Electronic Commerce Protocols

and

Competitive Strategies:

 

Credit Card Transactions over the Internet

 

prepared for 15.020,

Competition in Telecommunications

 

 

 

 

Joseph Reagle Jr

Brett Leida

 

 

 

 

 

Joseph Reagle Jr. and Brett Leida, 1995.

All rights reserved. No part of this publication may be reproduced, displayed, or transmitted, in any form or by any means without permission of the authors. The authors can be contacted at brett@mit.edu and reagle@mit.edu.

Table Of Contents

1. Introduction

2. The Market for Electronic Commerce

3. The Importance of Technological Standardization

3.1 THE NATURE OF TECHNOLOGICAL STANDARDIZATION:

3.1.1 Standardization Through Market Domination.

3.1.2 Governmental Influence and Standards

3.1.3 Standards Organizations

3.1.4 Commercial Consortiums, Agreements and Alignments -- Open Standards.

3.2 SECURITY AND CREDIT CARD TRANSACTION PROTOCOLS

3.2.1 Communication Layer Protocols

3.2.2 Transaction Layer Protocols

4. Competitive Analysis of Internet Credit Card Schemes

4.1 COOPERATION AND THE INITIAL ACCORDS

4.2 THE CURRENT RIVALRIES AND DISCORDS

4.3 IMPLICATIONS OF TWO IMPLEMENTED STANDARDS

4.3.1 Credit Card Companies and Banks

4.3.2 Software Developers of Gateway Servers

4.3.3 Merchants and the Software Developers of Merchant Software

4.3.4 Consumers and the Software Developers of Client Software

5. Argument - No One Will Dominate the Market on the Basis of the Protocol

5.1 WELL MATCHED COMPETITORS WILL COMPETE FOR REAL PREFERENCES

5.2 NEW TECHNOLOGY CIRCUMVENTS BARRIERS RATHER THAN CREATES THEM

5.3 ALTERNATIVE PROTOCOLS WILL BE VERY COMPETITIVE

6. Conclusion

7. Appendices

7.1 APPENDIX 1 - TIME LINE OF THE STANDARDS BATTLE

7.2 APPENDIX 2 - DIAGRAM OF ALLIANCES

7.3 APPENDIX 3 - CRYPTOGRAPHIC FLOWS

7.4 APPENDIX 4 - THE SSL ATTACKS

7.5 APPENDIX 5 - VOCABULARY

7.6 APPENDIX 6 - COMPANIES

7.7 APPENDIX 7 - MARKET SHARES AND FRAUD RATES OF RELEVANT CC ASSOCIATIONS.

7.8 APPENDIX 8 - ACKNOWLEDGEMENTS

  1. Introduction

The growth of the World Wide Web (web) and advances in the implementation of cryptographic algorithms have complemented the development of each other at an astounding pace in the past five years. Three years ago few knew what the web was; fewer knew anything about cryptography. Today, while few of the people who will use Internet applications understand the nature of the cryptographic algorithms, a break in the ssl protocol (that can be used for transmitting private information such as credit card numbers over the web) has recently made the cover of most major daily papers. The Wall Street Journal has reported on nearly every major story regarding electronic commerce with dedicated attention. Such attention has not been focused on the Internet merely because it is neat, but because of the maxim for doing business in the digital medium: "Follow the money."

Within the past few months it has become obvious that there is a great deal of interest and financial stake involved in the deployment of protocols for the conduct of shopping, for financial transactions, and for various services over the Internet -- particularly the web. Netscape's ipo demonstrated the great optimism and eagerness of investors to risk their money in a potentially lucrative but unproved market. However, Netscape is not the only company providing secure web or commerce products; OpenMarket, CyberCash, First Virtual, ibm, and Microsoft are a few of the competitors in this market. With the announcement by MasterCard and Visa to join with such companies as above and develop a protocol for secure payment over the web, many assumed that one would need only one "card" to play on the Net.

However, in October the alliance broke, and it seemed that a coalition of Microsoft and Visa would compete against Netscape, MasterCard and ibm with each defining a separate protocol to transport credit card and purchasing information from customers and merchants on the Internet to the existing credit card processing networks.

This paper shall address the nature of the burgeoning market, and the major players and explore the strategic and competitive nature of recent events. In Section II, we examine some of the relevant statistics and hype regarding the web. In Section III, we turn our attention to how such protocols often become standards and we then present a brief and non-technical introduction of the protocols in question. In Sections IV we present the characteristics of a market that has a shared protocol and one where the competitors use the standards process and multiple protocols for competitive gain. Finally, in Section V and VI we argue that given the assumption that competition is good and that choice creates welfare, competition over this standard is wasteful for two reasons:

  1. Little to no value would be added to the welfare of the majority of players in the market by having two protocols. The two central, competing protocols, stt and sepp, are essentially equivalent. Hence, no choice in terms of features or capability is gained.
  2. If one player can dominate the market by controlling a standard and excluding others, choice will be lost in terms of those features and characteristics with which people are concerned, namely cost and quality of service.

The Market for Electronic Commerce

    The Internet initially started as a communications medium for researchers in the 1980’s, but since then it has experienced tremendous growth in the type and number of users, hosts, and capabilities. The Internet is composed of 50,000 networks that reach more than 150 countries. Additionally, a recent survey by Nielsen Media Research found that approximately 37 million people in the US and Canada have access to the Internet and 24 million of those people have accessed the Internet in the past three months.

    Historically, most traffic on the Internet was generated by file transfers, and then email. However, within the past year, the use of interactive, hypertext-based graphics browsers, such as Mosaic and Netscape, have become the dominant source of traffic on the Internet. Today, there are at least 100,000 Web servers with approximately 6,000 new servers coming on-line every month. These servers collectively contain almost 12 million individual pages (URLs) with 1 million new pages being added each month.

    Much of this growth is due to the number of businesses establishing their presence on the Web. The "Yahoo" Web directory presently lists more than 23,500 companies and 370 Internet shopping malls. Some of these companies are anticipating a huge market for on-line commerce. A Nielsen study found that approximately 14% of www users have already purchased products over the Internet. Given the present lack of means for secure transactions, one can only speculate about the potential for on-line commerce once these secure transaction schemes are in place. As an indication of the current speculating, the ipo in August of Netscape Communications, a software firm that is developing the most popular Web browser and a secure transaction scheme, made front page of most papers when its stock, which opened at $25/share, jumped to $78/share on opening day. As an indication of the market’s support for a strong future of such technology, Netscape’s stock recently broke the $140/share mark and a two-for-one split was approved by its board of directors.

The Importance of Technological Standardization

The Nature of Technological Standardization:

      Standardization processes and their effects on the progress of technological development is a fascinating topic but largely beyond the scope of this paper. However, we feel a brief explanation of the relevant aspects of this field with respect to our topic is necessary so as to better explain the motivations and actions that competitors have taken so far. For instance, what is to be gained by MasterCard/Netscape offering a protocol to a standards body? Could Visa and Microsoft create a de facto standard? These are some of the questions we shall discuss in the context of the following section.

Standardization Through Market Domination.

        Information technologies are often standardized by a dominant firm in the market. The dominance is a form of market power, often derived from market externalities, or from limited monopolies on intellectual property such as copyrights and patents.

        The example of rsa Data Security is demonstrative of the control one can have over intellectual property. Most cryptographic libraries and functionality used in any application that requires cryptography is licensed from rsa Data Security who stoutly defends what it considers to be its claimed intellectual property rights.

Governmental Influence and Standards

        Within the realm of cryptography, the US government has pursued a controversial policy of limiting the strength of cryptographic algorithms used by companies and citizens of the US -- especially where any of those technologies could be used overseas. The government, through agencies such as nist, can often affect the use of cryptographic standards by requiring that the standards approved by the government be used for all federal projects. This, in turn, advances the use of the standard beyond those with immediate relationships with the government.

Standards Organizations

        Organizations such as ansi, iso, itu, and the ietf are the main bodies (aside from professional societies) where most technological standards setting formally takes place. Each organization has its own history and quirky behavior, and over time many of the organizations have formed a terribly complex structure of relationships. For instance, ansi (American National Standards Institute) coordinates voluntary standards activities, approves American National Standards, and represents the US in many international standards processes, particularly at iso (International Standards Organization) and iec (International Electrotechnical Commission.) The itu (International Telecommunication Union) is a United Nations specialized agency with many of its own committees. One committee with particular relevance to data-networks (X.series) and communications (V.series) is the ccitt (International Telegraph and Telephone Consultative Committee.) These large, national and international organizations are considered to be terribly slow and often highly political.

        The ietf (Internet Engineering Task Force) is the body that sets the standards for the Internet and is now under the aegis of the Internet Society. The ietf process is characterized as being much more informal than the processes of the aforementioned standards bodies. Prior to ietf meetings (which are open to all), Internet Drafts and rfcs (Requests for Comments) are circulated among the interested members of a working group or bof (Birds of a Feather) group for discussion. Anyone may attend meetings and contribute as a member of a Working Group or in the discussions carried out on public mailing-lists. While there is a formal process, generally a characterization of the process is that those protocols that work and are open and interoperable receive more support than those protocols that are closed and lack practicality.

Commercial Consortiums, Agreements and Alignments -- Open Standards.

      While companies can have a great deal of influence in the workings of the bodies above, companies may also form more exclusive consortiums and alliances. Most of the recent electronic commerce announcements can be characterized as one company announcing that it has aligned itself with another company that has a different -- but given the convergence of media and services on the Internet -- complementary focus. Examples of consortiums of Internet companies include the W3C, and CommerceNet; also, financial companies have a long-standing practice of cooperating with regards to automated clearing systems, fund transfers (swift, chips, etc.), and edi (electronic data interchange) systems.

Security and Credit Card Transaction Protocols

      In this paper we are limiting our discussion to those protocols that shall provide security towards extending traditional credit card payment systems to the Internet. We do not address many of the electronic cash or electronic check schemes directly. However, some of those schemes that now label themselves as credit-card schemes hope to be extensible and interoperate with more advanced schemes as they become available. The two levels of protocols we will be considering are those that we characterize as "communication protocols" and "transaction protocols."

Communication Layer Protocols

        Communication layer protocols are those protocols that allow for the properties of privacy, authenticity, integrity, and non-repudiation (pain) to exist at the level of a communications stream or at the level of object being transmitted. For instance, upon entering an Internet mall, one may be authenticated as a user with a valid credit card, and all further communication with the Mall will be kept secure. Such secure communication is carried out by a communication layer protocol.

SSL - Netscape's Secure Session Layer

          Netscape's Secure Session Layer specification was originally released in the fall of 1994 and revisions have been released since. This protocol was designed to provide a secure channel for any tcp/ip connection (http, Gopher, Telnet, ftp, and even s-http) with a simple protocol that could be easily integrated into user-friendly products. This protocol is in wide use today. During the summer and fall of 1995 the protocol was "broken" in a series of embarrassing attacks, and since then Netscape has been eager to point out that the specifications for the protocol have been openly published, and that Netscape welcomes rigorous public bug and security fault testing. They have also contributed the specification to MIT's W3 Consortium and provided a reference implementation for free for non-commercial use, and for a small flat fee for commercial use.

S-HTTP

          Secure-http is a protocol designed by eit and Terisa [see Appendix I for a description of the companies]. Though s-http does provide security at a lower, communications layer, it is different than ssl. For instance, s-http's goal was not to provide a secure channel through which any tcp/ip communication can occur, rather it is intended to extend the functionality of http so that web pages may be authenticated or sent securely from a server to the client as an integral part of http. Also, the specifications and reference implementation have been more tightly controlled than that of ssl.

PCT - MS like SSL

        The announcement of Microsoft's Personal Communication Technology (pct) was made along side the announcement of the Secure Transaction Technology on Sept. 27, 1995 -- at a time that capitalized on Netscape's ssl failures [see appendix 4]. The protocol is very similar to ssl, but Microsoft argues that it has been strengthened by, among other things, unbundling authentication from encryption functionality thus allowing longer keys (greater than 40 bits) for the authentication algorithm.

Transaction Layer Protocols

        The transaction layer protocols act as a mechanism to allow the customer on the Internet to contact a merchant on the Internet and securely purchase goods using the existing credit card processes. The protocols generally operate as follows:

        STT-FLOW.gif (7341 bytes)

        The customer contacts the merchant and asks to see the merchant's credentials. (Note, the initial browsing and negotiation may, in part, be done over the session layer protocols discussed above.) Once the customer sees that the merchant has a certificate signed by a reputable acquiring bank or credit card organization, he then sends his purchasing information along with his payment information (credentials from his issuing bank or credit card company) to the merchant. The merchant can then check the purchase order and the customer’s credentials, forward the payment information to the Internet payment gateway that will then send the information to an existing payment processing network. This in turn performs the operation of authorization or capture (settlement) according to existing protocols.

        1. iKP - IBM
        2. Numerous transaction protocols have been proposed and developed by researchers and companies for electronic payments over the Internet. iKP is a family of protocols that is the basis for nearly all credit card protocols for use on the Internet. iKP itself will probably never be implemented. By having a "family" of protocols, iKP allows for an increasing level of authenticity and security to be deployed as the public key infrastructure of the Net evolves.

          As research progressed, it became clear that iKP happened to be a good model for Internet transactions and that the 3KP protocol would be the more likely implementation. However, the original iKP publication and discussion was not a true specification that could be easily implemented.

        3. NSC - Netscape
        4. Netscape proposed the Secure Courier on July 18, 1995 as the

          "first open, cross platform protocol to create a secure digital envelope for financial data on the Internet. Intuit Inc. and MasterCard International are among companies announcing that they will support the new protocol for securing on-line credit card, debit card, charge card, and micro-financial transactions."

          nsc was also to be capable of supporting what it thought would be a joint MasterCard/Visa security specification for bank card purchases.

          However, nsc is a transaction protocol amazingly similar to iKP. nsc has some implementation differences, one of which is that some of the cryptographic functionality at the transaction level protocol is not used since this protocol is assumed to run over ssl.

          Netscape planned to publish and license Secure Courier to partners in the third quarter of 1995. Additionally, Netscape hoped to leverage the deployment of a nascent public key infrastructure but has been heretofore unsuccessful because of a lack of growth in the public key infrastructure.

        5. STT - Microsoft
        6. For much of the summer of 1995 MasterCard and Visa had spoken of jointly producing a specification for credit card transactions over the Net. However, in late September, Visa and Microsoft announced the Secure Transaction Technology. The protocol itself is very similar to iKP with regards to the technical aspects of transaction protocols.

        7. SEPP - MasterCard

    In less than a week of the stt announcement, the 200 page specifications for sepp was released by MasterCard, ibm, Netscape, gte, and CyberCash. Again, the sepp protocol is related to the iKP protocol and as such, it is also similar to stt. This similarity could be a result of two factors: 1) The involvement of ibm, which designed the iKP protocol on which all the protocols are based, and 2) the close relationship MasterCard had with Visa on developing the protocol prior to MasterCard withdrawing from the Microsoft/Visa announcement. sepp is considered to be more "open" for it has been submitted to an ansi standards body and uses a number of common open standards such as mime messages and X.509v3 certificates, whereas Visa/Microsoft has defined new formats for such functions.

Competitive Analysis of Internet Credit Card Schemes

Having examined the protocols and the standardization processes of those protocols we shall now turn to the analysis of the market in which the protocols exist and potentially compete. The market for secure electronic commerce standards could be characterized by two scenarios:

  1. Cooperative - Credit card companies and financial institutions, software and media companies and merchants will cooperate in the development of an open protocol and messaging format for payment transactions.
  2. Competitive - Credit card companies and financial institutions, software and media companies and merchants will aggressively bundle services and/or content to exploit the payment mechanism, distribution channel (or user interface), economies of scale or scope, and brand of a payment mechanism.

We argue that the players in the market today are not sure which model is the dominant one, and consequently have in a rather confused way, moved from the first scenario to the second. Hence, we provide a brief analysis of each model before presenting our argument that a cooperative effort to establish a single standard for the credit card payment method would create a more competitive market for the services people do care about: cost, features, and quality of service.

Cooperation and The Initial Accords

      As early as February 1995, there was an announcement regarding the alliance between Visa and Microsoft (V/MS) in the development of a secure card transaction protocol. In January 1995, MasterCard and Netscape announced that they were collaborating to develop secure bankcard transaction schemes for MasterCard cardholders and merchants over the Internet (which was expected to be operational by mid-1995).

      However, in June 1995, Visa and MasterCard jointly announced plans to develop a single protocol for credit card payments over the Internet that "in effect, MasterCard has agreed to join -- with minor modifications -- a system that Visa was developing with the Microsoft Corporation." The purpose of the new protocol was to be two fold: (1) to generate certificates for customer/merchant authentication and (2) to secure credit card transmissions over the Internet. To many, cooperation of the two major credit card associations on such a protocol was surprising. However, Newbytes reported that an executive Vice President of Visa, Richard Lonergan, stated, "There are, and there have been, areas where it’s in our best interest to work together," and that he, "... listed other areas where the companies have worked together, including agreeing on traditional point-of-purchase systems in stores."

      These systems are those that allow a merchant to dial any credit card network to authorize or clear a transaction without having to own multiple dial-in terminals for each card association network. A credit card processing flow of such a transaction looks as follows:

      CC-FLOW.gif (5547 bytes)

      A merchant would begin his transaction by running a customer's credit card through a dial-in terminal that would automatically dial the correct network depending on the association being used. The card holder is essentially telling the merchant to tell the customer's card issuer to pay the merchant. The merchant then passes this message on to his acquirer, who then sends it through the Credit Card Association to the card issuer. The return path of the $100 dollars is essentially the same except that each party deducts some amount of money for its efforts. The card issuer will bill the card holder and keep an interchange fee which in this example is 1.3%, or $1.30. However, he must pass the remaining money back to the card association and pay an issuer transaction fee of .07% or $.07. The card association takes the $98.77, deducts a merchant transaction fee (.09%) and returns $98.61 to the acquirer. The acquirer keeps .06% and deposits $98 in the merchants account. The merchant then sees $98 dollars return from the $100 dollar purchase. This charge of $2, or 2%, is called the discount rate and is the basis for much of the competition between the banks of a credit card association. The payment protocols being discussed do not interfere whatsoever with the relationships shown in Figure 2.

      However, a few new charges are expected to be made on the Internet side of operation (Figure 1). A $1 fee will be charged to every issuer for the generation of a Visa or MasterCard certificate for a customer, but the discount rates for the merchants would remain within the normal rate range (1-4%). Additionally, the credit card association would pay for the development of the gateway that interfaces to its current transaction network to the Internet.

      Hence, while MasterCard and Visa are generally viewed as competitors for credit card services, they need not necessarily compete at the protocol level. A single protocol lowers the costs of merchant expenditures on technology (as seen in the point-of-purchase or dial-in systems). A side effect of this is that it also lowers the switching costs of adding or moving from one association/network to another, and it also simplifies processing and consequent costs of banks that issue or acquire for both Visa and MasterCard cards.

      The major motivation for wishing to move quickly on the development of a solid protocol was to reduce the number of credit card numbers being sent over the Internet in the clear. The risk of fraud falls squarely on the constituent banks of a credit card association (aside from a nominal customer fee). As a demonstration of the card companies' concern over this issue, at the time of the joint announcement, MasterCard was considering banning its card from any Internet transactions not using the joint protocol. MasterCard's senior Vice President stated:

      How you make purchases on the Internet with a MasterCard account is for MasterCard to decide... If there are 500,000 merchants on the Internet, we don't want 100,000 of them to keep your credit card number on their computer. We have got to do something to stop that.

      Hence, it appeared that cooperation would be pivotal to bring safe commerce to the Internet -- a benefit to all involved.

The Current Rivalries and Discords

      What seemed to be a collaborative effort to develop an electronic commerce standard by Visa/Microsoft and MasterCard/Netscape in mid-1995 did an abrupt about-face in September. As was previously mentioned, three serious attacks on weaknesses of Netscape protocols were orchestrated or announced on the cypherpunks mailing list.

      While these faults had a high degree of publicity and many decried the lack of security on the Internet, the news failed to have a significant impact on Netscape's stock prices. However, many did not think it was a coincidence that the following month Microsoft and Visa announced that they would develop their own standard for secure communications, stt, that they had been working on since November 1994. With the significant absence of MasterCard and Netscape in the announcement, many considered this to be the end of the large alliance because of infighting between Visa and MasterCard -- and of equal importance -- their respective technology partners Microsoft and Netscape. At the time a MasterCard spokeswoman said, "We're disappointed that Microsoft and Visa have opted unilaterally to take this approach," and implied that the Microsoft/Visa specifications were incomplete and would have a detrimental affect on competition, and as a consequence MasterCard refused to participate. Moreover, at exactly the same time that Microsoft and Visa made the stt announcement, Microsoft announced that it was publishing the specifications for a secure session layer, pct, that Microsoft claimed to be more secure than Netscape’s ssl.

      Several factors contributed to the general public perception that Microsoft’s and Visa’s development of their own standard, stt, without MasterCard and Netscape, was an attempt by Microsoft to create an environment where it would be the sole producer/supplier of software for this market segment. On the same day as the stt/pct announcement, James Clark, chairman of Netscape, asserted that Microsoft had demanded a 20% stake in Netscape and a seat on its board in return for technical information about Microsoft’s operating systems. Such behavior by Microsoft is considered to be typical by many.

      Additionally, the chasm between the two groups of collaborators was further widened when each took a different route to have its protocol become the approved standard for credit card commerce on the Internet. Visa/Microsoft has presented stt to the Network Services Working Group at an ietf meeting in Stockholm over the summer. However, some felt that Visa/Microsoft was merely asking for an ietf stamp of approval. As Dave Crocker, active IETF member, mentioned regarding to the Stockholm meeting and the MasterCard specs, "...the ietf's definition of open is rather more demanding and pertains to control over changes and the decision process for making those changes." Microsoft/Visa have not been willing to relinquish this control for fear of wasting months in slow and politicized standards processes.

      MasterCard/Netscape also presented its protocol to a standards body. In this case, they chose not to go to the ietf, but rather to a body of the X9 ansi banking committee that sets financial network standards. Those concerned about electronic commerce hope that the specific committee, X9A10, will be able to move quickly since its focus shall be devoted to sepp as part of a fast track standards process.

      The path that each alliance chose in the standards process is interesting to consider. Neither alliance wished to relinquish control of its standard to the very public scrutiny of the ietf process. However, neither wished to be seen as a unilateral and domineering force and as such has "marketed" its process as open and interoperable. However, an Internet protocol or interface need not be truly interoperable in the ietf's sense to be successful. Because the underlying protocols of the Internet are based on open standards (TCP/IP), any entity can create applications/protocols to run on top of these open standards and does not necessarily need the approval of its protocol by a centralized body in order to have a successful product. For example, many closed, on-line services are offering Internet gateways and browsers that will allow one to cruise the web without basing their own technology and standards on the credo of openness and interoperability. A successful payment standard could function similarly.

Implications of Two Implemented Standards

      To extend the analysis of a competitive arena, we shall briefly examine each of the types of players and what benefits and complications they could expect from the competition between electronic commerce standards.

      1. Credit Card Companies and Banks
      2. Credit card associations and their constituent banks generally make a very good profit. It was reported in a New York Times article that Lawrence Ausubel, an economist at the University of Maryland, presented results in July to the National Bureau of Economic Research, that showed credit card profits to be nearly 5 times greater than profits made by other banking activities. One of the most significant reasons for this finding is the uncompetitive interest rates charged to consumers who did not consider this rate when choosing a card because they felt they would never be tardy in paying their bills. A recent journal article examined interchange fees and market power in a series of anti-trust cases whereby credit card associations attempted to exclude banks with lower fees from their networks. The journal article concluded that:

        The collective setting of interchange fees and membership rules have drawn close antitrust scrutiny, but as we have shown...credit card joint ventures can have and exercise market power through the collective actions of their members.

        Hence, credit card associations do not wish to implement protocols in any way that would disturb the traditional processes.

        Furthermore, each credit card association would benefit by being able to 1) motivate a user of another credit card to use their own, 2) motivate a merchant to exclusively use their own network in all transactions, and finally 3) to keep their own customers and merchants. They accomplish this by getting to the market the first, and by bundling their protocol with web browsers and applications. For instance, if 70% of the people on the Internet use Netscape, and Netscape supports only MasterCard, then those people will be much more likely to exclusively use MasterCard.

      3. Software Developers of Gateway Servers
      4. Both stt and sepp are open standards such that any software developer can obtain the specifications free of charge to write both the client software and merchant server software. However, it remains to be seen how open the specifications are such that other software developers can write the code for the Internet-Credit Card Network gateway servers. For instance, Microsoft/Visa have urged MasterCard to adopt stt for its own processing. However, we also know that Microsoft is being paid for its server development for Visa by a usage-based fee on transactions occurring over that server for a contractual, fixed period of time. It would seem logical that Microsoft will not be eager for others to develop such software, which could, in a few years, even compete with Microsoft's relationship with Visa. However, we expect that Microsoft will gain a significant first mover advantage and place on the learning curve by being a pivotal player in the development of the specifications, development of payment servers, merchant software, and client software.

      5. Merchants and the Software Developers of Merchant Software
      6. A merchant and developers of merchant software could benefit in a way that is symmetric to the benefits of the credit card associations. A merchant would wish to essentially capture consumers he would not have had to access to before. He could do this by aligning himself with the strongest credit card company (Visa, based on penetration rates) or browser (Netscape, based on usage rates.) web server developers would attempt to persuade merchants to purchase their software with similar reasoning.

      7. Consumers and the Software Developers of Client Software

Browser software is often given away. People wish to tie users of a particular browser to some other service for which someone pays, which may not be the consumer directly. All of the above competitors hope to profit by bundling all possible preferences (browser, credit card company, network type -- Internet or Microsoft Network) of a customer to the preference that the customer will most strongly express. Hence, a customer may have his choice restricted with regards to his lesser preferences.

Argument - No One Will Dominate the Market on the Basis of the Protocol

    In this section we shall present our argument that the above competitive scenario is very unlikely. Though the two alliances could very well attempt to compete on the basis of bundling services with a credit card payment protocol, we shall argue that they shall not gain any competitive advantage and only create higher costs for electronic commerce.

    1. Well Matched competitors will compete for real preferences
    2. By real preferences, we mean that consumers, clients, and software developers will demand a certain quality of service or cost. For instance, customers will want to use the browser that may allow them to change their fonts, merchants may wish to support both MasterCard and Visa, and software developers will wish to fulfill the merchants' desires! Considering the members of each alliance, each with its strengths and weaknesses, we feel neither side will unduly dominate the market. Or at least, neither side will certainly not accomplish this market domination by constructing barriers on the basis of arbitrary preferences -- competing protocols which are all but hidden (transparent) from users and merchants alike and that are functionally equivalent! Also, we do not expect anyone will obtain a overwhelming first mover advantage. The technology is new and the demand is just starting -- both protocols should be operational before shopping on the Internet becomes a significant activity.

      Interestingly, we expect that the credit card companies themselves realize this, for they do cooperate on the message formats and protocols used in credit card processing networks. Visa, MasterCard and Europay have even created a joint standard (vme) for smart card technology. Allegedly, the timing of the contentious announcements were pre-arranged months in advance and the parties were talking hours before the actual announcement. Hence, the broken alliance may have been more of a result of confusion, time pressure, and some non-cooperative egging on by Microsoft rather than any monopolistic conspiracy.

    3. New technology circumvents barriers rather than creates them
    4. Internet technology has profited from interoperability and openness. One must be aware of this before thinking that the technology could arbitrarily limit choice rather than promote it. For instance, given that a merchant really wishes to use a Netscape server, but support Visa transactions, Visa could simply distribute cgi scripts that can implement all the functionality required to use Visa's protocol though it was not implemented in Netscape’s server. A customer could perform a similar tactic. Current payment systems such as DigiCash take advantage of helper-apps. These are applications that automatically pop up next to a users' browser to handle, play or view information the browser does not recognize. This information can be images, MS Word files, sound files, or payment messages!

      Furthermore, technology itself changes at an astounding pace. Some users download beta versions of browsing software on a semi-monthly basis! Hence, consumers are not at all hesitant to move on to the newest technology available and as such the market is extraordinarily dynamic.

    5. Alternative protocols will be very competitive

    There are many electronic commerce protocols in development that provide better features, capabilities, and may not be burdened with the cost structure of supporting the Internet infrastructure as well as the existing credit card processing networks. Check, debit schemes and cash (that may one day support anonymity, transferability, and divisibility) schemes are all well under way to deployment. Thus, if the transaction schemes for secure credit card commerce on the Internet are too complex and expensive for the merchants and consumers to implement, these schemes could be replaced by alternative payment schemes of electronic checks and digital cash.

Conclusion

    We have shown while there may be an impulse to bundle some services (network, payment, and user applications) it may not be wise to base the bundling on a transparent protocol that competes with other functionally equivalent protocols. Such actions introduces a number of costs. If we were to assume that some market power is created by integrating sepp and stt with other services exclusively, this exercise of monopolistic power would increase the welfare of the dominant firm. It would also decrease the general welfare of the consumers (both on-line merchants and customers.) Consumers would not purchase the utility maximizing quantity of the service they desire. Rather, they would purchase a lower quantity of an inferior service -- their choice being arbitrarily restricted. Also, the ensuing lack of competition would create inefficiencies for the allocation of resources that are needed for the development of an efficient electronic commerce market.

    This exercise of market power could occur by establishing "switching costs" that make it difficult for a merchant or customer to switch from one standard to another, or to use both standards at the same time. However, we feel the switching cost will not be prohibitive enough to actually garner significant market power for any competitor. As such, it is a wasted effort which would be better spent on ensuring the continued profitability of credit card transactions. This can be accomplished by developing a single, secure and efficient protocol that the credit card companies will need to rely on to compete with potentially superior, up-and-coming payment schemes.

Appendices

Appendix 1 - Time Line of the Standards Battle

      June 23, 1995 Visa and MasterCard announce plans to develop a protocol for credit card payments over the Internet. Visa's alliance with Microsoft, and MasterCard’s alliance with Netscape are public knowledge. However, even though, "MasterCard and Visa are two companies that are usually viewed as competitors. 'There are, and their have been, areas where its in our best interest to work together,' Richard Lonergan, Visa's executive vice president, point of transaction, said. He listed other areas where the companies have worked together, including agreeing on traditional point-of-purchase systems in stores."

      July 13, 1995 CyberCash and CheckFree announce a joint venture of offering products which can be easily integrated into any browser or merchant server to credit card or debit transactions over the Internet.

      July 18, 1995 Netscape announces Netscape Secure Courier. Intuit and MasterCard announce they will support this protocol in their products and services.

      August 21, 1995 "VeriFone (NYSE:VFI), a developer of automated transaction systems and software, announced an agreement to acquire Enterprise Integration Technologies (EIT), a developer of software and services related to Internet commerce. The $28 million deal is intended to strengthen VeriFone's position in the market of Internet commerce."

      September 27, 1995 - Visa and Microsoft release news related to the stt specifications. MasterCard and Visa are "noticeable absent" from the announcement.

      Microsoft also releases pct, complaining that Microsoft felt uncomfortable with the level of security in Netscape's ssl.

      Fears that Microsoft will charge a transaction fee for every credit card over the Internet are raised.

      September 28, 1995 - News regarding Microsoft's demand of a 20% stake in, and a seat on the board of Netscape becomes widely publicized. On the 27th, "James Clark, chairman of Netscape, asserted that Microsoft had demanded a 20% stake and a seat on the board of Netscape earlier this year in return for giving Netscape important technical data on Microsoft's new operating system."

      October 3, 1995 - MasterCard releases news of the sepp specifications to the world along with its partners ibm, Netscape, CyberCash Inc. and gte. Some of the similarities between it and stt are startling.

      November 16, 1995 - Dave Crocker reports that John Gould of MasterCard formally turned over the sepp specifications to ansi that afternoon at a MasterCard briefing at Comdex. Glenda Barnes, chair of X9F, accepted the specification and reported that the ansi body X9A10 had been formed and would pursue further work on the specification. Of importance with regards to time, was that the specification would be fast-tracked via the DSTU process. The new working group is chaired by Tom Jones of Intel -- previously with ViaCrypt -- and is being carried out in the banking area, X9A, chaired by Mark Zalewski, with cooperation from the security area, X9F. Two of X9F's working groups are likely to cooperate, one on access control and one on network security.

      November 17, 1995 - Microsoft shares drop $4.125 at $89.875 on Nasdaq after the highly regarded money manager analyst Rick Sherlund of Goldman, Sachs & Co removed MS stock from his companies recommended list and downgraded it to "moderate outperformer" status. This action was taken because of concerns over Microsoft's Internet strategy and its competition from telcos, ibm, Netscape, and others in the Internet realm.

Appendix 2 - Diagram of Alliances

       

      ORG.gif (15751 bytes)

       

    Appendix 3 - Cryptographic Flows

    RSA.gif (19269 bytes)

    Appendix 4 - The SSL Attacks

    The first attack upon the SSL protocol was an exhaustive attack on the 40-bit keyspace of the underlying RC-4 cryptographic algorithm. However, this key length is forced upon Netscape and other companies that wish to export their products by the US International Trade in Arms Regulation. The second and third attack were embarrassing to Netscape because they were implementation errors. The second attack was when two students were able to determine the seed of the random number generator used in the protocol -- and hence were able to easily decipher the messages. The third attack was more of an attack on the Netscape browser rather than the ssl protocol and was accomplished by sending a URL that overflowed Netscape's internal field and caused the program to crash with potentially dangerous and directed attacks against the users' computer.

Appendix 5 - Vocabulary

      Taken from Secure Electronic Payment Protocol: Draft Version 1.2.

      Glossary

      Acquirer Financial institution member of MasterCard supporting merchant activity with account relationships with merchants.
      Acquirer Gateway The acquirer gateway is a system which provides electronic commerce services to the merchants in support of the acquirer, and interfaces to the acquirer to support the authorization and capture of transactions.
      Authentication The process of verifying the true origin or nature of the sender and/or the integrity of the text of a message. Authentication in public key systems uses digital signatures.
      Authorization The permission, granted by a properly appointed person or persons, to perform some action on behalf of the organization. This is a process which confirms that a given payment does not raise the account holder's debt above the account's credit limit, and reserves the specified amount of credit.
      Banknet The existing financial network which interfaces Acquirers, Issuers, and (now) the Certificate Management System.
      Browser Software resident on the cardholder processing system (usually a PC) that provides an interface to public data networks.
      Capture Process by which charges are debited to the credit account.
      Cardholder Holder of valid credit card account and user of certified browser software holding a certificate supporting Electronic Commerce.
      Certificate A digital certificate is a special kind of digitally signed message that contains information about a public key and the owner of a public key. A certificate issued and signed by MasterCard binds the public key to the account number.
      Certificate Renewal Process by which a new certificate is created for an existing public key.
      Certificate Request Server Element of the Certificate Management System which provides certificates to cardholders.
      Certificate Revocation The process of revoking an otherwise valid certificate by the entity which issued the certificate.
      Digital Signature Information encrypted with an entity’s private key which is appended to a message to assure the recipient of the authenticity and integrity of the message. The digital signature proves that the message was signed by the entity owning, or with access to, the private key.

      Continued on next page

       

      Glossary (continued)

      Goods and Services Order The price, currency, payment method, and other terms of the transaction.
      Issuer Financial institution member of MasterCard issuing credit card products to individuals.
      Merchant A seller of goods, services, and/or other information who accepts payment for these items electronically. The merchant may also provide electronic selling services and/or electronic delivery of items for sale.
      MIME mime is an Internet standard for the description of multi-part messages, often associated with electronic mail.
      Private Key A mathematical key (kept secret by the owner) which is used to create digital signatures, or to decrypt messages or files.
      Public Key A mathematical key that is available publicly. It is used to verify signatures that were created with the matched private key. Public keys are also used to encrypt messages or files which can only be decrypted using the matched private key.
      Public Key Certificate Public key and identification data signed by a trusted third party to provide authentication and integrity of the key.
      Public Key Cryptography A field of cryptography invented in 1976 by Whitfield Diffie and Martin Hellman. Public key cryptography depends on a matched pair of inverse keys. Information encrypted with one key can only be decrypted with the other. This public key provides a user with the facility to both encrypt and decrypt data or text.
      Root Certificate Certificate at the top of the certificate hierarchy.
      Server Software resident on network interface systems that performs transaction processing and communication support to gateway communication of parties connected to the public data network with parties directly connected to the system.

Appendix 6 - Companies

      The descriptions of the following companies were taking directly from their own web pages when possible.

      CommerceNet - The CommerceNet Consortium is a nonprofit corporation operating under a matching funds cooperative agreement from the United States government's Technology Reinvestment Project (TRP). CommerceNet was proposed to the TRP council in 1993 by the core development team of the CommerceNet Consortium, which includes BBN BARRNET, Enterprise Integration Technologies (EIT) and Stanford University's Center for Information Technology (CIT). Other members include OpenMarket . . .

      URL: http://www.commerce.net/cgi-bin/textit?/index.html

      Cybercash - CyberCash, Inc. was founded in 1994 to assist electronic commerce by now providing a safe and convenient payment service for the Internet. The CyberCash Secure Internet Payment Service makes the purchase of goods and services on the Internet safe and easy for consumers, merchants and their banks. Technology Partners - rsa Data Security, Inc., Sun Microsystems, Trusted Information Systems, VeriFone, Enterprise Integration Technologies Corp., Cisco Systems, Inc.

      URL: http://www.cybercash.com/cybercash/about.html

      EIT - Enterprise Integration Technologies (EIT) is a recognized pioneer in the development of software and services for electronic commerce on the Internet. Soon to be a wholly owned subsidiary of VeriFone, EIT, will be developing technology, products and services for VeriFone's new Internet Commerce Division. EIT has played significant management roles in Terisa Systems, a company that develops, markets, licenses, and supports technologies that make secure Internet transactions possible and CommerceNet Consortium, which facilitates the use of an Internet-based infrastructure for electronic commerce to allow efficient interactions among customers, suppliers and development partners.

      URL: http://www.eit.com/new/employment/

      FTP Software - FTP Software is the award-winning, number-one provider of tcp/ip networking for PCs. A company of 600 with over 150 developers, FTP has the largest independent tcp/ip for PC development and support staff in the industry. FTP also offers custom product development to meet enterprise needs, and is pleased to provide customers with system consulting and integration services.

      URL: http://www.ftp.com/mkt_info/CoOverview.html

      IBM Zurich Security Research Group - The Security Groups of ibm Research in wthorne and Zurich have jointly proposed an architecture and protocols for electronic payments over open networks.

      URL: http://www.zurich.ibm.ch/

      Internet Shopping Network - The Internet Shopping Network (ISN), a division of the billion-dollar television retailer Home Shopping Network, Inc., is the first large-scale enterprise to embrace the Internet as a new medium for conducting commerce worldwide.

      URL: http://www6.internet.net/

      MasterCard - MasterCard International is a worldwide payment systems company of 22,000 financial institutions that issue MasterCard(R) Cards and make available other MasterCard products and services in more than 220 countries and territories around the world. No matter where in the world you are, you're never very far from one of nearly 13 million locations displaying the MasterCard interlocking circles. . .And you'll be happy to know in light of all the recent talk about security on the Web, that we're working to bring you technology that, by year-end, will let you use your MasterCard Card as a safe and an efficient way to pay for what you buy whenever you're shopping at your favorite "cyberstores."

      URL: http://www.mastercard.com/Info/info.htm

      Netscape - Netscape Communications Corporation intends to be the premier provider of open software that enables people and companies to exchange information and conduct commerce over the Internet and other global networks.

      URL: http://home.netscape.com/comprod/netscape_mission.html

      OpenMarket - Founded in 1994, Open Market, Inc., is a leading provider of industrial-strength business solutions for the Internet, helping Fortune 1000 companies to successfully expand their businesses into cyberspace. With a combination of best-in-class Internet business software and industry-specific solutions, Open Market provides the leading product suite for electronic commerce and enterprise-wide applications.

      URL: http://www.openmarket.com/

      RSA - rsa Data Security develops and markets platform-independent software developer's kits, end-user products, and provides comprehensive consulting services in the cryptographic sciences. rsa's two major toolkits, BSAFE and TIPEM, provide the security "engines" for some of the world's most advanced software packages, including Apple System 7 Pro, Novell NetWare, Lotus Notes, Microsoft Windows for Workgroups, and WordPerfect InForms.

      URL: http://www.rsa.com/

      Visa - Visa is the world's largest consumer payment system. It plays a pivotal role in developing and implementing new technologies that benefit its 18,000 member financial institutions and their cardholders, businesses, governments and the global economy. Visa's 420 million cards are accepted by more than 12 million merchants worldwide. Visa/PLUS is the largest global ATM network.

      URL: http://www.visa.com/press_releases/visa_stt_pr92795.html

Appendix 7 - Market Shares and Fraud Rates of Relevant CC Associations.

       

      10 Years of US Charge Volume:

      Visa, MasterCard, AmEx, and Discover

      (in billions)

       

      Visa

      MasterCard

      American Express

      Discover

      Total

       

      Volume $

      Market

      Share %

      Volume $

      Market

      Share %

      Volume $

      Market

      Share %

      Volume $

      Market

      Share %

      Volume

      $

      Trans-actions

      1990

      151.8

      45.4

      93.1

      26.7

      77.6

      22.3

      19.7

      5.7

      348.5

      4.36

      1991

      170.7

      45.9

      98.8

      26.6

      76.6

      20.6

      25.0

      6.7

      371.1

      4.63

       

       

      Fraud and Bad Debt in the US: 1989-1991

      (in millions of dollars)

       

      Fraud

      Bad Debt

       

      Visa

      MasterCard

      Total

      Visa

      MasterCard

      1989

      133.8

      73.0

      206.8

      2416.5

      1808.0

      1990

      189.7

      127.8

      317.5

      3304.3

      2070.0

      1991

      307.2

      198.6

      505.8

      4694.3

      3229.9

      Source:

      Credit Card Management. Card Industry Directory: The Blue Book of the Credit and Debit Card Industry in the United States 1993 Edition. New York: Faulkner & Gray, Inc., 1992.

       

Appendix 8 - Acknowledgements

We would like to thank Elicia Maine, Win Treese, and David Melancon for their knowledge and time that they shared with the authors. Also, a thanks is extended to the participants of the cypher-punks and www-buyinfo mailing lists for providing an information rich resource and forum for the discussion of these issues.