Companies Scramble to Speed Up the SET Protocol

The race is on to accelerate SET, and not just in the obvious way.

While MasterCard, Visa, and the technology companies that helped them write the standard for Internet payments continue their uphill push for merchant acceptance, another set of companies is trying to outrun certain technological demons.

Promoters of the protocol for on-line credit card payments (the acronym stands for Secure Electronic Transactions) have barely begun to respond to the fact that it makes computers work too hard.

The card industry's tardiness in getting SET into the field may, ironically, be a saving grace. It buys time to work on systems designed to lessen the work load by literally accelerating the processing.

"The performance bind can be addressed," said Stephen Cohn, a cryptography expert who is president of nCipher Inc., one of several companies selling a potential solution: acceleration technology.

If banks and their vendor-supporters had been too successful at selling SET-based systems, they might have set back the cause. Many desktop computers, particularly the servers that Internet merchants rely on, would quake under the multiple, complex cryptographic calculations that are required to complete a sale. As transaction volumes mounted, buyers would probably be turned off by slow response times.

High-tech companies in the cryptographic acceleration field generated considerable interest last week at the annual RSA Data Security Conference in San Francisco, an event where such problems tend to be acknowledged or confronted before they attract wider attention.

"Most organizations at today's volumes don't have a problem, but they will," said Mark Greene, vice president of Internet payments and certification at International Business Machines Corp., a leading SET seller and advocate.

SET's backers have fearlessly stayed their course. In fact, their acceptance campaign has been making solid gains. Products that comply with the official, full-blown SET 1.0 document are finally on the market, at least a year behind original hopes and schedules.

Dozens of SET pilots are under way around the world and poised to be ramped up. Though the United States has had relatively few pilots, NationsBank performed the first North American SET 1.0 transaction two weeks ago.

The attitude within MasterCard, Visa, their member banks, and the widening circle of "SET partners" is to accelerate marketing and let cryptographic acceleration take care of itself.

By relying on the intricate data-scrambling techniques of cryptography and digital certificates, which are at the heart of the standard, the credit card establishment sought to stamp out concerns about the safety of Internet commerce. Certificate authorities, in many cases, banks, will validate the legitimacy of buyers and sellers and enable transactions to occur without merchants' seeing card account numbers.

MasterCard, Visa, and a consortium that included IBM, Microsoft Corp., and Netscape Communications Corp. decided to build a security framework more closely aligned with credit card risk management procedures than SSL, the Secure Sockets Layer protocol that Netscape popularized in its World Wide Web browser.

"We have duplicated the physical world of credit cards using encryption based largely on RSA public key cryptography," said George Hoyem, vice president and general manager of Verifone Inc.'s Internet commerce division. "Authentication is a must" to assuage the buying public's security concerns, "and SET for the first time allows us to authenticate all three parties" in a transaction: bank, merchant, and consumer.

Mr. Hoyem predicted that SET's "unique certification hierarchy" will prove so effective that there will be calls to use it in other applications.

But SET has paid a price in complexity and computing intensity. That may have hindered its marketing to date, which on-line services observer Scott Smith of Current Analysis, Sterling, Va., characterized as "underwhelming."

John Ryan, president and chief executive officer of Entrust Technologies Inc., the leading public key infrastructure vendor, said he has always been a bit skeptical. Though he supports and even cheerleads (Entrust has an SET product and, he said, a card-issuing customer poised to distribute millions of digital certificates), Mr. Ryan said that his budget for this year anticipated no impact from SET.

Some critics wonder whether it was a case of overkill. Established Web merchants like Amazon.com and Virtual Vineyards have done well under SSL's more moderate encryption regime and have not clamored for SET.

"I don't know of any case where an encrypted credit card number has been stolen off the Internet," said industry pundit and Boston Globe columnist Simson Garfinkel. "I don't think any credit card numbers in the clear (unencrypted) have been stolen off the Internet."

In an RSA conference presentation, Amir Herzberg, a research scientist at IBM's Haifa Research Laboratory in Israel, said SET is a clear improvement over SSL's weak authentication of credit card numbers.

"SET supports the existing credit card infrastructure," he said. "We may lose some things, but the gain from making it easy to deploy can be worth it."

Mr. Herzberg said SET is not without drawbacks, including "limited motivation" of both merchants and cardholders, the vulnerability of encryption keys stored in home computers, the protocol's overall complexity, and what he called "substantial overhead" (about 20 public key operations involved in a single transaction), which bogs down processing.

"An SET transaction is still five to 10 times slower than a non-SET transaction," said Steve Mott, senior vice president for electronic commerce/new ventures at MasterCard International. SET 1.0, he acknowledged, has a scalability problem, but he sees no near-term danger because of the limited volumes.

He preferred to focus on steps the card associations have taken to raise merchants' comfort level.

MasterCard recently announced that as of April on-line merchants' SET 1.0 transactions will no longer be subject to the restrictive "card not present" chargeback rules for mail and telephone retailers. Thanks to SET-mandated digital certificates, the authentication of the cardholder and the finality of the sale will be considered equivalent to those of an in-person transaction.

Visa said it enacted a similar rule last year and argued it was more comprehensive than MasterCard's. But the principle has been reinforced. If retailers take it to heart, then banks can get on with educating their cardholders about electronic commerce and issuing the necessary digital certificates or virtual wallets.

"These kinds of incentives are big; they are the real value proposition," Mr. Greene said. "They communicate that the technology is so secure it will reduce risk in the system. That's a better sell than IBM or any other vendor saying, 'You should use this.'"

The next version, SET 2.0, is likely to accommodate smart card tokens, which can enhance security while providing portability and mobility of cardholders' keys and certificates. It may also address an alternative method of data encryption, elliptic curve cryptography, which has shown promise of making the calculations faster and less burdensome on central processing units.

Speed is not the only benefit of acceleration technology, Mr. Greene said. Like smart cards, it represents a hardware-based approach to cryptography, which is more secure than software.

"IBM is ready now" with a cryptographic accelerator called the 4758, available since last September, Mr. Greene said. Because of a lack of urgency, the product is not one of the headliners in the "e-business" catalogue that embodies IBM's bid for dominance in electronic commerce.

For an entity like nCipher or Rainbow Technologies Inc.'s Internet security group, the catalogue is acceleration. These companies, among the licensees of cryptography conference sponsor RSA Data Security Inc., consider themselves the leaders in the field.

Though Rainbow seems deeper into SET than nCipher, having allied itself with payment software providers like Verifone and Maithean Inc., nCipher is making bold claims. The Andover, Mass., company's CEO, Alex van Someren, told the RSA conference that the nFast 300 can perform 60 SET transactions a second. A 166-megahertz Pentium processor does only two per second.

Accelerated processing is a big part of Atalla Corp.'s pitch. The Compaq Corp. transaction security subsidiary has built its strategy around high-speed cryptography in a piece of hardware that off-loads these operations from merchant and banking systems. Says a company brochure, "There is a big difference between a true hardware security engine and a mere cryptographic accelerator."

For SET, San Jose, Calif.-based Atalla linked up with GlobeSet Inc. of Austin, Tex., a specialist in this type of software. They will get a distribution boost through Hypercom Corp.'s Pinnacle SET product.

"Before Atalla, our keys for SET certificates were stored in disk drives," said Mike Knox, the Phoenix-based point of sale equipment company's product manager for electronic commerce and chip cards. The Atalla hardware-based cryptography "raises the bar in security for the enterprise in SET and is very strategic for Hypercom," Mr. Knox said.

Verifone, the Hewlett-Packard Co. unit that leads Hypercom in the POS market and places great emphasis on SET in an Internet commerce strategy that rivals IBM's, said it will work with Rainbow Technologies to move cryptographic operations on to hardware.

"We are here to make cryptography go faster, whether it is SET, SSL, or something else we don't know about yet," said Rainbow group executive Peter Craig.

He said Rainbow, unlike some other vendors, "only addresses the public key cryptography portion," and he claimed its CryptoSwift is "the only acceleration product actually in the SET marketplace today."

Mr. Ryan of Entrust Technologies was not as concerned about cryptographic processors' readiness for volumes. He said any system based on a network of desktop computers has "incredible scalability" and meeting the highly specific needs of SET certification is relatively straightforward. "The real challenge," he said, "is in the storage and management of directories."

Not to mention market acceptance. Some observers are waiting for MasterCard and Visa to drop another incentive shoe.

"It will be a challenge for banks to convince merchants to switch from SSL to SET," said John Landwehr, director of product marketing for Gemplus Corp. in Redwood City, Calif. The smart card maker follows SET developments closely because it sees a market for chip cards that hold certificates of authentication.

Mr. Landwehr said, "The key would be to lower the discount" that Internet merchants pay to process a card transaction. The card associations can enforce that incentive by putting a preferential bank-to-bank interchange rate on SET items.

Mr. Hoyem of Verifone was insistent on interchange.

Having dealt with the many confusions and complexities, "we are now shipping SET 1.0," he said. "Now we need to drive merchant demand. We are encouraging the card associations to lower (interchange) rates.... We need to seize the moment, educate the marketplace about how safe it is, and then 'advantage' the users" through pricing.

Without that "advantaging," he warned, "this whole thing could come unraveled."

"This is hardly the first technology innovation in the industry," said Mr. Greene of IBM, which has put aside its SET rivalry with Verifone to promote cross-vendor interoperability "in mutual self-interest."

"They did it before with ATMs and debit cards. They know how to roll out SET."
