Vicky Nolan

SET Protocols Wait in the Wings for Wider Adoption

16 November 1999

Accepting a customer's credit card online can be a risky proposition. You don't know the person at the other end of the e-connection, so you don't know whether the card is really theirs to use. Visa and MasterCard have been pushing a solution to this problem for years. It's called Secure Electronic Transaction (SET) protocol and it was first offered in 1997.

The only problem with the SET solution is that few businesses are using it. "SET has been in the experimental stage for years, with the backing of Visa and MasterCard," says Crown Management Services CEO Chuck Crawford. "However, for technical reasons, and for lack of enthusiasm, it hasn't happened."

"One of the primary reasons is there is a standards war going on with no clear winner evident, including SET," Crawford continued. "The second reason is that for SET to work, the issuing banks need to issue a unique ID to each card customer, which only could be issued in person, obviously, for security reasons. This would be a massive and expensive undertaking."

SET proponents include Microsoft Corp., IBM, CyberSource Corp. and CyberCash Inc., but even their support isn't enough to garner wide acceptance for the protocol. A recent article in Computerworld provides some reasons that SET has failed:

  • Since it's the merchants who pay for credit card fraud, banks don't have an incentive to adopt SET.
  • Y2K problems are garnering the most attention. "That's where most of the financial sector's IT money has been going the past two years," Alan Clark of the IBM Software Group told Computerworld.
  • When SET debuted, merchants felt the massive security features and cost to implement were too great. According to Computerworld, this left credit card associations favoring "relaxed SET-mandated security requirements in favor of milder schemes."
  • Due to credit card associations' efforts, rival digital cash schemes have not been widely accepted.
  • E-commerce wants to make it easier for customers to use credit cards online, not scare them away.
  • Even though online purchases are growing, they are still a small source of income for major U.S. corporations, making SET adoption less important to their needs. Plus, many companies developed their own protection methods before SET arrived.
  • It's a matter of perception; businesses feel that the Internet is supposed to be a cost-cutting tool, so security measures don't receive priority in the IT budget.
    (Source: Computerworld)

Additionally, consumers using SET need to download the information onto their computers. Because it is not transferable to another computer, this has proven to be another drawback.

"Frankly, I don't think SET is moving fast enough to be the default standard. However, Visa and MC have the power to force this on the market at any time, even if it's not popular," Crawford said. So far, the two credit card companies haven't made that final push.

In the meantime, Secure Sockets Layer (SSL) is the most widely accepted security tool. Crawford explained, "SSL is not the same thing at all as the concept of SET. All SSL does is encrypt the data transmission between a web site and its credit card processor, using digital certificates and decoders on either end. There is no thought with SSL of issuing identities to customers, per se."

SET is a complex process that follows these steps:

  1. Cardholders obtain a SET-enabled digital wallet, available from various vendors (like Microsoft) or financial institutions.

  2. Cardholders then register to receive a digital certificate. During the transaction, the SET software validates both the user's and the merchant's digital certificate before completing the transfer of payment information.

  3. Transaction takes place between cardholder and merchant. At the time of purchase, the merchant asks for payment and the customer enters the credit card information, which prompts SET to send out the corresponding merchant and user certificates. Then SET encrypts the information for transmission. The merchant's financial institution will decrypt the information for payment into the merchant's account.
    (According to Visa, "It is possible for cardholders to shop securely using SET without digital certificates. While this limits the merchants' ability to authenticate the cardholder, the SET payment transaction will still be completed according to specifications.")

  4. The merchant's financial institution requests an authorization from the customer's financial institution, in one final layer of protection. The sale is confirmed following final authorization.

Some experts believe that SET's much wider use in Europe may eventually affect U.S. merchants. As Crawford pointed out, "There are many tests of SET going on, and have been for years. Large merchants, some in Europe, have been experimenting. I do not know how they could be very successful, since the real implementation takes nearly universal distribution of the identifier technology on the cards and with the cardholders. Having just a minority number of cardholders might work in a test tube, where they typically will shop at one large merchant, and therefore benefit from SET as a customer loyalty device."

In May 1999, SETCo (the consortium that manages and promotes the SET standard) implemented several extensions to the SET protocols, intending to accelerate and streamline its deployment in the marketplace. One of the extensions is intended to prevent redundancy in systems and provide a smooth evolution from SSL to SET.

As Crawford noted, "There is definitely a need to have a more solid identity of on line purchasers to avoid fraud. SSL, as it is now, does not address that at all -- but no doubt will remain competitive on the data transmission end of things. Unless Visa and MC end up mandating SET, SET will be competing against other solutions for secure identity--perhaps smart cards, perhaps other solutions like SET that are pursued by private sector organizations."

The growth of the Internet, especially over the last few months, shows that e-commerce is no longer small potatoes, even for the largest of businesses. With this growth comes the need for greater security for both consumers and businesses. When Y2K issues become just a memory, it's possible that more corporations will determine whether SET should be adopted.
