home departments features forums


All SET?


related features
SETback teaser tech tutorial teaser

Follow-up 		BY BILL DENSMORE
Posted June 30, 1997

Will you use your credit card on the World Wide Web? IBM wants to make sure the answer is "yes."

IBM ran a TV ad during the NBA playoffs that shows three men discussing how one of them had just purchased something on the Web. A woman walks in and expresses dismay about a credit card being used across the Internet. But it's OK, the youngest man says -- his merchant uses the Secure Electronic Transaction (SET) protocol.

While the ad doesn't delve into its specifics, the SET protocol is essentially a set of written standards that describes how credit-card associations, banks, merchants and consumers should implement credit-card transactions across the Web (see related SET tutorial). The first officially sanctioned version of SET-enabled transaction software, written by Terisa Systems, Inc. (now owned by smart card maker Spyrus), became available June 1. It was given birth by a coast-to-coast collaboration among financial titans: Visa International, Microsoft Corp., IBM, Netscape Communications Corp. and MasterCard International.

Neither did the ad explain that SET will eventually require online credit-card users to possess a new form of identification called a "digital certificate," an electronic identity vouched for by a trusted third party such as a bank. The protocol was designed to all but eliminate the risk that you aren't who you say you are when you conduct business with banks, legitimate merchants and credit-card companies on the Internet.

"They tried to make sure that you could do some things in SET that we take for granted in the ordinary commerce world, like making sure you can buy something and then return it and unwind the transaction," said Carl D. Howe, an analyst at Forrester Research, Inc. in Cambridge, Mass.

But IBM wasn't trying to explain all that. In fact, if it were up to IBM and other promulgators of the protocol, SET would become such a familiar brand name that no one would question what it means. They would just know that it indicates "trust." To reinforce the brand notion, the card associations are holding a gala event on July 18 in San Francisco to unveil a new SET trademark. SET software vendors will have to have their product certified by an independent authority that Visa and MasterCard have established and will be required to license and use the SET trademark if they pass muster.

callout 1 We're clearly not there yet. In fact, merchants and analysts don't yet understand how SET benefits anyone but banks and the credit-card companies, unless banks and card associations lower transaction fees as a carrot to see it widely adopted. A few merchants are threatening to announce on July 4 a campaign to bolt from the card-association fold. And no one is sure yet how SET certificates are going to get into the hands of consumers to make the system work. Finally, it is possible that other payment mechanisms will emerge for settling Internet purchases directly to bank accounts, bypassing credit cards all together. And already a debate is brewing over whether the current version of SET includes a cryptographic engine, painfully slow on current hardware.

Some analysts actually see SET working at cross-purposes. "SET will completely backfire, [especially if] you stick it on the TV and tell [consumers] only SET is secure," said Chris Stevens, an analyst at the Aberdeen Group in Boston. "Not every [merchant] will work with SET overnight, so the immediate perception will be that sites without SET will not be secure."

In fact, Stevens said, the SET originators might have been better off promoting the Internet as a secure environment and managing the risk, rather than splitting hairs over security technology, especially since SET covers only a small piece of the whole security picture: "It only covers consumer-to-merchant [commerce]," Stevens said. "The real problem with security is that there's too much, not too little. There are too many competing standards."

SET's supporters say the protocol's technology basis is tried and true, and any bugs will be worked out in trials during the next six months or so. And anyway, they add, anything that will unite major financial and business interests around a common standard is vitally important for that reason alone, whatever its underlying technology.

"The proof of the pudding eventually has to be [whether it is] interoperable" among vendors, said Steve Mott, senior vice president in charge of SET implementation at MasterCard. "And that is where we are certain we still have a lot of work. It's not going to pop out at the end of nine months as a perfect baby that everyone can be happy with. Software, particularly Internet software, isn't perfect at birth."

One fact that can't be overlooked is that an estimated $100 million of Internet commerce was completed in 1996, most of it via credit cards, without the benefit of SET. This has some businesses wondering why SET is needed and warning that if the credit-card vendors want to see it adopted, they are going to have to provide a financial incentive to merchants and consumers by lowering transaction fees.

The card associations acknowledge that Internet commerce using SET is aimed at cutting the potential for fraud losses. But they decline to predict whether this will result in a lower percentage taken out of each merchant's transaction. Lower transaction fees could also make credit cards viable for settling smaller transactions, but no one expects the current credit-card infrastructure to handle so-called "micropayments," charges of less than $1 for pieces of information or software a la carte.

callout 2 "The proper incentives would be a rate structure that is more favorable for transactions that are SET-compliant," said Tim Knowlton, Internet merchant-card services manager at Wells Fargo Bank. "If you look at the history of changes in the credit-card industry, they are always driven by (changes in rates). We certainly expect that SET will reduce [merchant] fraud."

From a technical standpoint, SET is unnecessary, according to some analysts and merchants. They say the Internet browser protocol Secure Sockets Layer (SSL), combined with existing forms of user authentication, may be adequate. SSL already encrypts credit-card numbers sent across the Internet to a merchant.

But SET goes a step further. It hides the credit-card number from the merchant who is accepting it, forwarding it only to the issuing bank for authorization of the charge. Thus the value of SET is that it eliminates a potential human source of fraud at the merchant level.

"The goal of SET is to have the risk of an Internet transaction become equal to a card-present transaction," said Cathy J. Medich, Internet commerce marketing director at VeriFone, Inc. and a former executive director at CommerceNet, an industrywide consortium.

At the same time, "merchants would rather sell something using SSL at a higher discount rather than lose a sale because the customer wasn't SET-enabled," said an executive at a key credit-card processor who requested anonymity.

Executives at LitleNet LLC, a Lowell, Mass.-based electronic clearinghouse, said they're finding that merchants are more interested in SSL than SET. And John McCombie, technical leader for LitleNet's Internet commerce solutions, said he is reluctant to invest engineering time in SET because the standard is still evolving.

"We're not going into the SET thing yet," agreed Shital Anagol, senior software engineer at OnSale, Inc., an Internet-based hardware auction business. OnSale uses credit-card processing services from CyberCash, Inc., which uses SSL encryption. "I think the only thing that will come out of it is standards."

Rob Reesor, senior software engineer at Virtual Vineyards, a Palo Alto, Calif., Web-based wine merchant, added, "We're seeing it as something that will definitely come into play down the road a bit. We would like to have something that is standard."

Perhaps a bigger issue is getting digital certificates into the hands of users. SET, which is largely a protocol for consumers and perhaps for employee-purchasing cards, will require a user to possess such a certificate.

"Using certificates with SET is going to delay its acceptance because it assumes that people will be interested in getting these certificates," said Stan LePeak, a vice president at Meta Group, Inc. in Stamford, Conn.

callout 3 Some experts say that future versions of Internet browsers sold or distributed by Microsoft and Netscape will include software that permits the program's owner to connect to a bank or other Web site and download a SET certificate after providing the required identification. Or banks may simply permit downloading of the certificate-generating software from their Web sites. "The software will be distributed, we believe, directly by software vendors and can be distributed by banks as well," said Stephen M. Herz, senior vice president of Internet commerce at Visa.

So far, the only entity that is mass-marketing the sale of digital certificates (SET and non-SET) is VeriSign, Inc., which said it had issued 750,000 certificates by the end of April. But VeriSign's certificates are intended more for proof of identity than proof of financial responsibility.

If banks jump on the SET bandwagon, they could set up customers to download SET certificates to their home computers. But until that happens, merchants may want to press ahead with SSL-secured transactions.

Putting aside the question of whether SET is needed, vendors are beginning to offer it in the marketplace. On April 9, IBM unveiled what it said was the industry's first SET-enabled merchant server, Net.Commerce Version 2.0. In late April, the first cross-border SET-based transaction was carried out between the charge-card company Europay Norway and Denmark's PBS to order an airline ticket from Norway's Braathen Safe airline. IBM provided the technology.

Early users of Net.Commerce will include Brel, Dai Nippon Printing Co., L. L. Bean, Hoffmaster, the Danish Payment Systems (PBS), Ingram Micro, United Parcel Service, Inc., Borders Books & Music and Arena di Verona, IBM said.

IBM is also providing SET technologies to the e-Comm group, a consortium of leading French banks and Visa International. And approximately 100,000 customers of Japan's Fuji Bank are scheduled to try out their debit cards through 1998 in a pilot using IBM's server and digital certificate technologies. The Fuji test is unique because it involves IBM designing an extension of the SET protocol for PIN-based card transactions.

IBM's early lead in the SET software prototyping sweepstakes may soon start to erode, however. In a one-two punch, Hewlett-Packard Co. announced in May it would purchase VeriFone, a vendor of electronic payment software, and a week later said it would align nonexclusively with Microsoft to sell end-to-end electronic commerce systems to banks based on the SET protocol. It announced prototype efforts with Bank of America and Sumitomo Bank, among others. VeriFone's Medich said HP will focus on linking bank legacy systems to VeriFone payment software. Banks will get an end-to-end system for $600,000 to $800,000, Medich said.

callout 4 VeriFone, which makes the gray point-of-purchase "swipe" terminals that millions of merchants use, is working hard to come up with new products that will also enable digital commerce. These include a "personal" automated teller machine (ATM) that would allow consumers to load "cash" onto their smart card from home. HP is aggressively moving to install smart card readers on computers it sells.

Also entering the SET gateway software sweepstakes is Austin, Texas-based GlobeSet, Inc., which is behind a test site launched by Wal-Mart Corp. on June 2 in cooperation with American Express Co. and GTE Service Corp. First Virtual Holdings, Inc., the first micropayments vendor on the World Wide Web, said June 2 it will incorporate SET as an option in its payment system.

From another corner of the world, South African-based BankGate Team has developed a SET 1.0 system that bears an important distinction: It's free.

Rather than merchants and banks making a significant capital outlay, BankGate will customize, install and maintain the product for each institution at no cost. Instead, customers pay a transaction fee. The system includes four components: a certification authority, wallet software, a merchant server and a payment gateway.

In terms of pilots, MasterCard said it knows of 22 planned SET pilots in 11 countries. Visa is collaborating on some of those and also has a pilot with 30 banks involving much of the European marketplace. It has other tests running or ready to run in Singapore, Taiwan and Japan.

But as of June, only one U.S. bank had announced involvement in a SET pilot. The Chase Manhattan Bank NA and Wal-Mart are enabling selected employees to purchase merchandise from Wal-Mart Online using a SET-enabled Wal-Mart Chase MasterCard. IBM is providing many components of its CommercePoint payment software, while First Data Corp., an electronic payment processing vendor, will provide credit-card processing services. Later this summer, the initiative will be expanded to Chase, First Data and Wal-Mart customers.

As for the scarcity of announced U.S. pilots, the card associations say U.S. banks are just more secure in their markets, more willing to take a wait-and-see attitude on new technologies and more wary of making announcements on tests and experiments than their international counterparts. More skeptical observers theorize that the largest U.S. banks may be wary that SET will give the card brands a permanent place in the digital commerce marketplace -- a role that may not be required if banks can interoperate with one another directly.

The U.S. marketplace is critical not only because of its size but also because credit/debit cards are so prevalent. In the international marketplace, so-called "smart" cards are already commercialized, and the assumption is that electronic transactions will be adopted quickly in those markets.

"The rollout plans that the banks have is really critical," Verifone's Medich said.

callout 5 One analyst at a major accounting firm said he is watching Integrion Financial Network, a consortium of 16 U.S. banks and IBM formed last year with $60 million in capital, to see whether it emerges with a plan for electronic commerce interoperability. Integrion has access to half of the U.S. consumer base and 60% to 70% of merchants, the analyst said. If bank ATM cards, for example, could be used across the Internet, the need for the credit-card association as an intermediary would fade.

"A lot comes back in transaction fees to the card associations," the analyst said. "There is the possibility that electronic commerce models will kill 20% to 40% of the credit-card associations' revenue streams. If Integrion can build a model that can do intraconsortium clearance, they don't have to go into the card associations at all. They could do clearance at significantly less cost than today."

The card brands hope that Integrion is focused on streamlining check-processing and electronic data interchange-based payments, not on the credit-card market. IBM said that is not the case exclusively. Integrion's board is said to be working on refining its mission, which has not been clearly articulated in public. In the end, however, banks appear poised to remain at the heart of the process, either through their ownership of the card associations or as arbiters of financial transactions through other intermediaries.

"Is the payment system going to be disintermediated?" asked Ed Jensen, president of the bank-owned Visa International Services Association, when asked for his opinion on the idea of nonbank players entering electronic commerce. "There are lots of people that are speculating that. I don't think it's even close to a possibility of happening when you look at the total scale of the payment system. If you want a safe transaction, you are going to need a certificate from a bank."

Whether or not you believe SET is destined to live a life with purpose, it is guaranteed a life of importance merely because of the stature of its parents. The world's credit-card issuers are banking on the SET protocol to extend their central position in world commerce onto the Internet, eliminating the threat of merchant fraud and reassuring consumers. At stake is not so much the future of Internet commerce but how quickly it materializes and who benefits most financially.

Densmore is a freelance writer in Williamstown, Mass.


If you enjoyed this article, you may also want to see our companion magazine, Emmerce, which appeared in the April 28 issue of Computerworld. Contact Editor Alan Alper to receive a complimentary copy. You can also subscribe to Computerworld now to receive all future issues.


top of pagehome
@Computerworld 		departments features forums info list

@Computerworld | Emmerce Home | Departments | Features | Forums
Our Mission | E-mail | To Subscribe | Archive | About the Site | The Staff




© Copyright 1997 by Computerworld, Inc. All rights reserved.
@Computerworld is a service mark of International Data Group, Inc.