When you've been involved in public key infrastructure (PKI) technology as long as Tom Manessis has, you learn a few things - mostly the hard way. Like how PKI by itself won't solve any business problem, and how it's important to keep things simple if you expect PKI efforts to gain traction.
|Visa's Tom Manessis, an eight-year PKI veteran, is taking another stab at the technology with Visa's 3-D Secure.|
Manessis, VP of eCommerce Authentication for Visa International, has been dealing with PKI for eight years, the past six years with Visa. It was 1995 when Visa, MasterCard and their partners embarked on the Secure Electronic Transaction (SET) initiative. SET is a protocol intended to enable online transactions by providing for authentication and the secure transport of payment data across the Internet. Its implementation proved to be complicated, however, which led Visa back to the drawing board. The experience also provided the company some valuable insight into what kinds of security measures will and won't work in an online business environment, lessons that other companies can take advantage of.
"What we failed to consider was what the market was willing to adopt and how our business process works," Manessis says. "In the past it's been, 'I have PKI, now how am I going to apply it within my business?' It really should be the other way around."
"I would call SET a PKI-heavy implementation of a payment protocol," Manessis says. SET requires digital certificates to be issued to every participant in the transaction: the cardholder, the merchant and the merchant's bank.
SET also requires a hierarchy of trust, with SETCo - the company formed by Visa and MasterCard to govern SET - as the root certificate holder. The idea was that SETCo would issue certificates to participating members, including Visa and MasterCard, which would in turn issue certificates to their member banks. Banks would issue certificates to merchants and cardholders.
Among the challenges Visa faced with implementing SET was timing. "We introduced it over five years ago," Manessis says. "The Web was still developing, merchants were trying to get their brand name out there, and security wasn't at the top of their list."
Another problem was that banks were charged with doling out digital certificates, which were delivered inside a piece of SET software known as a wallet that also carried encryption keys and SET message sets.
"We have more than a billion cards in the market today," he says. "Banks aren't in the software business, so distribution of wallets became an issue early on."
In some countries where security was more of a concern, SET took hold despite its shortcomings. In others, such as the United States, where business practicalities outweighed security issues, it never caught on.
A couple of years ago Visa went back to the drawing board and looked at the problem from a fresh angle. It broke the problem down and focused on the main goal it was trying to accomplish - that of authenticating the cardholder. Visa also had a few other requirements based on its SET experience: send no software to the cardholder, and enable cardholders to authenticate from anywhere using any type of access device.
"We decided we could do that using a number of authentication mechanisms, including passwords, chipcards [or smart cards], PKI, etc., depending on what the bank wants to deploy to its cardholder," Manessis says.
The result of this renewed effort is 3-D Secure, which is a lighter implementation of PKI that is the foundation of the Visa Authenticated Payment program, launched in June. Customers fill in payment data at merchant sites in the usual fashion, via an encrypted Secure Sockets Layer (SSL) connection. The merchant then sends a message to Visa to find out whether the customer is enrolled in the 3-D Secure program. Visa responds with a message indicating whether the cardholer participates and, if so, provides a Web address for the bank that issued the card. The merchant then ships a message to the bank asking for authorization, along with transaction details such as the amount.
The bank will then pop up a window to the cardholder indicating which merchant is asking for a transaction authorization and for what amount. The customer approves the transaction in one of a variety of ways, depending on how the issuing bank chooses to implement the system. Options range from simply entering a password to swiping a smart card. If the authorization is valid, the bank sends a message to the merchant saying the transaction is approved. That message is digitally signed by the bank and verified by the merchant, creating an audit trail for the transaction.
"So the cardholder has no software and no certificate," Manessis says. "It works just using a password, so it can work on the Internet via a PC, a mobile phone or whatever."
If a given merchant isn't set up for the 3-D Secure program, the customer will just see traditional payment screens without the popup message from the bank.
As compared with SET, 3-D Secure is vastly simpler to implement for merchants and banks because Visa created a server software package that includes all the required components. "We've hidden the PKI element. It's just part of the application," Manessis says.
Banks install the server and, as part of the installation process, the application requests a certificate from Visa. "Once they get the certificate back, they're up and running." Likewise, it takes merchants as little as four hours to install the software required for them to process payments, he says.
3-D Secure gives member banks choices in what they want to deliver to cardholders. Visa has launched a smart card program, for example, that is compatible with 3-D Secure. In that case, the cardholder has a digital certificate that provides an extra layer of protection.
The program also supports multiple vendors' PKI products. There again, it is up to a member bank to choose which products it wants to use. "Each of the banks have different vendors they use," Manessis says. "You name them, we're probably using them."
Looking back on his experience with PKI, he says the key lesson learned is that you can't attack a PKI implementation solely from a technology standpoint.
"We feel we're more successful now than in the past because we have a clear understanding of what we need to do from a business perspective," he says. "PKI is still very beneficial to what we're doing. We just need to apply it in a more appropriate manner."
Manessis says PKI vendors also have some work to do to make their products easier to implement.
As an example, he cites the ability to customize certificates. Visa issues roughly 10 different types of digital certificates for uses such as encryption and digital signatures. He would like to be able to create a template for each type. "I can't do that with most off-the-shelf packages we're seeing today," Manessis says. Consequently, each certificate has to be created from scratch.
At first he thought Visa was merely ahead of the curve, and that vendors would catch up to such requirements. "But it's been five or six years now. We can't be the only ones that have this type of need."
Another issue is application integration. "PKI and authentication by itself is useless. It has to be integrated with appropriate business applications," he says. "That's where PKI has fallen short and still hasn't reached expectations."