There is no absolute security," said Mr. Crook, perhaps the only banker
raising concerns about an "information warfare" attack on the banking
system. "It is a risk management issue."
The Citibankers contend the risks of cyberspace are fundamentally
different from those in other payment systems, and have yet to be
addressed.
"Security will be more demanding than even the government itself is used
to," Mr. Crook said at the Treasury meeting
serves more customers via personal computer than any other, through
conventional dial-up connections and with software it developed more
than a decade ago.
Citibank also has placed a bet on a digital currency for on-line
transactions, the invention of one of its own vice presidents, Sholom
Rosen. The bank claims it will be more secure than competing
alternatives like Cybercash Inc.'s Cybercoins, Digicash Inc.'s Ecash,
and the Mondex smart-card-based system.
Putting considerable prestige and intellectual firepower behind its
cautionary principles, and behind the notion that the issuing of
electronic currency should be reserved for regulated financial
institutions, Citicorp has kept alive a debate that is likely to resound
for months if not years in public policy circles, with effects not just
on the battle for technical and competitive superiority but on the very
consumer behavior Mr. Reed is trying to gauge.
Consider some recent twists and turns: The U.S. government continues to
struggle toward a policy on data encryption, the technology crucial to
on-line transaction security, that would be agreeable to the high-tech
community while addressing national security and law enforcement
concerns.
A May 1996 report by the National Research Council of the National
Academy of Sciences -- Citicorp participated in and vocally endorsed the
study -- criticized the government for being backward with its
restrictions on encryption, particularly regarding its export. (See
related article on page 14A.)
Hewlett-Packard Co. in November announced its International Cryptography
Framework, the first "strong encryption" method to get U.S. export
clearance. While the framework is adaptable to various and changing
government policies, it did not fully resolve the controversial issue of
access to encryption keys.
An information security team at the National Security Agency produced a
monograph (excerpted at left) critical of the degree of anonymity built
into Digicash's Ecash. The NSA, of course, is part of the establishment
attacked in the National Research Council report.
Digicash and Mondex, which is being taken over by MasterCard
International, continually trade charges about their degrees of
anonymity and security. Both sell anonymity of payments as a necessary
analogue to cash. In that Digicash's anonymity appears more absolute, it
may raise more governmental concerns. But Digicash, the brainchild of
the renowned cryptologist David Chaum, accuses Mondex of not being "true
electronic cash."
First Virtual Holdings Inc., an Internet payment pioneer, does not trust
Web security; its transaction data flow instead over private E-mail. By
contrast, Cybercash Inc. chairman William Melton is so confident of the
available technology that he tells bankers: "Security is essentially
done. Just tell your customers, 'Don't worry, we'll take care of it.' "
(He is more worried about privacy as a political flashpoint.)
Enter the central banks of the Group of 10 industrialized countries, the
constituents of the Bank for International Settlements in Basel,
Switzerland. This august global regulatory body has signed off on a
moderate, largely laissez-faire approach to the electronic evolution of
money.
A task force empaneled by the G-10's payment and settlement systems
committee, which is headed by Federal Reserve Bank of New York president
William McDonough, spelled out its conclusions in a 64-page booklet,
"Security of Electronic Money," dated August 1996.
The task force was generally impressed by existing security
capabilities, particularly those incorporating hardware components like
smart cards. The report took the eight-member task force less than a
year to complete.
Chairman Israel Sendrovic, the New York Fed's executive vice president
of automation and systems services, asserts that this was no rush to
judgment. He personally did due diligence on all of what he calls "the
usual suspects" -- the electronic money schemes not mentioned by name in
his report (but presumably in this article).
In a recent interview, Mr. Sendrovic stressed that there are no
absolutes. "There is no such thing as one secure measure," he said.
"It's a combination of measures, and the combination of measures changes
the risk management of an attack."
His measured response to a lot of questions -- pertaining to money
laundering or the market potential of electronic currency and how it is
to be regulated -- was, "It depends." He did say, in response to the
recent flurry of questions about smart card security emanating from
Bellcore and other research laboratories, that the cards were advertised
as "tamper-resistant, not tamper-proof."
Mr. Sendrovic said his panel has disbanded, satisfied with its work and
having gotten positive feedback. "Then again, it didn't break new
ground," he said. "Remember, it was designed not for the cognoscenti but
for the Group of 10 governors.
"We stay in close touch and follow these things," he said of the task
force, adding that it may have cause to renew its inquiry in a year or
two. Though the task force acknowledged "comprehensive security risk
assessments of the entire system" are still lacking, it said they are
within reach.
And its words lacked the alarm or urgency of, say, the Citicorp
contingent. Sholom Rosen, inventor of Citibank's Electronic Monetary
System, characterized the risks as "very high" and not yet fully
analyzed. Digital cash gains legitimacy when it
is interchangeable with other forms of money, he said, but its
interactions with those systems -- how an attack on one mechanism would
affect others -- must be studied.
And he said he believes the answers do not lie in technology alone but
in the fundamentals of the "three pillars of security" -- prevention,
detection, and containment. Where Mr. Rosen sees enormous hazard, Mr.
Sendrovic retains faith in barriers to entry, as might be expected of
someone who has worked with the dependable Fed Wire for many years.
To be legitimate, electronic money "has to be cleared," he said. "At some
point it has to get into the payment system." Is "the payment system" at
risk of infection from the new forms of money? Based on what we know so
far, it depends.
ABA Banking Journal, 12/96
SMART CARDS POSE TAX PROBLEM FOR MERCHANTS
A consensus is emerging that the success of smart cards hinges at least
as much on merchants accepting them as on consumer acceptance. Increased
tax liability is one reason for merchants' muted enthusiasm -- besides
the fact that merchants are the only ones so far being asked to pay for
using smart cards. "There's a resistance to forms of payment besides
cash," said Bruce Brittain, whose firm Brittain Associates, Inc., polled
merchants that participated in the smart card test during the 1996 Summer
Olympics in Atlanta. Some merchants admitted to understating their cash
receipts so as to reduce their tax burden, he said. (Smart cards leave an
electronic audit trail by recording deductions in card value each time
merchandise is purchased.) On the flip side, franchisors may push for
the adoption of smart cards in their stores, since some Atlanta operators
told Brittain, "We want to collect more fees from our franchisees." (The
franchisor's cut of the receipts will be reduced if the franchisee
understates his receipts.) Other sources said they heard the same thing.
The wish to underreport receipts may pose a greater obstacle to smart
cards when they undergo their next major test in New York City next year,
because more "Mom and Pop" stores will be participating, Mr. Brittain
said.