The Green Sheet, Inc

Cipherspace

 

Have you ever wondered how we are going to identify one another as we move further into the cyber world in which Internet and other such gateways to anonymous Electronic Commerce become ubiquitous, and we all become strangers to one another until otherwise positively identified?

 

Yeah, me too. I haven't thought much about it either. But, the truth is, we are standing on the technology's edge and the plans are being drawn out before us. The question is, will we be comfortable in this new community being created, and will we know how to get around? For most of you, it is important that you have more than a general idea of these concepts, because your customers will be asking you the questions when they get lost. (You are planning to include eCommerce in your service and product mix, right?)

Of course, one of the first questions is about security and what the nature of the risk really is. Aren't Internet transactions already very difficult to steal, because they travel all over the Internet in pieces? Do merchants need to add security to their Web sites, and if so, is SSL enough? Will Visa and MasterCard require commerce-enabled sites to have SET, and will the implementation costs of SET be worth any potential savings in Interchange?

One thing that will help shape answers to these questions is the value of the information being exchanged. If the information is of minimal importance and can be seen by anyone, then little or no identification protocols will be necessary. If it is of more importance, and carries critical confidential financial information, then we must be sure that only the proper recipients receive it and are able to read it. This process will require layers of security measures such as encryption, electronic signatures, and even digital certificates.

You are probably already involved in setting up encryption for your physical merchants, selling PIN-based debit acceptance, and providing PIN encryption, even though you may not yet have personal knowledge of the process. As more virtual payments take place, and more of the evolving new payment mechanisms go looking for ISOs to be their low-cost feet-on-the-street, you will find that these concepts will be discussed more often, perhaps creating barriers to market entry or eliminating some sales opportunities for your business.

While the concepts of electronic security may seem difficult to understand and perhaps unnecessary to some of us, for businesses to have comfort in this new world of anonymous eCommerce we need Privacy, Authentication, Integrity and Non-repudiation, that is, protection against denial of electronic transactions.

If you haven't heard these four eCommerce needs defined before, they mean that as we send transactions electronically all over the world, we must maintain privacy for all involved. We must also be able to authenticate who the parties are, both the seller and the buyer. We must be able to assure that the data sent, in particular the financial data, has not been tampered with along the way. Finally, we must be able to assure that in the end, the parties have no reason to say that they didn't send or receive the message, services, or payment.

The developing acronym for this is P.A.I.N.: Privacy, Authentication, Integrity, and Non-repudiation. This of course is more Retail eSpeak Authorization Language, making this whole subject somewhat of a R.E.A.L. P.A.I.N., but nonetheless, we need at least a 10,000-foot familiarity with the subject.

One of the first principles that we must understand is that some very forward-thinking people believe that in the future of eCommerce, being proficient at Cipherspace (not cyberspace) is going to define the real players. What this means is that Digital Cryptography will be synonymous with eCommerce.

Even accepting the fact that only a small number of people in this country (or the world, for that matter) will ever completely understand all the complexities of electronic security (who really understands SSL?),1 we should all know why it is necessary, what the process is, and what protections the various methods actually provide.

So let's start with the basics. When we as individuals first learn math, we learn to add. The reason is that addition is fundamental to subsequent and higher math. We next learn multiplication, which is built on the previous knowledge. We learn, as an example, that 2+2+2+2 is also 2x4. Now, I know I may already be losing the math-challenged audience, but stay with me.

First off, "encryption" is like "addition": it is a basic function, and a "Digital Signature" is like "multiplication". This means that Digital Signatures are another way to perform (higher-function) encryption. As a basic encryption process, we can move each letter in the alphabet four characters to the right, making an A into an E, a D into an H, etc. We can then send a message written with this cipher key (4), and the message receiver can decipher the message by translating it back on their end. This of course requires that all message originators and receivers have the "key" and that the same "key" will both encrypt and decipher.
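The "shift by four" cipher just described, written out as an added example (not code from the article): one shared key both encrypts and deciphers, which is what makes it symmetric. The brute-force helper is an added caveat showing that a key space of only 26 offers no real protection.

```python
# Added example, not from the article: the article's shift cipher with
# key 4 (A -> E, D -> H). The same key both encrypts and deciphers.
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(message: str, key: int) -> str:
    """Move every letter `key` places to the right; other characters pass through."""
    out = []
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Deciphering is the same operation run backwards with the same key."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Caveat: with only 26 possible keys, anyone can simply try them all,
    so a shift cipher illustrates the idea of a shared key, not real security."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    # Constructed sample message.
    secret = shift_encrypt("PAY $100", 4)
    print(secret, "->", shift_decrypt(secret, 4))
```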

After we have mastered addition and multiplication, we learn to factor. This means we learn that 2+2+2+2 is 2x4 and can also be expressed as 2³. Digital Certificates are similar to factoring.

To gain an understanding of Digital Signatures, we must accept that sometimes it will not be enough to be able to decipher a message; rather, we will need to know beyond a doubt who sent the message. This means that we must change the keys from being Symmetric (same key to encrypt and decrypt) to Asymmetric Key Cryptography, in which the two keys of a pair are not the same.

Here's how it works: The sender signs with his private key, and your trading partner verifies the message with the sender's (or initiator's) public key. Any tampering is detected by using message digests, or what are sometimes called Hash totals, which determine the characteristics of the message mathematically. So, this means that a Digital Signature is an algorithm (or cipher) using the originator's private key. It allows your partners to verify that a message or payment instruction came from the sender and was not tampered with along the way. In case of a dispute, anyone can mathematically prove whether the message came from the sender, based upon the sender's public key.
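The sign-with-private-key, verify-with-public-key flow described above, as an added example that is not part of the original article. It uses textbook RSA with small, constructed primes so the arithmetic stays visible; the key sizes, the absence of padding and the demo values are assumptions for illustration, not something a real payment system would use.

```python
# Added example, not from the article: a toy digital signature in the shape
# the article describes. Hash the message (the "hash total"), sign the digest
# with the private key, and let anyone holding the public key verify it.
# Textbook RSA with small constructed primes; real systems use 2048-bit keys
# and padding such as RSA-PSS, never this toy.
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Build (public, private) keys from two primes. e is the public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def message_digest(message: bytes, n: int) -> int:
    """The message's 'hash total', reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: raise the digest to the private exponent (only the sender can)."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone: undo the signature with the public exponent and compare digests.
    A changed message or a forged signature fails this check."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message, n)


# Constructed demo keys from two small primes (illustration only).
PUBLIC, PRIVATE = make_keypair(p=104723, q=104729)


def demo():
    """Sign a payment instruction, then verify it untouched and tampered."""
    instruction = b"Pay merchant 4711 the sum of $250.00"
    sig = sign(instruction, PRIVATE)
    genuine = verify(instruction, sig, PUBLIC)
    tampered = verify(b"Pay merchant 4711 the sum of $950.00", sig, PUBLIC)
    return genuine, tampered  # -> (True, False)
```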

So, as you can see, Digital Signatures are simply encryption expanded, with Digital Certificates being Digital Signatures amplified to a higher power.

Now that we all have that, let's consider the question of message routing and what the need actually is for encryption. Prior to the Internet, payment information generally traveled on traditional key-switched lines, or what are sometimes called circuit source-and-target, or end-to-end, communications. The call originated at one end of the line and traveled directly to the receiver on the other end. With the invention of TCP/IP (an Internet protocol that breaks up messages into small packages which each travel in different directions, only to be reassembled on the other end), these transactions are generally more secure today than on previous switched traffic.

While TCP/IP-enabled Internet routing creates some security, SSL adds to the process a count of how many packets there are, so the recipient can be assured that the message was not modified along the way.

While we may not all fully understand Internet security, and certainly most of us will not be called upon to actually set up SSL on a server or ever debate the merits of the SET protocol, we should understand that some people in our industry believe that digital certificates will eventually change everything we now think we know about payments.

 

How, You Say?

 

Throughout history, the cost of a single transaction has had a direct relationship with the size of the firm. In most cases businesses are looking over their shoulder for the new enterprise which will have significantly lower costs, because that company can make them obsolete. So it could be with the emergence of Internet transactions which carry a Digital Certificate.

Imagine transactions floating throughout the world that have zero communications cost. Imagine still that the transaction denomination is but a fraction of a cent, and each has a digital certificate. This means that in essence, they become electronic bearer bonds. Now imagine that the certificate authority is the U.S. government.

With this design, all other forms of payment could be eliminated. No need for interchange, as in credit cards today, because the message is the payment, and the payment is the message. Checks are just authorizations to pay, based on a signature, and forwarded to a drawee bank. Imagine the check is an encrypted message digitally signed and authenticated and the message is the payment, due to the certificate authority backing or guaranteeing the transaction.

For those who see a cipher-based future rather than a cyber-based future, financial services will develop along the following lines:

  1. Nothing but Net

    All enterprise time not spent maximizing the benefits of the Web (from the reduction of communications cost to the improvement of our customers' ability to help themselves to our data about them or our services) is a waste of time.

  2. Geodesic Transactions

    All actions should be directed at eliminating everyone between our product/service and our customer. One-on-one is the only future.

  3. Costs will decline three orders of magnitude.

Since the name of the game is "Nothing but Net," and costs decline by 50% every 18 months on the Web, all other business models will fail if their costs do not also decline three orders of magnitude every 18 months.

 

In writing this story, something occurred to me. Can you imagine being among the few people who had just become aware of the invention of the light bulb, and then having someone (thinking out of the box) say that some day there will be a city in the western desert that will use millions of these? In fact, they will really do nothing more than spell out words and make the night into day.

Then, of course, some traditionalist would ask, why? And the answer would be because it will scream out "leisure time" to all that come near, and it will operate 24 hours a day, 365 days a year.

While all of these thoughts may be too Star Trekkie for you, security, signature, and certificate authorities all have these possibilities in their future.

 

Closing Thought

 

I recently heard someone say that all the fun stuff that is happening on the Internet is the result of "out of the box" thinking. We must keep reminding ourselves that the money is in the box.

 

1 Secure Sockets Layer, a 128-bit encryption method.

 
