E-Commerce @nywhere

Theory: Wireless e-commerce will be the biggest thing since, well, wireless data. Reality: Maybe so, but carriers likely will foot the bill for a lot of upgrades, and there's no guarantee that they'll get any more revenues out of it than additional airtime.

There are at least as many visions of wireless e-commerce as there are vice presidents looking for the right business model, and each vision determines how much the network and user devices must be upgraded to accommodate it. In Europe, for example, subscribers can charge train tickets and sodas to their wireless bills using vending machines that communicate with the handset via short-message service (SMS) or, in the near future, Bluetooth.

"When Bluetooth or other local communication becomes available on handsets, this will transform the handset into a true electronic wallet," said Patrice Peyret, Sun Microsystems director, consumer and embedded. "For over-the-air e-commerce, nothing needs to be changed. SMS is sufficient for most transactions. For proximity e-commerce (such as) using the phone as an e-wallet at the point of sale, then cash registers (and) vending machines need to be equipped with Bluetooth, IrDA or other interfaces."

But U.S. carriers likely won't import the European model without a few changes. For one, credit-card penetration is much higher here, so the ticket probably would be charged to a credit card or a bank-run electronic wallet within the phone.

"You start getting into discussions of payment processing," said Fritz Von Mering, Boston Communications Group vice president of corporate development. "That's not necessarily an area of expertise for carriers, but it is for the credit-card companies. They'll weigh in with their opinions and influence."

Carriers seem to agree. "Banking in the United States is very aggressive and very much wants to have that wallet," said Janet Boudris, BellSouth Wireless Data senior vice president of strategic marketing. "Portals have been talking a lot about that wallet both for Internet-based services as well as wireless services. But they've also been talking about billing it to credit cards as opposed to them doing the collection. I think we would be more likely to work with a bank or credit-card company to do that."

Even so, there's another hitch: Transactions worth less than $1 are a losing proposition. "The cost of processing the credit-card transaction would probably exceed 80 cents," said Alan Young, vice president of e-citi, Citicorp's e-commerce division. "Clearly, for micropayments, you need to look at another way."

One alternative is to make the SIM card into the wallet, which would download, say, $50 worth of credit in one transaction and then debit the 75 cents for the soda. It's feasible that the carrier could run the wallet in order to ensure a slice of those transactions, but that involves a lot of back-office work, such as billing and maintaining relationships with the companies that it bills for.

Even so, many carriers appear unwilling just to provide a pipe for e-commerce.

"I want my piece of it," said Richard Lynch, Bell Atlantic Mobile executive vice president & CTO. "I'm not going to do that for free."

PRETTY GOOD SECURITY? Despite some well-publicized urban legends about using baby monitors and scanners to eavesdrop on PCS, e-commerce companies apparently don't see the air link as the weak link.

"The biggest concern isn't with the air link so much as what happens with the data once it gets into the terrestrial link," said Mike Mills, vice president of business development at Aether Systems, which developed wireless solutions for Charles Schwab and Merrill Lynch. "Sometimes, wireless carriers will send packets through the Internet using various types of networks (such as) frame relay and ATM. I think there's a little concern about losing control of those packets from the carrier onward."

One point of concern is the gateway between the wireless network and the Internet.

"At that point, everything is brought back into the clear, and then it's encrypted to go to the phone," said e-citi's Young. "In order to change the protocols and the applications, you need to decrypt everything because you can't change an application when something's encrypted. Even if that data center is the securest thing in the world, it's still potentially a point of compromise, and it's something outside the bank's domain of control. That's something we want to work with operators to help address."

Audit trails help with fraud detection, troubleshooting and resolving disputes. By one estimate, 3% of credit-card transactions are on-line, but that 3% generates 47% of disputes. Auditing likely would be the responsibility of the e-commerce company rather than the carrier.

"Any tracking that occurs is at the application layer," said Tom Trinneer, AT&T Wireless director, product strategy and planning.

Another safeguard is a digital certificate, which resides on the device and works in conjunction with a digital signature to "sign" the transaction and authenticate the identity of the person doing the transaction. The application server looks at the certificate, verifies the user's identity and then proceeds with the transaction.

"Later on, if I call Merrill Lynch and say, 'I didn't do this trade,' they will say, 'No, there is proof that your signature is on the transaction,'" said Nagy Moustafa, Diversinet president & CEO.

One hurdle is reducing the certificate to a size that can fit on a wireless device. Diversinet's, for example,is only 100 bytes, which should fit on everything from a RIM pager to a SIM card.

The jury remains out on whether digital certificates and signatures are necessary.

"I think customers are comfortable with passwords and log-ins," said Aether's Mills. "I see (digital certificates) as being down the road (but) not too far down the road. Our customers aren't demanding it, and their subscribers presumably aren't, either."

At the very least, digital certificates streamline the transaction process by eliminating keystrokes, which can be clumsy and time-consuming under current form factors. That alone could help stimulate e-commerce by making the experience more user-friendly.

One alternative is to have the gateway confirm the user's identity to the application. WAP version 1.2 uses that approach.

"It's basically a mechanism whereby there's a certificate that's stored in the network, and it identifies the user and a phone," Trinneer said. "That's accessible to external applications."

Having the gateway vouch for the user's identity might raise a few eyebrows.

"It's a little curious how people will (say) it's such a problem (to) authenticate the device and not the user in a wireless environment, but then cookies are okay (for wireline e-commerce)," Trinneer said. "The Internet runs on cookies."

For now at least, e-commerce companies appear satisfied with current safeguards.

"The back end of the Phone.com server talks to the various content sites using RSA security," said John Yuzdepski, vice president of product management and development at Sprint PCS, which carries Ameritrade. "We use standard security algorithms there. Right now, we have plenty of content opportunities without having to enhance our network."