Screening Out Suspects

Developers offer security tools to B2B companies.

Although there is no stampede to change core business-to-business e-commerce infrastructures in light of last month's terrorist attacks, some B2B exchanges are looking to beef up security measures.

To foster increased security, CyberSource Corp. and Metastorm Inc. have begun adding new security features to their B2B software.

Electronic payment company CyberSource last week rolled out its Export Compliance service, which helps B2B and consumer e-commerce companies comply with government anti-terrorist export regulations.

The service, available now, automatically adds the names that appear on government lists of people and organizations banned from exporting U.S. goods to its electronic payment authorization and fraud screening software. The denied-parties screen in that software is an automated, real-time cross-check of online or call center orders against the U.S. Office of Foreign Assets Control's Specially Designated National and Denied Persons lists that include terrorists and blocked individuals or organizations, said officials, in Mountain View, Calif.

Additional federal lists cross-checked by the service include the Department of Commerce's Entity list, which screens foreign end users involved in proliferation activities for the development of weapons of mass destruction; the Embargoed Countries List, issued by the Bureau of Export Administration; the International Traffic in Arms Department List, issued by the U.S. Department of State, which includes people who have been convicted of conspiracy or violation of the Arms Control Act; and a Sanctions List, issued by the Office of Foreign Assets.

Separately, Metastorm, of Severna Park, Md., enhanced the security of its e-Work business process management software by incorporating advanced fingerprint recognition technology from Biometricate Ltd. Last week, the two companies announced a partnership that will enable enterprises that incorporate business partners and customers in intercompany workflows to more securely identify who is involved through a biometric fingerprint identification system.

While Metastorm developed a digital signature infrastructure earlier this year, some customers were looking for additional transactional security measures, company officials said.

Some e-marketplaces and their customers are also looking to new legislation to ease the burden of added security. However, others don't think the increased wiretapping authority sought by U.S. Attorney General John Ashcroft will do enough to ensure that their sites are not used in nefarious activities. In the mostly anonymous world of B2B e-commerce, additional measures need to be taken—particularly in the case of companies that sell products that are useful to terrorists, they said.

"Biometrics really ensures that the person in front of the computer is who they say they are," said Michele Hincks, spokeswoman for ChemConnect Inc.

The San Francisco-based chemical exchange already has proprietary screening software that ferrets out unwanted individuals from its customer list, as defined by the FBI and State Department warning lists. It also uses digital certificates, encryption and other authentication software to ensure that buyers, sellers and the operators of the market know exactly whom they are dealing with.

Even so, ChemConnect is reviewing its policies and procedures in light of the terrorist attacks to plug any existing hole. "We do recognize that security is not something that you do once and leave it alone. You really need to keep up on it," Hincks said.

Metastorm has already incorporated the biometric technology into its platform for the U.S. Department of Defense, a large customer, according to Metastorm CEO Avi Hoffer. Metastorm also counts as customers 22 of the 28 civil departments that make up the Department of Justice, Hoffer said.

"There are those [departments] that may want to adopt biometric security—the FBI, INS [Immigration and Naturalization Service]—but it will take longer," Hoffer said. "Whereas in the DOD, the requirement is so much higher and the funding is a different level."

Don LaValle, director of strategic business operations and IT at Sharp Electronics Corp., of Mahwah, N.J., said that even though his company spent $2 million on B2B initiatives over the last two years, it won't be affected by whatever security legislation is passed. That's because it does only about 1 percent of its business over the Internet. In addition, Sharp, which supplies major companies such as Cisco Systems Inc., knows its customers.

"Any time we do any real, true B2B, it's done through a secured link. And we know who the person is that we are doing business with," LaValle said.

Parametric Technologies Corp., a Waltham, Mass., designer of B2B collaboration technology used in government projects, does not plan to beef up security in its software. Chief Technology Officer Jim Heppelmann said he is making sure PTC's software behaves well when used on VPNs (virtual private networks).

"We're not using the public Internet for classified information exchange, [rather] it would be some type of [VPN]," Heppelmann said. A VPN "can be even more secure than FedEx. But you may have to spend more money for a VPN and encryption," he said.

Whatever is done to increase security, it will cost something. "Further down the road we will have to address cyber-attacks as one of the many things [terrorists may perpetrate]," said Jim Ehrenreich, senior manager of cybercrime prevention at PricewaterhouseCoopers, in New York. "There is a cost associated with that. ... To have businesses raise their security will cost a lot of money."