Treasury tests smart cards

The Treasury Department and eight vendors last week launched a pilot to test the use of a smart card security application for World Wide Web-based financial transactions.

The new pilot, announced last week at the E-Gov 98 conference in Washington, D.C., is the first joint Secure Electronic Transaction (SET)/smart card pilot in North America, agency officials said. SET is an industry-standard security specification for Internet credit card transactions.

Treasury's Financial Management Service (FMS) and the Bureau of Engraving and Printing are working with several vendors on the pilot, which will allow up to 200 people to use smart cards with elliptic curve technology to purchase from a Treasury Web site such items as uncut currency, coins and videos of the history and production of money. The pilot runs through Sept. 30.

Treasury is using elliptic curve technology from Certicom Corp., San Mateo, Calif., to secure the various e-commerce processes in the pilot, including the smart card, software client, merchant and gateway servers, cryptographic hardware and certificate authorities that attest to the credentials of the user, merchant and gateway.

Elliptic curve technology is an alternative public-key technology used for digital signatures, encryption and other security functions. Each MasterCard smart card securely stores its user's private key and certificate and generates digital signatures to authenticate the user.

This is the first SET pilot that incorporates the use of low-cost smart cards, said Philip Deck, president and chief executive officer of Certicom. Each card will cost $4 to $6, depending on volume.

"No one's really religious about what cryptography system they use; they just want one that drives the cost down," Deck said. "The ability to use smart cards, to improve the efficiency at the gateway and [to] support multiple algorithms are the chief goals of this pilot. Smart cards...allow us to have a secure physical token...to make sure you haven't got duplicate identities."

In addition to Certicom and MasterCard, several other firms contributed technology to the pilot, including Bixler Inc., Digital Signature Trust Co., GlobeSet Inc., Litronic, Rainbow Technologies, Schlumberger, Mellon Bank and Zions Bank.

Michael Cation, chairman and CEO of GlobeSet, which is providing the SET digital wallet, payment gateway and certificate authority software tools for the proj- ect, said the security aspects of SET have been addressed, and now the technology is moving to real-world deployment.

"We view this as a way of deploying new cryptographic algorithms that are more efficient and [offer] lower costs for merchants and banks and do it in a way that is interoperable with existing SET systems," he said. "Elliptical curve technology allows us to produce smart cards that are cheaper."

Gary Grippo, program manager for electronic money at FMS, said Treasury wanted to participate in the pilot because it is trying to learn more about emerging payment technology. This pilot is interesting because it involves elliptic curve technology, which is one of the "more promising new public-key cryptography systems to emerge in a while," he said.

"This is part of a larger effort to look at all sorts of electronic payments," Grippo said. "We are interested in open architectures for financial transactions. We are interested in hardware-based security for payments. When the government is transacting with citizens, we want to make sure the transaction is secure and the integrity of the payment is not questioned at all."