PUBLIC FORUM ON CERTIFICATE AUTHORITIES AND DIGITAL SIGNATURES: ENHANCING GLOBAL ELECTRONIC COMMERCE

W. Lamar Smith
Senior Vice President
VISA U.S.A., Inc.

JULY 24, 1997

Summary

It is a great pleasure to participate in this Public Forum on Certificate Authorities and Digital Signatures to offer Visa's views regarding the use of digital signature technology and the establishment of appropriate policies to "enhance global electronic commerce."

As a leader in consumer-oriented electronic payments for more than twenty years, Visa has had a substantial and positive impact on both retail commerce and the financial services industry by providing and operating a payment system that delivers significant benefits to the financial institutions that own the system and to the merchants and consumers who use it. Over this time, Visa has worked closely with its Member financial institutions to address their needs for maintaining a secure payments infrastructure in a rapidly changing business environment.

Electronic commerce over open networks creates new requirements for authenticating the parties to a transaction and for ensuring the integrity and security of the transaction data. These requirements, however, are simply extensions of the existing infrastructure used by Visa and its Members to operate the Visa payment system and manage payment system risk. This infrastructure includes operating rules that establish the allocation of responsibilities among participants, risk control services that help participants manage their exposures, and an overall technology platform that provides secure transaction processing. Visa is currently adding to its operating rules and risk control services to address the new requirements of electronic commerce.
In addition, Visa is implementing an authentication and security protocol, Secure Electronic Transactions ("SET"), developed together with MasterCard and other technology vendors, to provide the authentication and transaction security required to support payments over open networks. SET thus supplements Visa's existing framework in the electronic transaction payment environment. A key aspect of this protocol is its use of digital signatures and digital certificates to authenticate the parties to a transaction. Since SET is currently being implemented throughout the world, we would like to describe current governmental initiatives, both domestic and international, that relate to digital signatures and may adversely affect the implementation of the protocol. It is most important that any policy adopted by the Administration be flexible enough to accommodate all of the various digital signature models, including SET, that may use digital or electronic signatures and/or certification authority-like organizations to secure and promote on-line transactions.

Visa has a strong practical interest in this topic. It is the world's largest consumer payment system and is made up of over 20,000 financial institutions from around the world. It is a common misconception that Visa issues credit cards. In fact, Visa payment cards are issued by our member financial institutions ("Members") to their customers; Members are called "Issuers" when they play this role. Visa Members may also have a relationship with merchants that allows the merchant to accept Visa cards for payment; Members are called "Acquirers" when they play this role. Visa's global network allows holders of the 560 million outstanding Visa cards to use their cards at 14 million locations around the world.
Merchants accept Visa cards as payment even though they may never have seen the Visa cardholder before, because they know that if they follow the proper procedures set forth in the contract with their Acquirer, they will be paid for the transaction. Similarly, cardholders use Visa to pay for transactions because they trust Visa and their Issuing bank. Visa cards enable cardholders to use the same card to shop in over 250 countries and territories throughout the world, but cardholders would not use their Visa card if they did not trust Visa and their bank.

In the physical world, a merchant recognizes a Visa cardholder by the Visa logo on a plastic card. Today these cards also carry a hologram for additional security. A cardholder recognizes a Visa merchant by the decal with the blue and gold banded Visa flag. In electronic transactions, however, a merchant doing business on the Internet cannot look at the card. Similarly, the cardholder has a difficult time confirming the identity of the merchant.

To address this concern, Visa and MasterCard, along with leading technology vendors, have developed a protocol for identifying counterparties and securely conducting transactions over open networks. In addition to enhancing the security and integrity of the transaction message, SET uses digital signature technology to authenticate the parties in a payment transaction. SET has been endorsed by the financial industry and the payment card industry as a leading standard for commerce on the Internet. Indeed, Visa cardholders and merchants are already using SET in various parts of the world to conduct electronic commerce. Just as Visa and other payment cards simplified and encouraged growth in certain areas of commerce, such as mail order catalogues and hotel and airline reservations, Visa anticipates that SET will facilitate a new era of electronic commerce.
Every day, more and more merchants and cardholders are buying and selling goods and services over the Internet with Visa cards using the SET protocol. Because SET relies on digital authentication techniques, Visa has a strong interest in that technology and the policies surrounding it. Many regulators and legislators have also recognized that this technology will play a key role in the Information Age. They, in turn, have begun to propose and, in some cases, enact legislative responses in many different forms. Today, I would like to express some of our concerns about the potential adverse effect of this proliferating legislation on the utility of digital signatures.

I. A Paradigm for Digital Signatures

Any discussion of policy must distinguish the different environments in which digital authentication technology will be used. There are basically two contexts in which digital signatures are likely to be of particular value: general public use and private system use.

The classic example of general public use of digital authentication occurs when two strangers with no existing relationship, direct or indirect, want to conduct business electronically (for example, placing orders or signing contracts) and need a method of verifying each other's identity or authority. In this context, public use digital signatures and certificates may be the only independent common reference point that allows them to trust each other. Under these circumstances, it is possible that some governmental regulatory scheme will be needed so that it is safe to rely on a stranger's digital signature, although there are certainly proponents of self-regulation and standards as the best approach even to this problem.

Visa, however, is more directly concerned with the second category: private system use. The use of SET on the Internet is an example of a private system that uses digital authentication.
Even though the merchant and the cardholder may never have met before, the cardholder is already linked to the merchant by a series of contracts among the cardholder, the Issuing bank, Visa, the Acquiring bank and the merchant. Through these contracts, the terms and conditions for the use of the Visa card have been agreed upon by all the parties before the transaction takes place. Therefore, even though the cardholder and merchant may not know each other, they can confidently conduct commerce because they know they can trust Visa and their respective banks. Adding digital authentication to this set of relationships does not change the relationships; it simply adds a new dimension of security to electronic transactions based on these pre-existing relationships.

Just as Visa added the hologram to promote security in the physical world, it has introduced digital signatures to promote security on the Internet. Such an effort to increase security should not be hampered by governments adding a new layer of regulatory requirements that might revise the relationships that already exist among Visa, cardholders, Members, and merchants. This is particularly true in the financial sector, where governments already comprehensively regulate industry participants to ensure the security and integrity of payment system activity. Instead of focusing on specific technology issues, these regulations concentrate on assuring the overall safety and soundness of financial institutions. Given this existing regulation of the financial services industry, we believe that special legislation to govern the use of digital signatures by private financial systems is unnecessary and could conflict with the current regulatory regime. In fact, the prospect of additional legislative or regulatory requirements may actually deter the adoption of digital signatures to improve security in existing financial systems.
When a bank or payment card company considers using digital signatures in today's climate, it has to ask itself whether some government somewhere may some day decide to impose regulations that are inconsistent with the system it has deployed. We are concerned that well-meant but ill-considered government regulations would undercut the investment we have already made or would unnecessarily drive up the cost of fielding this technology. Financial institutions hoping to improve payment card security by using digital signatures need certainty about the regulatory environment they will face when those signatures are deployed. The current climate, with its multiplying state and international digital signature regulatory schemes, promises more chaos than certainty.

II. The Regulatory Environment

A. States

Because it is widely believed that digital signatures will play a critical role in the commerce of the future, the states are trying to actively promote electronic commerce by regulating how the technology is developed and used. Indeed, some states have already passed laws and issued guidelines on the use of digital signatures and the extent to which digitally signed documents will be accepted in legal proceedings. As noted above, some general regulation may be appropriate in this area, particularly to establish the rules for when digitally signed documents are acceptable in a court of law. However, we are most concerned that individual states will adopt unique, perhaps conflicting, regulatory schemes that could significantly delay and complicate the use of this technology. For example, if every state had different mandatory requirements on the use of digital signatures, a cardholder would have to be able to digitally sign documents fifty different ways to comply with all of the state laws. That would be analogous to requiring the cardholder to carry fifty different versions of each of their Visa cards.
This situation could become even worse when the cardholder wants to shop internationally.

The states that have already passed laws and issued regulations governing the use of digital signature technology are focused on situations in which the individuals involved in an electronic transaction are not only strangers to each other but also have no pre-existing contractual basis for their transaction (i.e., the general public use environment). Given this assumption, the states generally have put in place a very robust mechanism to ensure that individuals participating in electronic transactions are who they say they are and that they are inextricably tied to the key pair they are assigned. These regulations call for stringent procedures for verifying an individual's identity before a key pair is certified to them. Perhaps even more fundamentally, these regulations provide detailed criteria used to assess whether those who certify users and their keys are trustworthy and can dependably perform this critical function. Finally, the regulations often require certifying entities to maintain and regularly publish lists of individuals whose certification has been revoked.

The payment card and banking industries, and the SET protocol they have developed for authenticating the parties to financial transactions, operate under a different assumption. In the payment card environment, it is a fundamental feature of the business model that the Issuing and Acquiring banks know who is participating in an electronic financial transaction. In fact, each bank has well-defined contractual arrangements with its merchants and/or cardholders. Accordingly, Visa Members do not need to use SET digital signature technology to identify customers who are otherwise strangers to them; they know that only those who have already been enrolled in the Visa family, as a merchant or cardholder, can participate in a Visa transaction.
Instead, SET uses digital signature technology only to authenticate the parties to a particular transaction and to ensure that the terms of the transaction are not altered from those that the cardholder and merchant accepted. Additional mechanisms that states impose through their digital signature regulations would be, at best, redundant and costly to implement. At worst, they could make electronic commerce with digital signatures practically impossible.

B. International Issues

The concern regarding the 50 states of the United States may be a comparatively easy problem to address. Much more difficult is the international dimension. Many foreign governments are beginning to regulate in this area. The inherently international nature of the Internet makes this type of regulation just as troublesome as inconsistent state regulation.

To take one example, Germany has just passed its own digital signature legislation. The German law contemplates licensing of Certification Authorities based on criteria through which that government will assess the trustworthiness and reliability of candidate certifiers. The cost of the attendant bureaucracy is to be recouped through licensing fees. Certification Authorities are to be subject to government reviews of their business practices, and the government may, among other things, forbid the use of technology it considers inappropriate. The legislation is written broadly enough to permit the German government to dictate what is acceptable digital signature technology. There is no clear statement anywhere in the German law that these detailed and expensive requirements are limited to digital signature systems that enable unrelated stranger-to-stranger transactions. Consequently, it is unclear whether private system applications will be required to comply with any fees or bureaucracy required by the legislation. The German government worked diligently to incorporate the views of industry in drafting its legislation.
Unfortunately, the complexity of the topic and the decision to introduce a comprehensive solution without recognizing the various business environments has led to concern and confusion in the industry.

III. Conclusion

Governments everywhere are competing to be among the first to regulate digital signatures. In the rush, many of the best and most practical uses of digital signatures could get trampled. For all these reasons, Visa recommends that the U.S. government exercise great caution in deciding whether and how to regulate digital authentication techniques. In the context of a financial institution's use of digital signatures, for example, the government should recognize that financial institutions operate within an established regulatory framework, that financial institutions manage risks in an overall business context, and that it is unwise to focus on a single aspect of their operations without considering this overall context.

More broadly, Visa urges the U.S. government to adopt two specific policies to reduce the risks we see in the current environment:

* first, support legislation that would give effect to digital signatures where the parties have agreed to treat them as valid, and would create a federal safe harbor from inconsistent state legislation for "private" systems using digital signatures, so that parties remain free to agree on how to use such systems; and

* second, support "private" use of digital signatures worldwide through coordination with foreign governments to prevent overregulation in this area.