SET Is Nearly Ready to Go, But Will It Ignite the Marketplace?

Thanks to MasterCard and Visa, the banking industry has done more work than any other on a way to make the Internet safe for buying, selling, and paying.

With an all-star cast of technology companies, the bank-owned card associations developed the Secure Electronic Transactions protocol, an inventive harnessing of computational power to verify the authenticity of buyers, sellers, and bankers who do not and cannot see or speak to one another.

It is, by all accounts, a prodigious technical achievement. The sponsors believe it is about to break out into the public domain, in part through placement of a SET logo in software packages and on World Wide Web sites that certifiably comply with the standard. Companies as prestigious as IBM and Hewlett-Packard are building entire electronic commerce strategies around SET and calling attention to it in advertising.

So where is the excitement?

More crucially, where are the transactions? When will they come, and in what volumes?

They are not quite in sight.

Optimism abounds in the trade as systems incorporating SET 1.0, the first full-fledged "production version," near market readiness. Preproduction versions, supporters say, have proved their mettle in numerous pilots around the world, generating considerable enthusiasm among participating merchants and consumers.

But among the more volatile and opinionated denizens of cyberspace, the sophisticates whose cynicism often confounds high-tech marketers' hopes and intentions, SET has been something of a pariah.

Despite as much as three years of painstaking effort by companies that put aside competitive rivalries for the cause (including International Business Machines Corp., Microsoft, Netscape, GTE, and Verisign), SET is seen by some as a distraction from the more fundamental task of generating consumer and merchant interest.

Despite the warts-and-all exposure of political and philosophical wrangling that almost derailed SET in 1995, and despite its having been subjected to rigorous stress testing, the technology is criticized for being unnecessarily complicated, outdated before its release, or just plain misguided.

Despite the underlying principle, as stated by MasterCard and Visa, that they want to replicate familiar credit card practices from the physical world, SET procedures have been called unnatural and cumbersome.

Complaints have even been lodged against the protocol's reliance on digital certification, a data security technique that many technologists see as the key to Internet commerce safety.

"Certification is a great solution - it's what happens at either end of that process that is the problem," said Jerome Svigals, a one-time IBM industry consultant, now on his own, who portrays himself as a one-man truth squad.

Through E-mail flames and Internet forums, Mr. Svigals has stirred a thickening pot of controversy and forced the SET advocates into a dialogue.

Most say they welcome the give-and-take, in keeping with both the needs of scientific inquiry and the extreme democratic nature of the Net. But they would no doubt prefer to be evangelizing rather than defending.

"I've heard complaints from Day One," said Steve Mott, MasterCard International senior vice president and SET point man.

Some have characterized SET as risk-management overkill, questioning whether consumers really need the high comfort level that SET is said to offer.

"Is security really the No. 1 barrier to the consumer behavior they are trying to encourage?" said William Powar of Venture Architects, Menlo Park, Calif., who retired from Visa last year. "Once there are compelling value propositions, fear won't be a limiting factor."

Others have called SET unnecessary in light of the common availability of SSL, the Secure Sockets Layer protocol. Mr. Mott contends SET has clear advantages, among them the banks' direct involvement and the fact that because of the use of digital certificates, merchants never see credit card account numbers.

Mr. Mott and his Visa International counterpart, senior vice president Steve Herz, must also talk up SET at the current 1.0 level while sympathizing with calls from Mr. Svigals and others that it should incorporate smart cards and perhaps alternative approaches to data encryption.

A smart card or other form of security token would allow people to carry their certificates around and make electronic purchases from many places. Under the original SET specification, certificates are anchored inside a personal computer.

"The smart card and its added security and portability will be an enhancement to SET. There is no doubt about that," said Mr. Herz. "But that's a future direction."

While there may be tens of millions of people with Internet access, he said, it will take years for any sizable number to have chip card readers at their PCs.

"SET is an earlier solution for an existing base of customers to help support growth of the Internet," Mr. Herz said. "SET is a reinforcement of current cardholder behavior, and there is nothing on the horizon that reinforces the banking relationship the way SET does."

Because the specification parallels conventional point of sale practices, "I believe SET will be adopted and move through a technology evolution that supports and enhances those fundamentals."

"We had to come up with a solution that the banking industry and the people who depend on it could rely on," said Mr. Mott of MasterCard. "The onus was on duplicating what we did in the physical world," which is why the competing brands cooperated on SET, just as they agreed to an interoperable standard for cards and merchant equipment.

Mr. Mott said priorities are being set for a SET 2.0, including a debit card extension, chip card integration, and perhaps the elliptic curve method of calculating encryption algorithms, an alternative to the RSA standards that is championed by Certicom Corp. of Canada.

There will always be demand for "better, faster, cheaper," Mr. Mott said, "and we damn well better deliver it."

Mr. Svigals, who is based in Redwood City, Calif., raises concerns about consumers' and merchants' ability to manage the proliferation of certificates that might come their way, and about certificate authorities' readiness for massive volumes of transactions.

The certification vendors, led by GTE and Verisign, insist not only that they have what it takes, but also that they can support any issuing institution that wants to act as its own, or private label, certificate authority.

Entrust Technologies of Richardson, Tex., a spinoff of Northern Telecom of Canada, shares that conviction, having just entered the SET certificate game.

"Doing business over the Internet will be the norm in the near future," said Entrust president John Ryan. "SET opens doors to merchants and consumers who want to conduct business in this manner securely and with confidence. With its new SET functionality, Entrust is demonstrating its capability to evolve its platform to support new industry standards."

Mr. Svigals is most worried about certificate issuance and other processes that SET, which applies only to credit card payments while "in the pipeline," does not directly address. He alleges, and SET proponents do not deny, that certificates can get into the wrong hands. The banking system could find itself powerless to prevent such fraud, and may not even know it happened.

"The same is true of wire transfers," Mr. Svigals said, referring to the wholesale money transfer operations that bankers go to great lengths to safeguard. "The transfers themselves are very safe. The problem is what goes on in the wire room before and after a transfer happens."

"Cryptography is easy, (encryption) key management is hard," said Jim Rudd, president of the Mondex USA originating company, which manages the electronic currency that goes on the smart cards.

He said the SET technology is "definitely adequate," but the key management operation can be bolstered using the smart card chip.

Mr. Svigals, a longtime proponent of smart cards, supports their use as portable tokens. He also pointed to the Mondex system as an example of how security can be ensured without going through SET-like hoops.

Those hoops include the considerable number of cryptographic calculations specified by SET, which could lengthen the time it takes to complete a purchase. Even a few seconds would be noticeable and could discourage on-line commerce.

This "processing-intensity" problem has prompted a search for more speed in transaction systems. Tandem Computers Inc. is making a race out of it, not just to maximize throughput, but to be first with SET 1.0 software in an alliance with GlobeSet Inc. of Austin, Tex.

"SET is a bit of a killer in terms of the amount of cryptography," said Nicko van Someren, chief technology officer of nCipher Corp., a Cambridge, England, developer of so-called cryptographic accelerators. He said SET requires six RSA public key operations per transaction, while SSL requires only one. The added burden falls hard on the merchant's server computer, which could limit its availability to customers.

The elliptic curve technology would be less burdensome than that of RSA Data Security Inc., one of the SET development partners. But Mr. van Someren agrees with many experts in the field that Certicom's Elliptic Curve Cryptosystem has not fully proved itself.

Though the debates may rage, technology providers are raring to go.

"We will do 1.0 and have it certified quickly," said Richard A. Bailey, director and general manager of enterprise systems for Verifone Inc., the Hewlett-Packard transaction automation subsidiary. "It's not technically difficult. From a product standpoint, it's a standard, and we build it in."

"It's a comfort factor," said George Hoyem, general manager of Verifone's Internet commerce division. "It solves the security perception problem. It's on track and rolling. It will be refined over time, but it is an absolute necessity for commerce in this space."

Mark Greene, IBM's vice president of Internet payments, said the 1.0 stage (his company is promising full availability by November) ends "the first chapter of the book. The second chapter is market acceptance, education, implementation, and rollout, which in many ways will be harder than getting the technology right."

He said SET has been "a lightning rod for Internet critiques" because it is "the first initiative of its kind. As the first mass-market rollout of secure Internet commerce, it is a symbolic event."

"I am high on it," Mr. Greene said of SET, but he looks ahead to when it will be "woven into the fabric of commerce" and "transparent to the consumer."

Two Silicon Valley research groups, Killen & Associates and SRI Consulting, have made optimistic forecasts for SET. Killen sees a vendor bonanza; SRI said it "will handle the lion's share of a $10 billion-plus Internet commercial market by 2001" and dwarf digital cash alternatives.

But even the SET principals are not locking themselves into any assumptions.

"I'd be the last to say the SET we have today is the optimal system for the future," said Mr. Mott. "It has to be scalable and stand the test of time."

"As the technology improves, SET can be improved," said Mr. Herz. "I see technology advances helping SET, not making it obsolete."

"Let's not rush to judgment; let's let the markets work themselves out," said attorney Thomas Vartanian of Fried, Frank, Harris, Shriver & Jacobson in Washington, who has studied the legal and risk implications of several emerging payment types. "I see SET as something along a continuum. I don't think for a minute that what it is now is the way it will end up."
