For better or worse, the element of anonymity is one of the big fascinations of the Internet. Unfortunately, the ease of misrepresenting one's identity, or even creating a fictional "virtual persona," goes to the core of bankers' fears about electronic commerce on the Web.
Compared to the overall bank card market, purchasing over the Internet is nascent at best. But it is growing fast. In a report published this month, New York-based market research firm Jupiter Communications estimated consumers spent $1.2 billion on-line last year, and 80% of the payments were by credit card. Jupiter projected 1997 cyberspace spending at $2.3 billion.
This is no trivial matter for banks and their credit card associations, MasterCard and Visa. It is squarely in their interest to prevent cyberfraud, as federal regulations limit a consumer's liability for unauthorized credit card use to $50.
Near-term, the bank card industry hopes to solve the Web identity crisis with SET, the Secure Electronic Transactions communications protocol designed to make the Web safe for consumers, merchants, and their banks.
There is a degree of transaction security in an existing protocol called SSL, for Secure Sockets Layer. Incorporated in most Web browser software, it allows for transmissions of credit card numbers in an encrypted format. Unlike the heavier-duty SET, this protocol authenticates neither the consumer nor the merchant at the receiving end.
SET would close these gaps with software-based digital certificates that clearly identify who is who in the transaction. And when SET is in effect, cyberspace merchants would not even see the credit card account numbers, further protecting banks from possible fraud.
Bankers and retailers only recently began testing SET, and a small number of merchant certificates have been issued. These merchants are testing their end of the system by stuffing Secure Socket Layer transactions into the SET format.
But analysts say the true test for SET will come when consumers get into the act, relying on full-fledged certification infrastructures with trusted "certificate authorities" regulating and ensuring the system's integrity.
International Business Machines Corp. is issuing a small number of certificates to Danish MasterCard-Eurocard customers in an SET pilot launched in December, but an end-to-end system in the United States-with digital certificates issued to all parties in a transaction-isn't expected until the end of this year at the earliest.
Meanwhile, consumers blithely continue to buy books, airline tickets, compact disks, and other commodities on-line, using Secure Sockets Layer-or no data security scheme at all.
To some observers, this is the $64,000 question: How will banks convince consumers to install yet another piece of software for safeguarding their payments?
"Understanding this notion of public key cryptography is no trivial issue. There are not that many people in the banking industry that fully understand it," said David Stewart, an electronic commerce consultant with Atlanta-based Global Concepts Inc. "Consumers are just not going to get it, it's that simple."
Mr. Stewart, whose firm has done research for both MasterCard and Visa on consumer acceptance of on-line payments, added that banks will have to adhere to the maxim "keep it simple stupid" when educating consumers about SET.
"I envision MasterCard and Visa taking out a TV ad during next year's Super Bowl with a slogan like, 'It's now safe to shop on the Internet,' " he said. "It's going to take something like that if SET is ever going to reach the mainstream." This article previously appeared in American Banker's Web Site
