Techniques: On-line Entrepreneur

How to make financial transactions as secure on-line as they are in the real world

Every new technology has its bogeyman. "Electricity had Frankenstein. Nuclear power had Godzilla. And the Web has hackers," says Jason Olim, the 28-year-old president of CDnow, an on-line retailer based in Jenkintown, Pa. Hackers are an evil Olim can't afford to ignore: his three-year-old company sells approximately $6 million worth of CDs and cassettes a year over the World Wide Web.

Of course electricity and nuclear power are still very much with us, so perhaps it's not surprising that the number of companies doing business on the Web increases every day. Forrester Research, of Cambridge, Mass., reports that within the next five years, revenue from on-line shopping in this country is expected to balloon from $518 million to $6.6 billion.

Still the question remains: Can a business's on-line transactions be as safe as conventional sales? Yes, say the half-dozen Internet-based retailers we interviewed. Every one of those companies--which have been doing business on-line for one to three years and have annual sales of up to $24 million--reported zero incidence of electronic-transaction theft. And all agreed, based on their front-line experiences, that the threat of Jolt-eyed hackers intercepting credit-card numbers via network "sniffer" software is way overblown.

It used to be that many security-minded consumers would shop on-line and then go off-line when it came time to make the purchase. But that practice is changing. For example, when on-line computer retailer Cyberian Outpost, based in Kent, Conn., opened for business in 1995, roughly 20 percent of its customers phoned in their credit-card numbers rather than run the risk of sending them over the Internet. Today only about 1 percent of the company's sales are made over the phone, says company president Darryl Peck.

One reason customers feel more confident buying goods on-line is the growing use of new technology designed to make Web-based transactions more secure. Practically all major on-line retailers now use a protocol called secure sockets layer (SSL), which scrambles credit-card numbers and other electronic data so that they're useless to un- authorized recipients. SSL, developed by Netscape Communications, comes built into most Web-site-development software, including Microsoft's Internet Information Server and Netscape's own Enterprise Server. And most browsers, including Microsoft's Internet Explorer and Netscape's Navigator and Communicator, also "speak" SSL.

SSL's main job is to encrypt words and numbers into a jumble of alpha-numeric characters that can be "unlocked" only by the computer at the merchant's end of the transaction. Each SSL-enabled server is installed with both a coder and a decoder, and the encryption code they generate is unique to that system. When a consumer using an SSL-compatible browser gets ready to buy something from a retailer's Web site, he or she sees a message (like "You have requested a secure document") or an icon (perhaps a lock in the corner of the screen). The user then enters a credit-card number, and the server's coder automatically scrambles it. In theory, hackers could get at that code, but the numbers can't be unscrambled without the decoder that comes with the server licensed to the seller.

Prices for SSL-enabled Web-server software range from zero for Microsoft's Internet Information Server 3.0 (free distribution is part of the company's strategy to solidify its position as an Internet player) to $1,295 for Netscape's Enterprise Server 2.01. An advantage of Netscape's software is that it supports both Unix and Windows NT; Microsoft's product does not. If your current Web site doesn't support SSL, you can retrofit it with a product like SecureWeb Toolkit, from Terisa Systems, in Los Altos, Calif. If you don't have an in-house technology manager who can install the server software, enlist the help of a reseller or systems integrator. The Computer Security Institute, in San Francisco (415-905-2626), can provide references for security experts.

Just because you're using SSL doesn't mean you're ready to hang out your electronic shingle. Your financial institution will want you to register your company with a certification authority so that your on-line banking transactions are secure. Certification authorities are the notaries public of the Internet; you may have heard of VeriSign, of Mountain View, Calif., which is one of the largest. These organizations require you to complete a series of forms establishing your identity; afterward they assign your company an electronic signature, a coded paragraph of numbers and letters that works much like a password or handwritten bank-card signature. Whenever you conduct a Web transaction, the bank contacts the certification authority to verify your electronic signature.

Another emerging protocol designed to safeguard on-line credit-card payments is secure electronic transaction (SET). After initially proposing different protocols, two factions--one led by MasterCard and one by Visa--have agreed on a single standard whose goal is to smooth credit-card transactions between merchants and financial institutions. The Wells Fargo Bank, based in San Francisco, was one of the first to sign on with SET.

SET works much like SSL, except that the retailer never sees customers' credit-card numbers. As soon as customers send their financial data to a Web site that supports SET, the numbers are scrambled. The retailer sends the scrambled numbers to its bank, which then uses SET-compliant software to decode the information. The bank, rather than the retailer, gets the authorization from the credit-card company and deposits the purchase amount in the retailer's account. SET is a boon to sellers because it clears credit-card payments very quickly.

In the real world, payments are made not only with credit cards, but also with cash, checks, and fund transfers. The Internet has its own alternatives to plastic. Digital money--based on technology from DigiCash of Amsterdam--is already being issued in the United States by the Mark Twain Bank of St. Louis. This model--called "Ecash"--works more like a withdrawal from an ATM than a credit-card transaction. Consumers who want to use digital money must open an account with the bank and obtain the appropriate software. Whenever they want to make a purchase on the Web, they first go to the Mark Twain site and withdraw the amount required. Instead of receiving plain-and-simple cash amounts, they are given "electronic coins," snippets of scrambled computer code similar to those produced by SSL or SET. The buyers then copy the code into a participating retailer's Web site. Using DigiCash software provided by the bank, the retailer reads enough of the code to verify the coins' worth and the bank's guarantee. The retailer then sends the electronic coins back to Mark Twain Bank, which credits the retailer's bank account. The two biggest advantages of digital money over credit-card sales are anonymity for consumers and low processing costs for retailers.

To date, however, the digital-cash concept has not been warmly embraced by a critical mass of consumers. CDnow has received next to zero in digital cash since it began offering that payment option earlier this year, Olim reports. Other on-line retailers, including Cyberian Outpost and Computer Literacy, based in Sunnyvale, Calif., say they'll begin accepting digital cash as soon as customers request it. Cyberian Outpost's Peck thinks it may take years for consumers to become comfortable with digital money.

Some retailers say they actually feel more at ease doing business on the Web than in a regular store. Anyone buying a product on-line must provide a shipping address, and that information could help authorities track down the culprit if, for example, a credit-card number turns out to be stolen. "In a physical store, the credit-card thief just walks away, and I'd never be able to get hold of him," says Chris MacAskill, president of Computer Literacy.

But for Internet commerce to thrive, buyers must become as confident as sellers. Many retailers expect that will happen as soon as the newness of both the medium and the players wears off. "Perception about security threats is the only problem with Internet security," CDnow's Olim says. "If consumers are buying from a company with a recognized name, there is no fear factor."

Alan Joch is a writer and editor based in Francestown, N.H., who specializes in emerging technologies.