SET, the Secure Electronic Transaction specification for Internet payments, is showing signs of life that critics of the technology may not be giving it credit for.
SETCo, the offshoot of MasterCard and Visa that certifies compliance with the standard, added to its output by almost 50% in the first two months of 1999.
Three companies gained the right to display the SET seal of approval on four software packages: merchant products from Trintech Group and Verifone Inc. and payment gateways from Verifone and International Business Machines Corp.
They bring to 13 the number of systems that have cleared the rigorous testing process that the bank card associations contracted out to Tenth Mountain Systems Inc. of La Jolla, Calif., in December 1997.
The deliberate pace of the compliance testing-Tenth Mountain has gotten through about a quarter of 47 software products that 22 organizations have submitted for approval-fueled widespread sentiment that SET has been too flawed and too slow to have the desired impact on electronic commerce.
But SET's sponsors and others selling or promoting Internet payment systems have kept the faith. They expect that as on-line sales approach mass-market proportions, consumers and merchants will want greater security assurances than they have under the prevailing SSL, or Secure Sockets Layer, protocol.
The vendors have also found SET demand materializing outside the United States. For the anticipated transition, they have built into their systems the flexibility to handle both SET and SSL.
Trintech, for one, did that with its recently released PayWare NetPOS, which is based on the S/Pay Engine that won SETCo approval in its merchant form in January. A digital wallet built on S/Pay was in the first flurry of SETCo announcements last May-along with wallets from Verifone, GlobeSet Inc., and Spyrus/Terisa Systems-and Trintech is awaiting approval for its payment gateway software to be able to claim "end-to-end" SET assurance.
"The award of the SET mark for our S/Pay tool kit is a major breakthrough for Trintech and helps us deliver our commitment to offer the complete range of security standards in our e-commerce solution," said John McGuire, chairman of the company, which has dual headquarters in Campbell, Calif., and Dublin.
"The SET protocol is an important aspect of Internet payment, with businesses in many countries adopting it as their security standard," said Tom Kilcoyne, vice president and general manager of Verifone's e-commerce software division. "The explosive growth of Internet commerce predicted over the next few years will bring forth a higher demand to protect the integrity of transactions from start to finish for consumers, financial institutions, and merchants alike."
To be sure, Internet commerce has not waited for SET. Bowing to that reality, the MasterCard and Visa associations have been aggressively promoting their brands on-line in a generic way. At the same time, they have remained committed to SET and continue to give it considerable senior- level attention.
American Express, Citigroup's Diners Club unit, the Discover card, JCB of Japan, and the Air Travel Card organization have all lined up behind SET, albeit with tempered expectations.
"We support SET based on business needs," said Alan Goulet, an American Express Co. vice president in the smart card and electronic commerce areas. "We are not exclusive to SET. It has some value but is quite cumbersome to implement. It may make sense with some specific merchants or countries."
SET had its genesis in separate MasterCard and Visa attempts, dating back to 1994, to design a security protocol for the Internet. It took about three years to overcome political and technical obstacles and get to a unified production version known as SET 1.0, which was incorporated in several pieces of software on the market by late 1997 or early 1998.
By relying on digital signatures and data encryption, SET 1.0 eliminated a major fraud risk by not requiring the transmission of a credit card number over the Internet. The biggest rap against SET 1.0 was complexity. Cardholders, merchants, and banks all need digital certificates, and the resulting exchanges and digital signature operations can be slow and off- putting.
More powerful personal computers and servers, the technology of cryptographic acceleration, and other innovations are coming into play. Trintech is selling an evolutionary path from SSL to full SET, with one of the interim steps called certless, or certificate-less, SET.
Trintech's end-to-end SET aspirations are equaled by several other vendors. When it gains payment-network gateway approval, it will have the same three SETCo notches that Verifone has achieved: wallet, gateway, and merchant.
Verifone, a Hewlett-Packard Co. subsidiary based in Santa Clara, Calif., won approval for vWallet in May 1998. The merchant software, vPOS, which also has an SSL option, followed Jan. 20, and vGate on Feb. 16.
Included in a subsequent Verifone press release was praise from Royal Bank of Canada and Paradata Systems Inc., a British Columbia company that has been developing vPOS systems for a year and provided Royal Bank's first SET hosting service.
"Verifone's receiving the end-to-end SET mark means that our merchants can now offer a highly secure means of conducting payment over the Internet," said Adrian Horsfield, a Royal Bank senior manager for electronic commerce. "We are proud to be on the leading edge of technology, providing our merchants with solutions that let them jump to the forefront of the Internet commerce revolution."
"Verifone's SSL and end-to-end SET-based Internet software provides a practical solution for Internet shoppers today and gives new Internet shoppers the confidence to make payments on-line," said Shannon Byrne, president of Paradata Systems. "SET provides an additional level of security that makes on-line payment more like being inside a real store."
Only GlobeSet Inc. of Austin, Tex., which supplies software to processors around the world on a private-label or original equipment manufacturer basis, has earned the SET compliance mark in all four categories: wallet, merchant, gateway, and certificate authority.
GlobeSet has also enrolled with SETCo server-based versions of its virtual wallet and point of sale software-seen as more efficient than when these programs reside on client PCs.
With IBM's Payment Gateway 1.2 officially posted as approved on Feb. 25, that company is one step away from having all four SETCo marks. Still pending is its Payment Server merchant software.
Fujitsu Ltd. and Hitachi Ltd. of Japan and Privylink of Singapore have enrolled with SETCo-formally, SET Secure Electronic Transaction LLC-in all four categories.
The "vendor status matrix" posted on the SETCo Web site indicates that seven products are in the "pending approval" stage, including Cybercash Inc. wallet and merchant software and certificate authorities from Entrust Technologies Inc., Fujitsu, GTE Cybertrust Solutions, and Verisign Inc.
Meanwhile, MasterCard and Visa have stepped up their campaign for interoperability-the step beyond SET compliance that assures that different vendors' products can work together. They held a month-long "interoperability festival" in October, with 17 products from Entrust, GlobeSet, IBM, Trintech, Verifone, and Verisign.
"These events will be held on a quarterly basis and we hope to see an increase in the number of vendors and vendor products that participate," Steve Herz, Visa International senior vice president of Internet commerce, said late last year. This "should accelerate adoption of SET-compliant products by cardholders and merchants by ensuring that interoperable products are available from a wide range of vendors."
Interoperability becomes crucial with the expected rapid growth in e- commerce, said MasterCard senior vice president Arthur Kranzley. "The SET community is committed to assuring that its vendor products be globally interoperable."