Electronic Commerce

Online transactions may be the biggest opportunity yet for the neglected chip-loaded cards.

by / April 30, 1999
Two years ago, Utah investigated the use of a smart-card driver's license. The idea was to have a license that could store biographical, insurance, medical and health information about the driver on a microchip embedded in the license. But the project was quickly killed by the Legislature after consumer groups and the media voiced concerns about privacy and "Big Brother" government.

"No one has dared to touch the issue since then," said David Moon, Utah's chief information officer.

North America, especially the United States, hasn't embra-ced smart cards, the plastic cards with built-in microchips. Whether for storing money or information, use of the cards has never caught on. Around the world, however, smart-card use is growing rapidly, 30 percent annually by some estimates. From Europe to South America to Asia, smart cards are used for payphones, wireless telephony, Internet access, banking, healthcare and pay TV. Drivers' licenses with silicon chips are beginning to appear in certain countries.

In the United States, however, smart-card use has been extremely limited, mostly in pilot projects and limited applications. But the scope of smart-card business in this country could expand thanks to the rapid evolution of electronic commerce. Industry experts and government officials believe that smart cards could provide the means to overcome one of the biggest hurdles facing electronic commerce: authentication. With digital signature technology embedded in a smart card, a user could simply swipe a card through a reader to authenticate themselves and their transaction.

"Smart cards are one of the few tools for maintaining privacy and security and are more trustworthy than software on an unsecured network," said Donna K. Farmer, president of the Smart Card Forum, a 200-member organization of card manufacturers and vertical industry users of smart cards based in McLean, Va. "The cards are an enabler [for electronic commerce] because they are fast and easy to use."

Many Cards, Few Uses

Similar in size to today's plastic credit, debit and payment cards, smart cards contain an embedded silicon chip that can simply store data in memory or perform as a microprocessor. Memory cards gained popularity in Europe, where they have been used to pay for phone calls and other small cash transactions. Since then, they have been used as access-control devices and for authorizing certain banking transactions.

Some of these applications have produced significant benefits, cutting telecommunications costs and
reducing fraud for the companies that use them while providing convenience for customers. More than 676 million cards, costing from 80 cents to $15 apiece, were used worldwide in 1996, according to the consulting firm Frost and Sullivan, based in Mountain View, Calif. An estimated 3.4 billion cards will be used worldwide by 2001, according to Dataquest, a San Jose-based market research firm.

In the United States, however, barely 3 million smart cards can be found in the wallets and purses of Americans. The failure last year of a high-profile smart-card test on the Upper West Side of Manhattan has only reinforced the image here of smart cards as a solution in search of a problem. According to Farmer, using smart cards for stored value, as in Manhattan, when a well-developed infrastructure for payments involving credit and debit cards already exists never made a lot of sense.

Where smart cards are expected to catch on is in the field of security and authentication for electronic-commerce transactions. As electronic commerce becomes more sophisticated, involving everything from applications for mortgages to tax filings, users are going to require greater levels of security to ensure that their transactions are protected from tampering. More importantly, parties involved in sensitive transactions will want to be sure the other party is who he or she claims to be.

Digital signatures can provide this level of authentication and security through encryption, but it requires the use of software on the open Internet as well as an infrastructure for managing the public keys that allow thousands, perhaps millions, of people to electronically sign documents and forms. Smart cards offer a way around the software and infrastructure problems.

Smart cards make it easy to digitally sign documents, and they are fast. Cards also are safer than software solutions because the user carries his encryption information with him. It's not stored on a hard drive, therefore vulnerable to crackers. Finally, smart cards are portable, allowing a user to maintain digital security and identity regardless of location. With smart cards, a user can send digitally signed e-mail from different computers.

Infrastructure and Standards

Using smart cards for securing and authenticating online transactions has yet to happen on a broad scale. A significant problem is the lack of infrastructure. For smart cards to work, they need readers. Currently, PCs don't have built-in readers, though manufacturers are expected to add them to some PCs in the next six to 12 months, according to Farmer. She also mentioned that some smart-card companies are developing readers that plug into existing computer ports.

Another problem plaguing smart-card adoption has been the lack of standards. Not only in North America, but throughout the world, smart cards don't work with different systems. Proprietary technology has stifled interoperability and made it harder to create multiple-application cards.

Multiple-use smart cards could be especially important to government, according to the General Services Administration, which has been evaluating and testing the technology for several years. A taxpayer could use one card for health visits, cash benefit withdrawals, food stamp purchases, public-transit rides and so on. According to Farmer, smart-card companies have already adopted American National Standards Institute requirements to smooth the way toward uniformity.

Another development on the horizon is Java, a portable programming language that works across different operating systems. Java could pave the way to interoperability and open the door to multiple-application cards. Farmer sees more trouble in linking smart-card applications with the relevant IT systems that can make the cards more useful.

"I think the real problem won't be standards, but making sure that whole systems work together," she said.

But the real headache could be entirely nontechnical. The smart-card industry and the user community, including banking, retail and government markets, have to promote public awareness of what smart cards will and will not do. Almost every government agency that has become involved with smart cards has had to address public concerns about privacy. Utah learned the hard way what happens when misinformation about the technology raises fears. "It was the biggest barrier in our case and it was due to a lack of understanding and education," said CIO Moon.

Farmer agreed that education is the key to overcoming the public's perception of the technology as some form of Big Brother.

"So many of our records are digital. That's not done by the cards," she said. Putting personal information on a card shifts the security risk away from the porous Internet, according to Farmer. Instead of having that information on unsecured networks, it remains with the person. If the card is lost, the likelihood of someone finding it who has the time and tools to decode and remove the data is extremely remote.

"They are like PCs in a pocket," she added. "Their portability makes the data they carry safer, not less so."

Tod Newcombe is the author of Electronic Commerce: A Guide for Public Officials. Additional information is available by contacting Lucinda McKevitt of Government Technology at 916/932-1300.