Internet: Envisioning Growth, Stressing Security

A few companies that have stayed faithful to SET, the credit card industry's much maligned security standard for Internet payments, are trying to stage a revival.

With MasterCard and Visa largely supporting the mission through their joint venture SETCo, technology companies are coming forward as never before to sing the protocol's praises.

No one is yet rejoicing about any degree of salvation from on-line fraud or other abuses. And no one wants to jump to the conclusion that the current wave of unanimity among competitors in the card industry and in the vendor community reverses all prior setbacks.

But as electronic commerce comes of age, concern is growing about fraud, chargebacks, and repudiations - pleadings by cardholders that they did not initiate the payments for which they were authorized. SET advocates see the rest of the world catching up to where they were three or four years ago.

"I never worried about SET - it had to be understood from a business point of view," said Mark Greene, vice president of Internet security at International Business Machines Corp., who participated in the mid-1990s deliberations that led to SET. "Fraud levels will help build the case for it."

"There is a difference now - you have some real fraud out there," said Nicholas DiGiacomo, vice president of Scient Corp. of San Francisco.

Before he joined that e-commerce consultancy, Mr. DiGiacomo worked for Science Applications International Corp., which hashed out the SET technicalities along with the card organizations, IBM, Microsoft Corp., Netscape Communications Corp., and others. SAIC then set up the process that SETCo uses to certify that software complies with the standard.

Mr. DiGiacomo, who took some lumps because of the slow start of SET, is feeling some vindication.

To be sure, SET, which stands for Secure Electronic Transaction, has a long way to go. It is virtually nonexistent in the United States, the center of the commercial universe in the minds of most of those involved in its development.

As happened with smart cards, the U.S. banking and retailing communities saw no urgency in adopting something entirely new. As Internet commerce blossomed, existing methods of transaction processing, combined with the prevailing level of data encryption specified in SSL, the Secure Sockets Layer protocol, seemed to work just fine.

Much of the visible progress has been in Europe, and even there, SET has been "patchy," said Fred Stolk, director of new business development at Interpay, the Dutch banks' payment association that is strongly behind both SET and smart cards. The payment group sees a connection between the two.

In France, it took a concerted effort by the banks to reconcile differences between two competing versions of on-line security. Now they have a single SET-based protocol that fits in with the country's pioneering smart card mandate as well.

Banks numbering in the hundreds, spread across six continents, have at least tested SET. With improvements in software, particularly the digital wallets that consumers use to make payment choices and manage the bank-issued digital certificates that authenticate them to merchants, SET momentum is noticeably picking up.

It may be helped along by strategic refinements, such as the French smart card move and the Dutch plan to include both debit and credit cards in the "I-Pay with SET" initiative.

Also stepping up its activity is SETCo, the year-and-a-half-old certifying and coordinating body. It is organizing various advisory groups, holding vendor "festivals" to foster software interoperability and other problem-solving, and formally extending the current SET 1.0 documentation to make the procedures more easily compatible with SSL, smart cards, and debit cards.

When Entrust Technologies Inc. of Plano, Tex., recently announced that its public key infrastructure would play a role in I-Pay with SET, Mr. Stolk said, "We believe that by supporting both debit and credit card transactions, Interpay is going to be a real catalyst for growth. Merchants in 18 European countries are already SET-enabled, and we are seeing real interest from retailers and financial institutions in what we are doing here."

Even Americans may be watching, but the vendors, like the card associations, are pragmatically accepting the primacy of SSL and preparing to lay a migration path.

"IBM had a strategic advantage early with SET products," said David Chew, director of electronic payments at IBM Software Solutions. The company was involved in the first SET demonstration at yearend 1996 with the PBS consortium in Denmark.

"But we are not waiting around," Mr. Chew said. "We will support SSL, ECML (the new Electronic Commerce Modeling Language for digital wallets), etc. The IBM product line will not be only SET."

IBM, with other SET-supporting vendors such as Trintech Group and GlobeSet Inc., has been preaching interoperability - the need for cross-vendor cooperation, beyond what SET specifies, so that card acceptance on the Internet is as seamless and painless as at conventional points of sale. IBM and the Verifone division of Hewlett-Packard Co. were among the first to make a bilateral commitment to interoperability; they announced June 10 that they had completed a second round of testing.

In the lagging North American market, SET suffers from the stigma of being "one of the most painful and political processes we ever went through," said Ashraf Dimitri, president and chief executive officer of Oasis Technology Ltd., a Toronto-based e-commerce systems vendor to MasterCard, Visa, Citibank, and others.

Mr. Dimitri was referring to a rift in 1995 between the MasterCard and Visa sides that nearly derailed the SET process almost at the start.

"I don't expect that the U.S. marketplace is about to turn," Mr. Chew said. "SET's primary focus is in several markets of Europe and Asia." Yet IBM expects to do a strong business providing "open middleware connections" as the opportunities unfold.

Some observers have criticized MasterCard and Visa for not offering financial incentives to adopt SET. The associations might have lowered the interchange rate, an interbank charge for clearing a card payment, as an incentive for on-line payments. That is what they did to accelerate automated card authorizations when technology made them feasible at points of sale, but because of technical complications this has not happened with SET.

The card associations did change some chargeback rules, making it easier and less costly to deal with disputed cardholder payments than under the mail-order and telephone-order rules, known as MOTO, that previously applied. Steve Mott, a consultant who was MasterCard's senior vice president of electronic commerce when the rule change was announced in early 1998, said at the time that the chargeback adjustment would have more impact than any interchange concessions.

Interchange adjustment or not, Internet transaction economics are changing in SET's favor, experts say.

"Until recently, (card) issuers had to eat much of the cost of e-commerce chargebacks," said Ralph Hertlein, an IBM product manager overseeing electronic wallet efforts. In Europe and South America particularly, he said, volumes are getting big enough that banks and processors on the merchant-acquiring side are bearing more of the risk, and "SET seems to be the answer."

SET's level of cardholder authentication is unmatched by SSL or anything else on the market, making it the best available weapon against improper repudiation.

According to Visa International figures now making the rounds, Internet transactions account for 2% of the network's sales volume but up to 50% of chargeback disputes.

GartnerGroup of Stamford, Conn., said the chargeback rate for Internet merchants is 15%, versus 1% at the point of sale. But it can go up to 30% for on-line merchants selling digital products. Customer disputes are a bigger cause than fraud, Gartner concluded.

Business and marketing executives, as opposed to technologists, "are beginning to look at this, and they see a practical way of shifting the risks," said John McGuire, chief executive officer of Trintech, an Irish company with a U.S. base in Campbell, Calif.

A processor who "acquires a risky merchant's transaction bears a risk and has to price accordingly," Mr. McGuire said. It would stand to reason that the pricing of Net transactions would go up, absent a movement toward "full-blown security with authentication. SET is resurging because of the need to authenticate."

"I see SET as the answer to this," said Mr. Dimitri of Oasis Technology. "Whether the market sees it is another question." He said it behooves banks to grab the "trusted third party" role of certifying their customers' identity for virtual commerce.

"What is SET but a digital letter of credit? Banks already do that today," Mr. Dimitri said.

Mr. McGuire said "regional meetings are being held and initiatives are being proposed behind the scenes" to give a further boost to SET.

Some financial institutions and card companies are exploring the possibility of taking small equity positions in SETCo, which might be a sign of deeper commitment. "It has been talked about, but nothing is imminent yet," said MasterCard spokesman Edward Dixon, on behalf of SETCo.

Trintech, IBM, and others, again with MasterCard and Visa encouragement, are quickly moving ECML wallets into the marketplace. The specification, besides promoting common payment-information formats to simplify the buying experience, lends itself to a range of options that include SET.

For example, Trintech's recently announced ezCard, a virtual credit card accessible from a consumer's computer, would eventually "auto-select" the appropriate level of security, based on what the given payment-gateway and merchant software can accommodate.

But advanced ECML wallets may be only part of the solution.

"The answer will have to be in the wallet, something that is simple and portable so you can take it with you," said Diana Brown, formerly of IBM and now vice president of financial services at Scient Corp.

That points in the direction of smart cards, their computer chips storing the necessary encryption keys and certificates and thereby authenticating the cardholder in any device with a reader.

A portable smart-card wallet may be the ideal vehicle for SET, Mr. Hertlein said. "I see the (wallet) morphing into a couple of pieces, one being the smart card." That, in part, could depend on the popularity of chip cards, which is "still a challenge in the United States."

He said IBM is working diligently on how to "enable more convenience for the consumer and work with SET." And he sees the prospects as big enough to interest bankers and retailers in the higher form of security.

"In the real world, credit cards are 30% to 35% of purchases," Mr. Hertlein said. "On the Internet they are 80% to 85%. The prospect of converting cash and checks into cards has merchants and financial institutions excited about it."
