


Net Prophet - by Dylan Tweney

December 15, 1997

Security solutions for business transactions not ready for prime time


It's pretty clear by now what's been driving Internet commerce in 1997: More and more companies are seeing unprecedented opportunities to reduce costs by doing business online with their trading partners. In short, it's business-to-business transactions that have accounted for the lion's share of this year's I-commerce activity.

But you'd never guess that if you listened to the credit card companies. With their massive marketing machines, they've done an excellent job this year of making sure that their Secure Electronic Transaction (SET) standard has been at the front of every discussion of I-commerce. And now that SET products are finally becoming available, consumers might even have a chance to try out this vaunted new technology.

Don't get me wrong: Any technology that facilitates secure, efficient online transactions is a good thing. But SET's hardly the commerce catalyst it's cracked up to be, for one simple reason: The businesses that stand to benefit most from SET are the credit card companies themselves.

In fact, most online merchants doing retail business with consumers are perfectly happy taking credit card orders over a Secure Sockets Layer (SSL) connection. And, provided that the merchant then stores that credit card information in a secure server behind a firewall, the SSL approach provides plenty of security for merchants and consumers alike -- and consumers are showing themselves plenty willing to use it.

What SET provides is, in effect, an additional layer of authentication to protect the credit card processors and card-issuing banks against credit card fraud. Of course, these credit card companies will provide incentives to their merchants to use SET, most likely by reducing the percentage of each transaction they charge for their services, provided that transaction is conducted using SET. With SET, the credit card companies will have covered a potentially serious liability, merchants will enjoy a lower cost of doing business online, and consumers will be only slightly inconvenienced by the requirement to maintain SET "wallet" software on their PCs.

Extranet exigencies

But SET is still a credit card processing solution. And there are many purchases for which you just can't use a credit card -- namely, most business-to-business transactions. Ever try charging a million dollars' worth of parts to your Visa? How about the invoice for those 50 Pentium PCs you just ordered -- think you can use Discover to pay that one?

The fact is, business-to-business transactions have a different set of security needs not addressed by any of the consumer online payment technologies, including SET. Even though the same basic thing is happening -- money is changing hands -- there are different priorities and requirements.

For a business-to-business transaction, the most imperative requirement is that both parties need to be sure that the other is who they say they are, and that they're in fact authorized to execute that particular transaction. In addition, most businesses want to be sure that the transaction is strongly encrypted, so it can't be snooped by unauthorized third parties.

There are certainly technologies available to assist in this arena. The public key cryptography and digital certificates pioneered by Pretty Good Privacy, Inc. (recently acquired by Network Associates) and now deployed in every Web browser are a good start. But a huge logistical and technological issue remains: How do you manage certificates? Who vouches for their authenticity? (Certificate authorities, of course; but how do you know which of those to trust?) And how do you set up a network of trusts that's robust, easily updated, and most of all scalable, so that it still works when millions of small, medium, and large companies are using it?

Maybe we don't need a single, overarching authentication system. Maybe it will be sufficient for each company to implement agreed-upon authentication and encryption procedures with their trading partners. But in either case, we still have a ways to go. And right now, there seems to be a serious dearth of tools to help businesses solve this critical I-commerce security problem.

How are you solving the security needs of your business-to-business Internet transactions? Email me with your security concerns.


Dylan Tweney edits InfoWorld's Focus on I-Commerce section.
Give him a piece of your mind at dylan@infoworld.com.



Copyright © 1999 InfoWorld Media Group Inc.
