Even by today's inflated standards that is a huge sum. Visa and MasterCard recently agreed to this Gates- settlement payoff to settle a lawsuit brought by major retailers, including Walmart and Sears.
What does this have to do with information security? At first glance nothing, and yet in the longer run everything. I predict that this watershed event will finally usher in the age of micro-commerce, with serious implications for information security products and services firms.
First, some background on the forces behind the lawsuit. Everybody knows Visa and MasterCard, two of the most recognized brands in the world, thanks to their ingenious (and sometimes even funny) marketing efforts. For the consumer, whether in Bangkok or London or New Amsterdam, it means that "your credit is good" here, reducing friction in the economy and enabling consumers to rack up huge amounts of credit card debt. Behind the scenes there is a complicated infrastructure of member banks, card issuers and payment systems that is not really relevant except for the following: debit cards have grown increasingly popular in the card mix. Although their usage still pales beside credit cards ($480 billion vs. $1.2 trillion), they are growing much faster (24 percent vs. 7 percent).
Debit cards differ from credit cards in two major ways. First, the funds are deducted (hence the name) directly from an associated bank account instead of being loaned to the consumer. Second, their transactions should cost much less to process: 0.09 percent of, say, a $100 transaction, vs. 1.49 percent for credit cards. The reason is that debit cards use PINs instead of signatures for authentication, which results in a completely automated (and paperless) transaction system. I say 'should' because that was the crux of the lawsuit. Visa and MasterCard were requiring merchants to route both debit and credit cards through their payment system, and charging the same higher processing rate for debit cards as if they were credit cards.
With the settlement, retailers will now be able to process debit cards through alternative payment systems like Star (www.star.com), Pulse, NYCE (www.nyce.net) or First Data (www.firstdata.com), using a PIN for authentication rather than the (physical) signature authentication required for credit cards. The implication for secure e-commerce is enormous.
I predict that with the power of the merchants behind them, alternate PIN-based payment systems will flourish, providing cheap, reasonably secure transaction authentication that can be extremely cost-effective for both personal and business use. The use of PINs for online transactions will help reduce the incidence of fraud, which is starting to creep up as the percentage of online transactions rises. Combined with online ordering and fulfillment, the era of secure e-commerce and micropayments can be jump-started once again, having gone into the deep freeze since the dot-com bubble burst.
The implications for vendors are equally profound. First of all, companies like Transactplus and consortia such as Identrus that were trying to develop their own alternative payment systems can throw in the towel, if any are left around. As the alternate payment systems bloom, companies like PayPal will be able to extend their reach beyond peer-to-peer payment methods and into general-purpose business-to-consumer and business-to-business transactions. eBay, the parent company of PayPal, has made driving more business-to-business commerce through its auction sites one of its corporate goals.
Second, PINs will become a standard authentication method, replacing signatures and rivaling passwords as the 'something you know' component for e-commerce. This spells more trouble for providers of digital certificates for payment systems, except in cases of high transaction value. Since the cards themselves represent the 'something you have,' there will also be less pressure to adopt hard tokens in low-transaction value situations.
Companies like RSA Security are responding by investing heavily in smartcard authentication as a hedging strategy should this technology take off. Companies like Arcot are also developing smartcard implementations in software and trying to plug them into the existing payment systems.
A smartcard-plus-PIN debit card payment system is exactly what Cybersafe embarked on several years ago. It's not hard to imagine that a smartcard-enabled debit card plus PIN, with optional digital signature capability, could become the de facto standard for all transactions, business and consumer alike. With standard readers proliferating, the cost of implementing a hardware solution should drop to roughly that of a software-only solution. Plus, the payment system operators will have a strong incentive to subsidize the cost of the readers and to invest in more convenient technology like wireless connections.
What impact does the coming revolution in payment systems have on securing web services transactions? Web services security plays a separate but related role in transactional security. Web services security specifications such as WS-Security deal with authentication of unknown parties independently of the payment system infrastructure. WS-Security, for example, allows for many different types of identity authentication, from username/password (or PIN), to Kerberos, to digital certificates.
It's possible that these alternative payment systems will be WS-Security compliant, but since they are likely to be closed rather than open systems, the need for extensibility and interoperability is reduced. It is much more likely that early WS-Security compliant systems will be proofs of concept rather than full-blown production systems. There is still value in providing third-party validation, non-repudiation and risk management services, which the payment processors, building on the foundation of their alternate payment systems, would be more than happy to provide. Following the money will be the secret to success in the post-credit-card era.
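To make the username/password (or PIN) option mentioned above concrete, here is an added example, not part of the original column: a minimal builder and verifier for a WS-Security UsernameToken using the PasswordDigest form defined in the OASIS Web Services Security UsernameToken Profile 1.0, where the digest is Base64(SHA-1(nonce + created + password)). The namespace and type URIs are the real OASIS identifiers; the user name `alice`, the PIN `1234` and the timestamps are constructed test values. The verifier, written from a defender's point of view, checks the Created timestamp for freshness and records nonces so a captured token cannot simply be replayed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Real OASIS WSS 1.0 namespace and type identifiers.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, secret: str) -> str:
    """PasswordDigest per the UsernameToken profile: Base64(SHA-1(nonce + created + password)).
    SHA-1 is what the profile mandates; it is a message format here, not a password store."""
    raw = nonce + created.encode("utf-8") + secret.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, secret: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: emit a <wsse:UsernameToken> carrying a digest instead of the cleartext PIN."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, secret)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_ENC}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Server side: validate digest, freshness window and nonce uniqueness."""

    def __init__(self, secrets: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.secrets = secrets          # username -> secret; must be stored protected in real deployments
        self.max_skew = max_skew        # how stale a Created timestamp may be
        self.seen_nonces = set()        # (username, nonce) pairs already accepted

    def verify(self, token_xml: str, now: datetime = None) -> bool:
        now = now or datetime.now(timezone.utc)
        ns = {"wsse": WSSE_NS, "wsu": WSU_NS}
        root = ET.fromstring(token_xml)
        username = root.findtext("wsse:Username", namespaces=ns)
        pw_el = root.find("wsse:Password", ns)
        nonce_b64 = root.findtext("wsse:Nonce", namespaces=ns)
        created = root.findtext("wsu:Created", namespaces=ns)
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            return False                # only the digest form is accepted here; refuse PasswordText
        if not (username and nonce_b64 and created):
            return False
        secret = self.secrets.get(username)
        if secret is None:
            return False
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            return False                # stale or far-future token
        nonce = base64.b64decode(nonce_b64)
        if (username, nonce) in self.seen_nonces:
            return False                # replay of a previously accepted token
        expected = password_digest(nonce, created, secret)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False                # wrong PIN; constant-time compare
        self.seen_nonces.add((username, nonce))
        return True


def demo() -> dict:
    """Exercise the happy path and the three failure modes with constructed values."""
    verifier = UsernameTokenVerifier({"alice": "1234"})   # constructed user and PIN
    created = "2003-05-01T12:00:00Z"                      # constructed timestamp
    now = datetime(2003, 5, 1, 12, 1, tzinfo=timezone.utc)
    good = build_username_token("alice", "1234", nonce=b"\x00" * 16, created=created)
    return {
        "accepted": verifier.verify(good, now=now),
        "replay_rejected": not verifier.verify(good, now=now),
        "wrong_pin_rejected": not verifier.verify(
            build_username_token("alice", "9999", nonce=b"\x01" * 16, created=created), now=now),
        "stale_rejected": not verifier.verify(
            build_username_token("alice", "1234", nonce=b"\x02" * 16, created=created),
            now=now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the digest form hides the PIN from casual observation but gives an eavesdropper everything needed to brute-force a short PIN offline, so the token still has to travel over TLS; and because the verifier needs the cleartext secret to recompute the digest, the server-side secret store is the crown jewel and must be protected accordingly.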
Robert Lonadier is president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached at firstname.lastname@example.org. RCL does not currently have any relationships with the companies mentioned in this article.