Security Strides
As Visa International tries to meet the challenges of transaction security, it has some lessons for wireless carriers.
Joe Chouinard isn't really in the wireless industry, but he understands a market many wireless carriers would like a piece of: secure online transactions.
As Visa International's vice president of new e-commerce channels (www.visa.com), Chouinard is well aware that for wireless payments to become a “killer app,” the industry first must convince users that it's safe to make a purchase via their wireless devices. That's why he's working to help carriers and banks make m-commerce transactions and payments as secure as possible.
Visa is developing and trialing a specification for securing wireless transactions based on its secure-payment technologies. The specification, developed with input from wireless industry players including Mobey (www.mobey.org), WAP Forum (www.wapforum.org) and Radicchio (www.radicchio.org), will be launched later this year.
As part of its global e-devices initiative, Visa is working to secure universal acceptance into emerging Internet channels. Chouinard said the initiative, which includes a secure transaction and communications platform and solution, was created to ensure that customers would be able to make payments with their Visa cards and access online financial resources using any Internet-capable device, including wireless handsets.
To meet present and future security needs, Visa is building in risk-mitigation measures appropriate to the level of exposure. In electronic and wireless environments, there are four areas of concern. The first is party authentication, particularly when a consumer and merchant transact across a network and are not physically present. The second is data integrity: as the transaction is sent from one end to the other, the data must not be altered in transit. The third is privacy and confidentiality, so that parties not involved in the transaction can't steal details such as card numbers and use them somewhere else. Finally, non-repudiation, which means that neither party can later deny having participated in the transaction, is essential.
Many of the same principles that exist on the Internet, such as PKI and browser functionality, are being applied and deployed in the mobile space as well. All four issues should be important concerns for carriers that want to provide secure transactions for their subscribers, according to Chouinard.
He said the biggest transaction-security challenge for carriers today is market maturity. Although some handsets include wireless-transport-layer security (WTLS) and level-three security sessions, most of them are still in laboratories, not in the marketplace.
“At this stage in the mobile area, we are at the same point that the fixed-line Internet was in ’94 or ’95,” Chouinard said. “At that stage in the fixed-line Internet, browsers were still fairly rudimentary; they weren't fully interoperable; they didn't have the rich robust functions that are there today. SSL to secure your channel encryption was not widely deployed at that point. We're at that point in the wireless space, but I don't think it's going to take us five or six years to catch up.”
Visa currently is leveraging the capabilities that are being designed and deployed for transaction security in the wireless industry. For example, the company plans to build its security standards and mechanisms upon elements within the WAP Forum such as browser definitions, security-construct definitions such as the wireless identification modules (WIM), transport-layer security constructs with WTLS and application-level security that is being integrated.
“As those get further defined and deployed, we'll be in a better position to fully deploy secure electronic-transaction-processing mechanisms as well,” Chouinard said. “The good news is we're not behind. That's largely because there isn't a lot to buy, and there aren't a lot of people buying.”
U-Commerce & Open Standards
According to Chouinard, Visa's vision of universal commerce (u-commerce) allows people to buy and sell anywhere, any time and in any way, using a growing range of devices.
“The practical application of u-commerce in the market is as these capabilities such as PKI infrastructures and channel encryption and browser technologies become widely deployed, we'll be able to leverage those basic capabilities … in multiple channels such as fixed-line Internet, the mobile Internet and set-top boxes for interactive digital television,” he explained.
It also will give consumers a similar experience across multiple channels, and the authentication process will be similar no matter which channels are used.
To further facilitate this ability, Visa is working with key industry and technology partners to develop secure and open payment solutions that give consumers access to financial services and the ability to make payments using their device of choice.
“We have been leveraging pieces of what they're (partners) doing to facilitate secure payment processing,” Chouinard said. “But we have gone into the industry and selected vendors and partners and asked for their review and input because we recognize that our core competencies are not mobile.”
As for carrier partners, Chouinard said they can benefit from associating with Visa, which has more than 1 billion card holders, 22,000 member banks and more than 20 million merchants. Visa cards are used in 56% of online, fixed-Internet e-commerce transactions.
“They understand that secure payment benefits them in a couple of different ways. First, it enables m-commerce and the mobile Internet, from which they're going to derive some (growth) benefits. Second, they understand that if there's a tremendous amount of fraud as a result of insecure payment services, it's going to damage their brand as well.”
In addition, Visa plays an active role in establishing global standards for interoperability in payments and payment security. It's also working to integrate and extend existing industry standards to new m-commerce channels. To help ensure global payment interoperability and open standards, the company is working with several wireless-industry groups.
For example, the WAP Forum is developing global standards for the secure delivery of information and services via m-commerce devices, and Visa is leading the development for its E-Commerce Expert Group. Visa also is working with Radicchio to promote PKI authentication for secure m-commerce transactions.
Visa also has partnered with the Mobey Forum to promote wireless financial services and with The Global Platform association to promote adding multiple applications from different industries to chip cards.
Carriers that hold stakes in fixed line and broadband are most interested in payment interoperability, Chouinard said.
“AT&T Wireless (www.attws.com), for example, is more interested in the multichannel payment arena,” he said. “But wireless-only carriers are beginning to understand that consumers will want to set up a personality that can enable multiple channels on the Web or wireless.”
Secure Transaction Trials
Three wireless carriers in Asia, Europe and the United States currently are trialing Visa's secure payment and transaction specification. User authentication, whether in the server or the handset (the individual carrier can decide which), is the focus. For example, the solution includes a merchant plug-in within the merchant servers that will facilitate transaction processing. The issuers will have to build a server or piece of software and make that available to them by working with the vendor community. This server will help them authenticate that user.
“Depending upon the authentication mechanism that's deployed, we may have to rely on enhanced capabilities in a wireless phone, for example, WIMs,” Chouinard said. “The security mechanisms that we're deploying largely leverage standard Internet technologies. We're building in a very flexible mechanism for consumers to authenticate themselves to an issuer.”
Some consumers, he said, will be comfortable with a password; others will want higher-security mechanisms based on a PIN or symmetric encryption capability or a PKI with a digital certificate. Visa's platform allows a great deal of flexibility.
“With the deployment of GPRS networks, phones will be PKI-capable, and they may want to use digital certificates, whereas in the United States where they will deploy higher-speed networks more slowly, they may want to use simple passwords,” he said.
As for customer privacy, Chouinard said customer information is largely a convenience function; it can be stored either on a server or in the device.
“We're moving to a point where card number in and of itself won't be enough to transact. You'll need card number along with an authentication mechanism,” he said. “We hope to get to a point where card number alone isn't a secure piece of information.”
According to Chouinard, Visa is interested in the capabilities carriers can bring to the table relative to authenticating card holders and/or subscribers.
“The biggest issue for carriers is credit-risk management,” he said. “Putting a Coke on your phone bill is one thing; putting an airline flight to Hong Kong on there is something else.”
© 2012 Penton Media Inc.