Hacker-proof credit card transactions?
By Albert Pang ZDNet E-Business, ZDNet News
July 9, 1998 10:40 AM PT
URL: http://www.zdnet.com/zdnn/stories/zdnn_display/0,3440,2118577,00.html
Secure electronic commerce reached a milestone yesterday, making it
possible for Uncle Sam to carry out credit card transactions without fear
of being ripped off by hackers.
Certicom, a cryptography software developer, and MasterCard International
unveiled a pilot program under which the online store of the U.S.
Treasury's Bureau of Engraving and Printing (BEP) will be offering up to
200 selected participants the ability to securely purchase collectible
items.
Using a smart card, a smart-card reader, and an electronic wallet based on
elliptic curve cryptography (ECC), the participants will be buying uncut
currency and presidential portraits from the BEP Website.
The central component of this pilot lies in the Secure Electronic Transactions
protocol (SET), an emerging technology often touted as one of the safest
ways to conduct credit card transactions over the Internet. However,
numerous SET pilot programs have yielded lackluster results because of
large systems overhead and performance limitations of its current version,
SET 1.0.

Placing their bets

What Certicom, MasterCard, and 10 other technology suppliers hope to
accomplish is to place their bets on ECC, which offers efficiency benefits
over other cryptographic algorithms such as those of RSA Data Security. In other
words, credit card transactions conducted over the Internet using SET plus
ECC would be faster and safer. In the best-case scenario, such
transactions could be completed as securely and quickly as those in a
physical store where a cashier runs a credit card over a reader and
obtains the authorization.
In fact, Certicom, citing preliminary results of a benchmark process by
GlobeSet, says ECC reduces cryptographic overhead in the payment protocol
by 73 percent and performs about 40 times faster on the SET payment
gateway than one without ECC.

Split opinion

Others are skeptical about these claims. "Better performance is always a
good thing, but we haven't seen the benchmark results on ECC," says
Elizabeth Ames, director of product marketing at VeriFone, a unit of
Hewlett-Packard, whose software products have been approved as
SET-compliant by SETco. SETco is a nonprofit organization set up by Visa
and MasterCard to promote the use of SET.
Ames says VeriFone has not decided whether it will support ECC because
SET 1.0 does not support ECC and the next version, SET 2.0, is going to
be algorithm-independent. Specifications of SET 2.0 will not be finalized
by the end of the year.
However, Jennifer Vancini, director of marketing for e-commerce at
Certicom, says the preliminary benchmark methodology in this pilot has
been audited by SETco and that its ECC implementation is compatible with
SET 1.0. She adds that ECC could be included in SET 2.0.
In any case, ECC, which until last year was considered an obscure
algorithm, could become the impetus behind the broad acceptance and steep
growth of e-commerce in the coming months.
Is ECC going to breathe new life into SET or is secure e-commerce still a
figment of one's imagination? The debate is far from finished.
Received on Tue Oct 27 09:58:30 1998