Want CNET to notify you of price drops and the latest stories?

"Super CA" rules on table

Final negotiations are under way with CertCo, a bank spinoff, on how to implement a "super certification authority" required by the SET protocol.

2 min read
Major credit card companies are in final negotiations with CertCo, a spinoff of New York's Bankers Trust, about how to implement a "super certification authority" required by a protocol for secure credit card transactions over the Internet, according to industry sources.

Under the protocol, known as SET (Secure Electronic Transactions), a certification authority is an independent, trusted entity that issues digital certificates that vouch for the identities of parties in electronic transactions. SET, now being finalized by Visa and MasterCard, requires a digital certificate from a CA to identify both merchants and buyers.

SET also requires a "super CA" that would certify the various card brands that handle Internet credit card payments, such as Visa, MasterCard, American Express, and others. Among other things, a super CA will allow the systems of various card issuers to operate with each other.

Because Visa and MasterCard are fiercely competitive, neither wants the other to hold that power, so the draft SET rules set up an independent committee to act as a super CA. Two industry sources called the super CA "political" because it was necessary to separate long-feuding Visa and MasterCard.

CertCo's contract will be to recommend software, hardware, and business procedures for managing the digital certificates of the various card brands. At this point, CertCo would not operate the super CA; that decision will be made later.

The super CA would authorize new credit card brands to issue digital IDs by giving them a master certificate. It also would manage the master certificates of issuers like Visa and MasterCard, renew those certificates when they expire, and revoke the digital ID if a card issuer decides not to handle Internet transactions.

Also bidding on the contract were GTE's CyberTrust unit, which is the CA for MasterCard and American Express, and VeriSign, which will issue Visa's digital certificates to merchants and buyers.

If CertCo lands the final contract, it would boost the start-up's standing. The company has talked about providing SET-related services to banks and credit card processors.