Visa U.S.A.’s MacCarthy Details Security Initiatives for M-Commerce at FTC Workshop
“All The Protections That Visa Offers To Its Regular Online And Brick-and-Mortar Customers Will Be Available To Its M-Commerce Customers”
Washington, DC, 1/23/2001


Visa U.S.A. Senior Vice President Mark MacCarthy today outlined a number of security initiatives the company is employing now or will soon bring online to protect wireless or “mobile commerce” (m-commerce) consumers. Mr. MacCarthy’s comments came at a Federal Trade Commission workshop examining emerging wireless Internet and data technologies and the security issues they raise.


“Visa brings the same strengths to m-commerce consumers that it has brought to other online and brick-and-mortar customers, namely, brand strength, global acceptance, unsurpassed payment and technology infrastructure, security, and most important, consumer protection. We think the use of a Visa card in the mobile environment is the most convenient, simple and secure method of payment in the mobile environment,” MacCarthy said.


Mr. MacCarthy noted that a recent study showed 73 percent of mobile phone users trust their card issuer to handle mobile commerce billing, as opposed to the operator handling the transaction. He further pointed out Visa’s “zero liability” policy, as well as other measures, further protected consumers from fraud.


“All the protections that Visa offers to its regular online and off-line customers will be available to its m-commerce customers. ‘Visa Secure Commerce,’ a series of online security measures that, taken together, protect cardholders and merchants alike - from the start of an online transaction to fulfillment of an order - is also applicable to m-commerce customers. In particular, our zero liability will apply. This policy eliminates consumer liability in cases of unauthorized use of Visa cards for both online and off-line purchases. In addition, we are moving new programs such as Visa’s payer authentication service into the mobile environment as quickly as possible,” MacCarthy said.


MacCarthy explained m-commerce will be consumer-centric, providing consumers with a variety of relationships.


“As the market matures, the customer will remain at the center of m-commerce. Device manufacturers, wireless operators, merchants, content providers and payment facilitators such as Visa and its member institutions will all maintain a relationship with the customer. No one player will hold the entire relationship with the customer,” MacCarthy said.


MacCarthy also told the FTC workshop that wireless e-wallets will be very important to m-commerce customers.


“The phone key pad is small. Inputting payment information is not convenient or easy. Payment information needs to be seamlessly and securely entered into the merchant payment page. Mobile wallets can ensure that m-commerce is convenient for customers,” MacCarthy said.


MacCarthy emphasized Visa U.S.A.’s outstanding track record on security and fraud. He noted that over the past decade the company had reduced an already low fraud ratio even lower.


“In 1992, the ratio of fraud-to-sales on Visa cards was just .15 percent or 15-cents out of every $100. That has now dropped to a record-breaking .06 percent, or 6-cents out of every $100, as of last year. These reductions in fraud have gone down even as Visa card volume has soared,” MacCarthy said.

Allan Carey, senior analyst with IDC's information security services, says that the main drivers behind the hasty attitude adjustment on MSPs by these and other organizations include:

The growing shortage of IT professionals with that all-important security expertise;

the increasing number of threats resulting from the Internet;

and the marginal costs of outsourcing security needs versus building in-house capabilities.

"A multitude of vertical industries are turning to managed security services," he adds. "Some of the early adopters of managed security service have been the financial services, government and telecommunications industries."

Organizations wrestling with business-to-business (B2B) and business-to-consumer (B2C) activities, and now mobile commerce happenings, are all too aware of the technology dangers they face at the moment, compared to a year ago when talk focused on Y2K. Denial-of-service attacks, breaches, viruses, insider assaults and other reported events have raised the ire and sparked the consciousness of corporate executives. Widespread adoption of broadband technologies for corporate use has also highlighted the need for stronger Internet security, says Vincent Salas, director of marketing for WatchGuard Technologies, an Internet security solutions and services provider based in Washington.

On top of this, the "massive complexity" of technology these days is really proving to be quite a conundrum for organizations in every marketplace, says Jim Reavis, chief technology officer of SecurityPortal, an international online security consulting firm specializing in news and information services and headquartered in Washington. "Companies cannot solve the problems by relying on systems administrators, and they either cannot find or cannot afford to hire security personnel," he further explains.

Hiring costs are a big factor when it comes to deciding whether or not to outsource, says Jason Alley, director of industry marketing for California-based Xcert International, Inc., a vendor offering products that secure B2B transactions and web communications. Not only is it easier to keep up with evolving threats using an outsourced model, but companies can save a great deal of money as well.

"Adding an internal security specialist to the staff alone can add costs in excess of $100,000 in salary [expenses] before you account for investment in technology, training and retention," he says. "Outsourcing requires a far less up-front fee, [while] other regular fees associated with the service are predictable and, therefore, manageable."

Much of the time, when companies - especially the smaller ones - try to address their security issues in-house, they end up being much too reactive in allocating the time and resources needed to protect their networks, adds Selwyn Joffe, president and chief executive officer of Netlock Technologies, Inc., a global security solutions and services provider headquartered in California. When these internal efforts fail, corporations logically turn to MSPs to rescue them. With this decision, he adds, they end up implementing a security strategy that saves on time and investment, improves their overall security, and allows them to keep control of their networks and data centers.

Above and beyond problems associated with time and resources, simply trying to decide what products to use when implementing a security plan internally can leave managers puzzled, says Tom Teeple, CyberSafe's general manager of managed security services, and Mark Allers, vice president of business development for the company.

"There are a dozen different security verticals with hundreds of point products/solutions in each vertical. This creates a tremendous amount of confusion for the CEO, CFO, CIO and risk managers as they try and map the security requirements to the business objectives," they say. "Managed security service providers have eliminated the confusion by integrating the different vertical products under a single offering. This offering is appealing to companies as they can now budget according to the annuity charged by the services provider. More importantly, the company will only need to manage one service level agreement (SLA)."

What's on the menu?

Most MSPs offer several different security services, while some specialize in administering and managing a select few. Counterpane's Schneier says that organizations seeking help can outsource anything from policy development and forensics to installation, implementation and vulnerability assessment.

"We find that monitoring is the service most in demand," he adds. "While it is important to have a good firewall, good security policy, good forensics and good vulnerability assessments … it is vital to have vigilant monitoring. If you think about the three Microsoft break-ins [that occurred in recent months], all would have been caught by a monitoring device."

Whatever the needs of the company, executives should be clear on what security solutions and policies their business demands and what options the providers are laying out before them.

"The Internet has forced everyone to rethink their IT spending," says Bob Hansmann, product security technologist for Trend Micro, Inc. "Combined with the 'people,' 'time' and 'money' challenges IT departments have always faced, a great opportunity for the outsourced services market will exist for some time." Hansmann further says that Trend is partnering with many MSPs to offer anti-virus security as part of existing outsourced services such as managed firewall, email or groupware, or simply managed anti-virus.

"Security is a complex issue. With Y2K practically ancient history, IT managers have come to the realization that security is the next big thing. … As the use of MSPs becomes more prevalent, customers will also become more sophisticated in that they will demand more sophisticated solutions. … Since companies do not have the necessary expertise to address the growing information security problems in business today, organizations will focus on three main security services: assessment and design of infrastructure, maintenance and 24-by-7-by-365 monitoring of the system," says Netlock's Joffe. "In addition, customers will demand more dynamic services to secure communications."

For now, though, services available vary. Gilles Samoun, chief executive officer and chair of Qualys, Inc., an online network security services provider, says that vulnerability assessment services (VAS) are another of the predominant offerings bouncing around the industry right now. This area, he adds, typically includes:

Scanning networks for weak spots against the over 600 known vulnerabilities;

providing recommended fixes for vulnerabilities that are discovered;

updating the database with new vulnerabilities discovered and distributing these to clients.

"Though Qualys itself works with partners who actually perform any fixes to a network if a client cannot do so for themselves, this hands-on element is a separate, but important piece of the outsourced VAS marketplace," he explains.

At the start of the MSP trend, many providers helped set up, administer and monitor security mechanisms, but when questionable activity arose they only provided alerts to a client's IT manager or department - they did not remedy the situation themselves. Nowadays, however, companies are demanding that their providers not only monitor systems for problems, but also solve the problems. It's after the resolution, or very near to it, that administrators then want to hear from their MSP.

"Without consistent safeguard management, network configuration can eventually drift and weaken to the point that a company loses awareness and control of the traffic that is allowed access to the network. … A security plan is useless without a quick response," says Craig Robinson, chief operating officer of METASeS, an Internet security consulting firm offering various services. "METASeS trains response team members so they are prepared to respond rapidly to problems and achieve recovery with minimal interruption to IT functions."

Some such services with which many professionals are familiar include anti-virus, firewall, VPN, intrusion detection and filtering provisions, say CyberSafe's Teeple and Allers. "However, as the security market matures in authentication, authorization and access control, the existing security service providers will expand their offerings to accommodate for the market opportunity," they add.

The widening of those services must come sooner rather than later, say some experts. What MSPs are presenting to prospective clients right now is missing a key area, says Nebraska-based CorpNet Security President Rick Shaw.

"While IDS and scanning services are common to help address hacker attacks, the number one threat to every organization today, a company's employees, is being ignored," he contends. "Managed awareness training will be critical due to federally mandated regulations, like the Gramm Leach Bliley (GLB) Act that is affecting financial and insurance industries, and the Health Insurance Portability and Accountability Act (HIPAA) that will be affecting the healthcare industry. In addition to regulations and standards, the issue of due diligence will be critical as privacy and information security can be a significant liability."

Though Shaw advocates awareness training, he warns that actual implementation of such a program will prove difficult since companies are missing the personnel to actually oversee and run such training on a continuous basis. The answer to this, he adds, will be an "effective and efficient" intranet managed service.

"Any organization utilizing the Internet or any form of electronic transmission for business or allowing their employees to access the Internet should be a potential candidate for managed security service in one form or another," he explains further. "A hybrid of internally supported security solutions and managed security service is probably the best solution."

Even now, security solutions are a combination of products and services. This trend will only continue to make itself felt as the number of security and privacy issues facing the business community rises, says Dave Morrow, director of investigative services at the newly created Fiderus, a North Carolina-based consulting firm specializing in security and privacy solutions.

"Specifically, services surrounding helping companies develop integrated privacy and security policies, architectures and safeguards, as well as determining how to react to breaches of security or privacy, from inside or outside the organization, will be critical," he says. "The challenges of maintaining security in the wireless environment are also going to be substantial, especially as the number and variety of wireless devices available increases."

Deciding What's Best

"The biggest problem with security programs today is the absence of an actual program," says Jeff Johnson, president of METASeS. "This includes the existence and use of policies, procedures, standards, and training and awareness programs. This is where e-security managers receive their biggest return on investment, yet it's typically the lowest budget item. An Internet security management system provides real return on investment, real value and protects against liability and due-care lawsuits."

In spite of the potential benefits that could result from a move to outsourcing, there are still follow-up items that must be sorted out. After corporate executives have determined that MSPs may partly or entirely resolve their infosecurity quandaries, managers must thoroughly research prospective MSPs' experience and track records, find out if these providers have tied up best-of-breed partnerships with technology providers, and, most importantly, settle on their own corporation's business requirements.

In the latter step, says Allen Vance, president and general manager of managed security services for ISS (Internet Security Systems), it is imperative that managers have a clear plan that is detailed and diligently researched, for this will form the basis of the service level agreement. Too, IT managers should make sure that the SLA is "backed by financial payment to the customer when violated."

When it comes to putting security policies and tools into practice, adds Robert Booker, vice president of security solutions for Syntegra, Inc., a global e-business consulting and integration division of British Telecommunications plc., organizations should decide if outsourcing will enable them to respond more quickly to incidents or reduce costs associated with daily management of their security. Too, they should be certain to decide if any regulatory or fiduciary responsibilities would be fulfilled better when security needs are answered internally.

Moving On Up

Noting that information security is no longer seen as the "sacred" component of operations that must be incessantly guarded from service providers, Booker contends that outsourcing security to specialists in information security or the managed service area "is not seen as an erosion of the control of the information security organization. Instead, this allows the company's information security staff to focus on the business requirements, such as policy management and compliance, as well as support investment in new cutting-edge security technologies that are enabling business initiatives."

And there will be no loss of innovative technologies to protect information. Forward-looking vendors and service providers all over the globe - from the U.S. and Canada to the U.K. and Asia Pacific countries like Japan - will continue striving to offer more proactive solutions to organizations. Too often these days, offerings are less than dynamic.

"Companies in the past have treated [security] as static. Proper security entails both tactical daily work, as well as a strategy whereby it is integrated into every aspect of the business," explains Timothy Bowen, senior product marketing manager of VPN and Internet security services for Massachusetts-based Genuity. "In doing this, companies are finding it difficult and tedious, and it requires lots of expertise and resources that they don't have."

Yet other problems crop up when, as is more often the case than not, organizations use inadequate security resources to tackle a huge amount of work, says SecurityPortal's Reavis. In addition, the only staff on hand to confront these problems are often focused on the business of their company. Rather than heading malicious activity off at the pass, they end up spending more time putting out fires after the fact.

Given this, it was only a matter of time before firms of all sizes began entertaining thoughts of outsourcing security. After all, explains Counterpane's Schneier, companies always turn to service providers in the real world.

"People don't have their own police force - the government maintains the police force. Even gated communities that have their own private security, contract out the job," he says. "Every building outsources its guard services. And it's not just that these capabilities are not core: every bank in this country hires another company to drive its money around town. In our society, we outsource things when they are complex, important and distasteful. Security fits all three. As computer and network security is viewed more and more as a piece of overall security, outsourcing becomes more and more attractive."