A Big Win for the Card Associations, But More Challenges Ahead

Whether for superstitious reasons or just to avoid the inevitable groans, experts in data security were long reluctant to use a certain, pertinent pun. But now it can be officially uttered: SET is set.

Secure Electronic Transactions, the Internet payment protocol hashed out by MasterCard, Visa, and a sometimes unruly bunch of technology providers, went up on the card associations' Web sites in June in what was labeled as its final form.

In other words, the standard was ready for prime time. Software developers could begin incorporating it in systems being designed for electronic transactions. And thus began something of a race to make SET-secured card payments a reality, at least in a test mode, by yearend.

The principals were too busy and running too fast to celebrate their hard-won accomplishment. There was far more work to be done, and in their haste to get to it they may never have adequately explained the document's true significance.

The SET advocates met their objective. Getting past their internal divisions, they wrote specifications for on-line credit card transactions and were unanimous in their endorsement. Relying on data encryption and digital certification of buyers, sellers, and bank processors, they erected several barriers to electronic thievery.

They did not make the Net safe for all commercial and monetary activity. Nor did they silence a number of critics who still raise warning flags about the Internet's inherent vulnerabilities, even those addressed by SET.

The development of the protocol was well-chronicled. Probably too well from the standpoint of MasterCard and Visa, which had hoped that their mid-1995 move to cooperate - on the assumption that payment security should not be a competitive venue - would lead to a rapid conclusion of amicable, low-profile deliberations. The diplomatic initiative derailed in the fall of 1995 when Microsoft Corp., sitting on Visa's side of the table, failed to reconcile with the opposing camp that included two of Microsoft's market adversaries, International Business Machines Corp. and Netscape Communications Corp.

After a couple of months of fence-mending, the negotiations were declared back on track Feb. 1. Within a month the working draft of SET was completed, supposedly drawing the best features from the initially separate MasterCard and Microsoft-Visa proposals.

As the June deadline approached, most of the organizations directly involved in SET - they included GTE Corp., Science Applications International Corp. (SAIC), and companies associated with the data encryption leader RSA Data Security Inc. - announced they would provide products and services implementing the protocol.

Verifone Inc. hit the ground running June 18 with a comprehensive electronic commerce package that it said would be the "first implementation" of SET, supported by numerous strategic allies from the SET circle and beyond. Said Verifone's Internet commerce division chief Roger B. Bertman, "This will help the industry benefit more quickly from increased Internet transaction volumes and allow us all to begin learning by doing."

Verifone had reportedly pressed to join the SET team, only to run up against the members' desire to stay small. But Verifone was very plugged in, and Mr. Bertman's "learning by doing" could have been their motto. By implication, publication of SET was just one more beginning.

At the heart of SET is data encryption technology, specifically that provided and championed by RSA of Redwood City, Calif. In the encryption field, science meets commerce. The plodding of the scientific method tempers businesses' drive to get products to the market.

Further complicating any venture into encryption - the mathematical technique for scrambling messages to prevent unauthorized reading - is the overhang of public policy. RSA and its progeny have chafed at federally imposed limits on cryptographic systems, particularly on the length of the code-defining keys they can export. While most financial activities are not hindered by the government's concern about "strong encryption," any banking or payment-related activity is sure to be scrutinized by that industry's regulatory establishment.

It is only 20 years since the advent of public key cryptography. Improvements have been continuous, at least theoretically enabling the guardians of secure data to stay a step ahead of criminal pursuers. That SET could come together in a few months of concentrated effort is testimony to the strength and durability of the concept.

As in academic tradition, what is tested and proven wins out. MasterCard's and Visa's pre-SET attempts, Secure Electronic Payment Protocol and Secure Transaction Technology, "didn't incorporate enough of preexisting security standards," said Allan M. Schiffman, chief technology officer of Terisa Systems Inc., a Los Altos, Calif., company formed in 1995 by RSA and several other investors to develop secure systems for Internet commerce.

"In dealing with crypto, it's nice for stuff to be out and analysts to take a shot at it," said Mr. Schiffman, whose company was intimately involved in SET and said back in April that it would build the protocol into its client and server toolkits. "Older standards that aren't broken are what crypto-developers want."

SET's reliance on the proven didn't stop the sniping.

Lee H. Stein, chairman of First Virtual Holdings Inc. in San Diego, designed his Internet commerce system such that payment data flow via a private communications channel rather than the World Wide Web. First Virtual is not yet ready to bank on encryption. SET may be a step in the right direction, but it didn't sway Mr. Stein.

"Sensitive financial information is never to be on the Internet," Mr. Stein said at the Cyberpayments '96 conference in Dallas in June. "Has anyone here yet seen a hierarchical, encryption-based certification authority working at the consumer level?"

Jerome Svigals, a California-based consultant and long-time advocate of smart cards, criticized the lack of portability of the customer certificates required for an SET transaction. Designed to be embedded in a personal computer, the certificates, or digital signatures, might better comport with the credit card transaction model by being stored on smart cards.

Aharon Friedman, chairman and chief product developer of Digital Secured Networks Technology Inc. in Englewood Cliffs, N.J., has expressed concern about the software-only nature of SET. He said it requires a hardware component to be fully secure.

Mr. Friedman, a one-time SAIC research physicist who founded his network security company last year, also said too much of an SET message is in clear text or subjected to "hash functions" that do not provide the high security levels of encryption.

"Unlike hardware, software can be bypassed using a computer," Mr. Friedman said. He has suggested that a hardware-based approach be incorporated into SET at "a more elementary level" so that all the text can be encrypted.

"He put it aggressively," Mr. Schiffman said of Mr. Friedman. "What he says is not wrong, but it was not unaccounted for" in SET revisions.

Other SET defenders have pointed out that the three aforementioned critics have vested interests in, respectively, off-Internet payments, smart cards, and hardware. Mr. Friedman said he is a few months away from a hardware-software solution that would be economical for PCs and even laptop computers, but he was not ready to talk about specific pricing.

More fundamentally, the SET group had to grapple with classic questions of appropriateness. The security measures had to fit the potential crimes, at a reasonable cost.

As new electronic payment media develop, "people are going to realize that they can't guarantee 100% security," Geoffrey Baehr, a top network technology official at Sun Microsystems Inc., said at a banking conference earlier this year. "Instead, they will aim their development work at 100% acceptance of risk, and assume there is always some amount of fraud.

"It happens, and there isn't much you can do about it other than best efforts."

Focusing on the framework for card payments, the SET group put its best efforts toward standards for transaction software and the ever-critical authentication of cardholders, merchants, and banks, based on the digital certificates issued and maintained by "trusted parties." A big selling point is that merchants don't see buyers' credit card numbers; the system transparently validates them.

RSA Data Security has a central, commercial interest in how SET develops and has taken on an associated, almost public-service responsibility for coordination.

"SET is definitely the way to go to secure bank card transactions," said Kurt Stammberger, RSA's director of technology marketing. "We believe it will be huge. Otherwise we wouldn't have built a toolkit around it."

Indeed, the "RSA Encryption Engine" brand will be on Verifone's software products - vGate, vPOS, and vWallet - the first of what should be many SET-related licenses.

Because there will be a proliferation of on-line products, especially the virtual wallets at the consumer level, Mr. Stammberger said "RSA's role will be to make sure all the wallet implementations talk to all the merchant implementations and the banks."

"Building cryptography is not trivial, but getting all the right people talking to each other can be even more of a challenge," Mr. Stammberger said.

Meanwhile, Verisign Inc., spun off by RSA 17 months ago, is going after the certification piece of the business. In July it announced it was chosen by Visa International to provide Internet authentication through the member banks. Building a global infrastructure for the encryption-based certification product it calls Digital ID, Verisign views the Visa deal as a big mass-market opening for digital signatures.

"The financial services industry is leading the charge in bringing Internet commerce to the consumer," said Verisign president and chief executive officer Stratton Sclavos, who has also signed breakthrough licensing pacts with Microsoft and Netscape. He expects market availability of his "high-volume, scalable-to-the-millions" product "as soon as SET is ready," by early next year.

MasterCard designated the CyberTrust unit of GTE Corp., one of its partners in the SET project, as its private-label certificate provider. The announcement, within days of Visa-Verisign in late July, prompted some one-upmanship. MasterCard senior vice president Steve Mott predicted GTE would be "bigger, better, and faster" in the market.

Visa U.S.A. president Carl Pascarella wanted to underscore that the Verisign-GTE face-off means healthy competition, not a return to the earlier SET dissension.

He said the card associations rejected the idea of a single certification authority because it could have been monopolistic. And while Visa members can now choose Verisign, and MasterCard members GTE, they could also be their own "CA" or pick from other suppliers.

"Visa and MasterCard agreed to pursue different certification options," he said. "The technology will be more robust, and it will minimize the impact on issuers and acquirers.

"Things are changing so fast, we don't want to be in the position of driving stakes into the ground. Our concern right now is to protect the banks, and SET does that."
