Rarely does an entire industry make common cause in timely fashion the way the major credit card companies and their technology suppliers did with Internet payment security.
MasterCard and Visa, American Express and Discover, IBM and Microsoft, Netscape and others managed to agree on SET, the Secure Electronic Transaction standard. It was supposed to make the Internet safe for commerce and give consumers at least as much confidence as they have when presenting payment cards in stores.
If anything was going to open the floodgates of mass-market electronic commerce, SET was it.
It did not quite work out that way. As much as the coalition may have accomplished technically over three to four long years, its major contribution has begun to look more like a can of worms. The companies have faced accusations of mismanagement and ineffectiveness, and were forced back to drawing boards more than once.
As a case study of good intentions and unintended consequences, SET raises issues that the stewards of banking and payment systems have been confronting forever, but now with a greater, high-technology urgency. These issues, to be explored in this and two articles to follow, revolve around security and confidence and whether banks can maintain their hold on the tangible and intangible aspects of both.
The issues arise in familiar contexts: business growth and innovation, competitiveness and risk management. New technologies magnify them to a point where the right moves can pay off handsomely for all concerned. By the same token, missteps can squander market share and give competing companies and industries a chance to control what used to be rightfully and indisputably in bankers' steady and dependable hands.
The SET experience would suggest the jury is still out, a scary prospect given the acceleration of Internet time and bankers' increasing preoccupation with other matters, both technological (year-2000 fixes) and strategic (including mergers, product diversification, cost cutting, and reallocation).
But this implies that SET still has a chance to deliver, and its backers have not lost the faith. They acknowledge that they did not meet the early expectations, but they continue to maintain that once electronic commerce takes off (Forrester Research of Cambridge, Mass., is now projecting $1.4 trillion to $3.2 trillion of business and consumer sales by 2003), something more drastic than today's common denominator of SSL data encryption will have to be imposed.
"SET was viewed in the past as a product for e-commerce, and that was the wrong positioning," said Arthur Kranzley, senior vice president of electronic commerce, MasterCard International. "This was a technology intended to secure payment transactions over the Internet."
Steve Herz, senior vice president of Visa International, who stands with Mr. Kranzley on the SET firing line, described it as an "infrastructure initiative" of considerable complexity. "It requires consumer, merchant, and bank software that has to work together and be deployed broadly around the world."
A lot easier said than done. Visa, MasterCard, and their partners are in hot pursuit of interoperability, whereby all forms of SET software can interchange payments as readily as do card-swipe terminals and point of sale networks. That task has required efforts above and beyond the writing of technical specifications, to the point where SET Secure Electronic Transaction LLC, the joint governing body nicknamed SETCo, is sponsoring an "interoperability festival" for vendors.
Vendors are indeed working diligently on interoperability and other fronts. Mr. Herz also pointed out that interest in SET, even enthusiasm, is high outside the United States, which has been as blasé about this as about that other side of the future-payments coin, smart cards. More than 150 Visa banks in 39 countries are experimenting with SET or planning to use it, as are at least 78 MasterCard members.
PBS, the Danish payment systems company that raced to be the first to demonstrate SET in 1996, has essentially made it mandatory for on-line purchases. Two weeks ago, when the BOC Group launched a virtual shopping mall with 19 merchants in Hong Kong, SET was a part of it. In that region this is the rule, not the exception.
Given this international dimension, North American organizations "have to have SET on their road map," said John McGuire, chief executive officer of Trintech Group, an Irish-American payment software company that was in the first wave of winners of SETCo certifications.
"It is great technology, but it is not ubiquitous; it takes time for that to happen," Mr. McGuire said. "It needed an infusion of commercial reality. Now the marketing folks are taking over."
Mr. Kranzley contended that the internationalization of retailing will be a big spur to SET because, simply, merchants want to get paid. Because SET assures nonrepudiation (a consumer cannot fraudulently or otherwise deny after the fact that a valid payment order has been entered), an on-line small business "won't have to worry and can go ahead and ship the goods," Mr. Kranzley said.
Mr. Herz is buoyed by initiatives to improve and streamline the digital consumer wallets and other necessary links in the SET chain. Wallets will be embedded in Microsoft and Netscape browser software, for example, and America Online is planning a wallet service to ease its members' electronic purchasing.
"This is an evolutionary process," Mr. Herz said. "A lot of focused things are coming together that provide a springboard for future growth."
"Electronic commerce is in the de novo stage," said Mr. Kranzley, who collaborates with Mr. Herz in the administration of SETCo. "We are not seeing anything like the transactions we will be seeing in two or three years with more and more acceptance. The technology will change substantially in the next couple of years to make SET easier and more transparent to the user."
"Think about how easy it is to activate a credit card when you get it in the mail," said Mark Greene, vice president of electronic commerce at International Business Machines Corp. and a participant in the SET process since the beginning. "If it is any more complicated than picking up a phone, it is not going to fly."
He said IBM's strategy around its recently SETCo-certified consumer wallet is aimed at "mass enablement," a goal shared by Cybercash Inc., GlobeSet Inc., Trintech, Verifone Inc., and others among the 19 that have enrolled in the compliance testing program that leads to the posting of the SET "seal of approval" on software and Web sites.
Realistically, Mr. Greene said, not until next year will retailers embrace SET for its privacy, message integrity, and nonrepudiation benefits. Just as many bankers are preoccupied with year-2000 upgrades, major retailers will put longer-term projects on hold until after the Christmas rush. He said SET has too much bottom-line potential (attacking losses that some merchants have been reporting at anywhere between 10% and 50% of on-line sales) to be ignored.
Such logic and optimism have not swayed at least three classes of critics: technologists who fault the way SET works; the computer industry press, which tends to be opinionated and to jump on any failure to deliver on promises; and, most troublesome of all, retailers.
Technology debates have raged since before there was an SET. In the initial Internet commerce flowering of 1994, Visa started a project with Microsoft called Secure Transaction Technology. MasterCard, IBM, and others had Secure Electronic Payments. The decision on the acronym SET was one of the first made when the two groups joined forces the next year. At one point they broke apart, and it took a few months to regroup. Some critics say the program never got over that rough start.
By late 1997, as the full-scale SET 1.0 version finally made its way into the market, even proponents were forthright about its drawbacks. Wallets were anything but simple. Because the process revolved around digital certificates and exchanges of digital signatures among the cardholder, merchant, and payment gateway, computers, particularly those at merchant sites, could get bogged down in public-key cryptographic operations, slowing response times if not turning off customers entirely.
There were, and are, solutions. Digital wallets have become "thinner," easier on personal computers' hard-drive capacity. Cryptographic accelerators can offload the public-key calculations that make each transaction expensive. A study just completed for SETCo by Gartner Group concluded that the "compute-intensity" problem is more manageable at reasonable expense than many people thought.
For further enhancements there is SET 2.0 to look forward to. Because that could be a year or two away, people are not waiting for it to figure out how to make the certificates work on smart cards or with the alternative cryptographic method, elliptic curve cryptography.
Sue Pontius, president of Spyrus, a Silicon Valley data security company that has been in the SET inner circle and owns one of the wallet certifications, finds it all too complicated.
"The consumer is impatient," she said, suggesting that the industry ought to move toward the interactive television notion of set-top boxes with smart card slots to facilitate shopping. "We can't wait for SET 2.0."
"To an engineer, SET makes a lot of sense," the technology writer Simson Garfinkel said in a 1997 column for HotWired. But he concluded it was ultimately just "a full-employment act for highly paid software engineers."
"It's a technically sweet solution to a number of problems that don't exist in the real world of electronic commerce," Mr. Garfinkel said.
Tim Clark, an influential technology commentator on CNET's news.com site, views SET as not only overengineered but unnecessary as long as there is no discernible security hazard. (See excerpt on page 18.)
Jerome Svigals, a one-time IBM industry consultant, smart card advocate, and frequent critic of the bank card groups, said he cannot make sense of SET even from an engineering perspective. He said the digital certificate vendors and card associations are too caught up in preserving their market positions to arrive at a more workable solution. And he sees holes in the underlying certification process, including no way to guarantee positive identification of a certificate holder and no assurance against merchant misuse of a submitted certificate.
"People who have deployed user-name and password-based systems know they are fraught with risk-management pitfalls," said Anil Pereira, marketing director of Verisign Inc., the leading SET certificate supplier. "Certificates are many orders of magnitude more secure," assuming issuers do their due diligence.
He and others in the information security industry say that certificate issuance, policy setting, and management of expirations and revocations are all rapidly advancing arts and sciences, and provide an ideal business opening for banks that want to perform a digital service akin to what they do with, say, signature card files or letters of credit. That was the rationale behind the American Bankers Association's recent establishment of a for-profit subsidiary, ABAecom, to initiate a financial industry public key infrastructure.
Shawn Abbott, chief scientist of Rainbow Technologies Inc., a cryptographic acceleration specialist, said that such a PKI is essential to assuring that the keys for locking and unlocking protected data "belong to who we think they belong to."
"Where is a well-definable trust infrastructure?" he said. "MasterCard and Visa seem like a great place to build a PKI. That's what SET is."
Mr. Abbott acknowledged the considerable "bootstrap problem," which seems to try the patience of many who want to do Web business now.
In a ComputerWorld article last March, answers to questions posed about the viability of SET included "I don't know" (Judy Neuman, vice president of interactive media, Eddie Bauer Inc.) and "I don't think we need it" (Brian Sugar, new-media director, J. Crew).
"SET did more harm than good," Robert Olson, co-founder of the pioneering Internet wine merchant Virtual Vineyards, told American Banker. "It's too hard to use.
"I need to know who is on the other end. The problem with wallets is that you don't know. A kid can get hold of it."
Scott A. Walters, manager of business development for Ordertrust, a processor of on-line orders for 1-800-Flowers, SkyMall, and others, said brand-name retailers have made their peace with the lower-level SSL (Secure Sockets Layer) encryption protocol and are perceived by buyers as properly safeguarding card numbers and other sensitive data.
"If I'm buying from somebody reputable, I'm comfortable my credit card is taken off the server," Mr. Walters said. "Once an Ordertrust order is received, it is not on any network."
The fastidious risk manager does not accept partial solutions or assurances. Mr. Herz of Visa said Virtual Vineyards, Amazon.com, and several other merchants did not help the security cause much when they recently pledged to cover any of their customers' on-line losses. The key is "ubiquitous, global, and universal trust" that only SET, usable without restriction and able to authenticate any store regardless of size, can accomplish.
"For me, as a cardholder, what is my risk? $50," said Ms. Pontius, referring to the federal liability limit. Education is needed to get consumers over the "fear factor."
"Today's marketing is so tied to the brand on the plastic that people haven't grasped that the brand is what comes up on the screen or at a kiosk," Ms. Pontius said. "The card is about liability."
"We support SSL. It is part of our best practices," said Mr. Kranzley of MasterCard. "But there is a real problem of fraudulent merchants and a lot of repudiation. There are valid merchants who may not protect credit card numbers. SSL doesn't protect against that."
SSL, from this viewpoint, encrypts a transaction session nicely and authenticates the merchant's server with a certificate, but it leaves the cardholder to be identified by passwords, and it does not fully bend to "the transaction model." It also does not mask card numbers: SSL protects the number only in transit, and the merchant's server decrypts it. With SET the payment instructions are encrypted for the payment gateway, so merchants never see an account number, closing off a major route to fraud.
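As an added illustration of that last point, and not code from the page, from SET, SETCo or any vendor named here: SET 1.0 keeps the account number from the merchant by binding the order information (OI) and the payment instructions (PI) with a "dual signature" (one signature over the concatenated hashes of both) and by sealing the PI in a digital envelope that only the payment gateway's key opens. The merchant verifies the signature from the OI and the hash of the PI; the gateway verifies the same signature from the PI and the hash of the OI. The model below is a toy: textbook RSA with no padding and 512-bit keys, SHA-256 in place of the SHA-1 and DES that SET specified, a seeded PRNG, no certificates (the cardholder's public key is handed over directly), and constructed sample order data with a well-known test card number; the function names (cardholder_purchase, merchant_verify, gateway_authorize) are the example's own.

```python
"""Toy model of the SET 1.0 dual signature and digital envelope (added example,
not SET's own code).  Textbook RSA with no padding, 512-bit keys, a SHA-256
keystream standing in for DES and a seeded PRNG: none of it is safe for real use."""
import hashlib
import json
import math
import random

random.seed(1998)  # reproducible demo keys; real code uses the `secrets` module
sha256 = lambda data: hashlib.sha256(data).digest()

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; callers pass odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits: int = 512):
    """Return ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_sign(digest: bytes, priv) -> int:
    return pow(int.from_bytes(digest, "big"), priv[0], priv[1])

def rsa_verify(digest: bytes, sig: int, pub) -> bool:
    return pow(sig, pub[0], pub[1]) == int.from_bytes(digest, "big")

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 in counter mode XORed over the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = sha256(key + off.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal_envelope(plaintext: bytes, recipient_pub) -> dict:
    """Digital envelope: fresh symmetric key, RSA-wrapped so only the recipient can open it."""
    key = random.getrandbits(128).to_bytes(16, "big")
    return {"wrapped_key": pow(int.from_bytes(key, "big"), recipient_pub[0], recipient_pub[1]),
            "body": _keystream_xor(key, plaintext)}

def open_envelope(env: dict, recipient_priv) -> bytes:
    key = pow(env["wrapped_key"], recipient_priv[0], recipient_priv[1]).to_bytes(16, "big")
    return _keystream_xor(key, env["body"])

def cardholder_purchase(order: dict, payment: dict, card_priv, gateway_pub) -> dict:
    """OI in the clear for the merchant, PI sealed for the gateway, and one dual
    signature over both digests.  The merchant forwards PI_envelope, OIMD and DS."""
    oi = json.dumps(order, sort_keys=True).encode()
    pi = json.dumps(payment, sort_keys=True).encode()
    oimd, pimd = sha256(oi), sha256(pi)
    pomd = sha256(pimd + oimd)  # payment-order message digest
    return {"OI": oi, "PIMD": pimd, "OIMD": oimd, "DS": rsa_sign(pomd, card_priv),
            "PI_envelope": seal_envelope(pi, gateway_pub)}

def merchant_verify(req: dict, card_pub) -> bool:
    """The merchant checks the dual signature from OI and the hash of PI alone."""
    return rsa_verify(sha256(req["PIMD"] + sha256(req["OI"])), req["DS"], card_pub)

def gateway_authorize(req: dict, card_pub, gateway_priv) -> dict:
    """The gateway opens the envelope and checks the same signature from PI and OIMD."""
    pi = open_envelope(req["PI_envelope"], gateway_priv)
    if not rsa_verify(sha256(sha256(pi) + req["OIMD"]), req["DS"], card_pub):
        raise ValueError("dual signature does not cover this PI/OI pair")
    return json.loads(pi)

def merchant_sees_pan(req: dict, pan: str) -> bool:
    """Does anything the merchant holds contain the account number in the clear?"""
    return pan.encode() in req["OI"] + req["PIMD"] + req["PI_envelope"]["body"]

CARD_PUB, CARD_PRIV = rsa_keypair()
GATEWAY_PUB, GATEWAY_PRIV = rsa_keypair()
# Constructed sample data; 4111... is a widely used test number, not a real account.
ORDER = {"merchant": "example-wine-shop", "sku": "CAB-1995", "qty": 2, "amount": "59.90"}
PAYMENT = {"pan": "4111111111111111", "exp": "12/99", "amount": "59.90"}
REQUEST = cardholder_purchase(ORDER, PAYMENT, CARD_PRIV, GATEWAY_PUB)
```

The module builds one request at import: `merchant_verify(REQUEST, CARD_PUB)` returns True while `merchant_sees_pan(REQUEST, PAYMENT["pan"])` returns False, and altering a byte of the OI, or substituting a different PI in the envelope, makes the respective verification fail. It also shows where the merchant-side cost described earlier comes from: every request costs the merchant at least one RSA verification, and the gateway an RSA decryption plus a verification, before the certificate checks this toy leaves out.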
"SET is meant to actually create transactions," said Steven Cohn, president of nCipher Inc., a developer of acceleration tools. "We need a lighter protocol to do that, but this is what SET does that SSL cannot."
"SSL gets the job done, quick and dirty" said Mr. Abbott of Rainbow. "It is one reason for the slowness of SET. But as Internet business gets bigger, plenty of people will be interested in SET."
Mr. Pereira of Verisign said "SSL at least gives a comfort level. SET will be the next level. The more user-friendly it is, the greater the adoption and ubiquity."
SSL has those qualities. SET, by contrast, comes across as having been created by committee for an indifferent audience. MasterCard and Visa have changed some chargeback rules to encourage SET acceptance by merchants, but they have not heeded calls to lower interchange pricing. Even if they did, there is still a chicken-and-egg, supply-and-demand challenge: consumers need wallets for SET to kick in.
The trick will be to make SET so painless and transparent that people will hardly notice-as big a technical and marketing challenge as the consumer payments industry has ever encountered.
Industry leaders are sounding more pragmatic and less dogmatic about getting the e-commerce ball rolling. MasterCard's sponsorship of National Online Shopping Week, starting Nov. 27, is by definition aimed not just at the SET segment.
"We are very bullish on electronic commerce as a new channel and opportunity," said Visa U.S.A. president Carl Pascarella. "SET is an important part of our initiative, but really we are here to be an enabler. I wouldn't say it has to be SET-compliant today. We are interested in opening this channel and making it as convenient and widely used as possible."