Tech Talk


William Dan Terry

IP News (Internet Edition) Spring 1997

Charge! Wait!

There has been a lot of discussion, research and testing of means to handling purchasing over the Internet. After all, for the Internet to serve as a conduit for commerce, it needs to handle the transferring of payments. For now, Internet technologies only provide two basic, commonly used ways for transacting commerce: credit cards using secure Web browsers in conjunction with the matching Web servers (at least in the United States) and credit cards in the open.

Secure Web Servers

For secure Web servers, commonly known as commerce Web servers, to work they must employ what is called strong encryption. Strong encryption refers to the relative difficulty in breaking the encryption. What is 'strong' changes as computer hardware and software continually improve. Currently commerce Web servers are primarily produced in the United States, which has laws against the export of strong encryption. This is not conducive to international commerce.

US commerce server producers are now being offered one way out. They would be able to use stronger encryption internationally, but they'd have to design a back door in the system within two years. Not a thrilling prospect to those most concerned about privacy and security.

Open Credit Card Transactions

The Internet poses a whole new dilemma to transmitting credit card numbers safely. While the consumer is not liable for more than US$50 in the case of credit card fraud (in the United States), the credit card industry still bears the brunt of financial losses. Those interest rates and yearly fees that many consumers pay, and the fees that vendors pay don't just cover the operation costs and profits for the credit card companies. They cover the losses due to theft and fraud. If the cost of offering credit card services increases significantly due to theft and fraud on the Internet, you can bet that the costs are going to be passed on to the consumer somehow. Go to the Visa Website, and you'll find numerous warnings against using your credit card number in unsecured Internet transactions.

At a restaurant or store, the consumer may not know the person into whose hand the credit card has been passed. But the consumer is comfortable with the transaction mainly because of two assumptions. One is that the establishment is reputable since it is in business. The other is that, even though the employee is unknown to the customer, the establishment places trust in the employee.

Credit card use over the phone or via postal services varies around the world. In places known for safe transmission, it is based on known and trusted employees and technology from end to end. Between the employees and the technology there is a means for accountability.

Unfortunately for commerce, it's actually one of the strengths of the Internet which makes unsecured transactions a problem. Communications on the Net are robust since its topology is designed to dynamically route a communication from one computer to another. Therefore, the route of a credit card transaction is not static, nor controllable, and, given that the Internet is not a single entity, but a loosely collaborative network of networks, the credit card transmission security is not accountable. A message from Vienna, Virginia, USA to neighboring McLean can cross the entire US including over 20 computers under the auspices of numerous unknown companies with unknown Internet security and employee hiring practices. This opens up a lot more potential for credit card number theft than the employee at the restaurant.

Where Does This Leave Us?

Certainly commerce Web servers are one way to go within the US as now there are ones available which securely communicate with the two most popular Web browsers, Netscape and Internet Explorer. And depending upon possible companies outside the US producing commerce Web servers with strong encryption and how the cryptography export issue plays out in the US, international Internet commerce will find some means of getting strong encryption technology.

Another option which works internationally is to perform all ordering, including purchasing and delivery information, except the credit card number via the Internet and use the phone system to only provide the credit card number associated with the order number (maybe the last four credit card number digits).

On the Horizon

New systems for secure Internet commerce are in the works including third party clearinghouses and cybercurrencies. These will be a part of the Internet future, but aren't ready for full business now.

IP News Spring 1997 Table of Contents IP News Title Page ©1997, NetPubs International