Set Protocol Gets 2d Look After Wave Of Web Breaches

The recent wave of high-profile thefts of consumer credit card numbers on the Internet has revived interest in the Secure Electronic Transaction protocol, an Internet security standard developed by MasterCard International and Visa U.S.A.

SET was developed in the mid-1990s, and until about two years ago many banking industry executives viewed the high-tech safety measure as a potential cure-all for merchant and consumer skittishness about putting credit cards on-line. But as more and more consumers overcame their fears about buying merchandise on-line, enthusiasm for SET flagged. The public consensus seemed to be that a lower-grade security standard now used on most Web sites, Secure Sockets Layer, was adequate.

A spate of cyberthefts has changed the situation. Some prominent Internet merchants - including CD Universe, an eUniverse subsidiary, and Expedia.com, an on-line travel agency owned by Microsoft Corp. - have been scam victims. Only Friday, MSNBC.com posted what it called an "exclusive" report about another major credit card theft, one that was said to have occurred in January 1999 in which more than 485,000 credit cards were stolen from an undisclosed Web site and hidden in a U.S. government agency database.

MasterCard and Visa officials say they have had a major surge in inquiries about SET in the last few months from merchants and banks, and are not missing the chance to promote the standard in the face of rising fraud concerns. Moreover, a cheaper and less cumbersome version of SET may be in the offing, which would make the standard more attractive.

Steve Orfei, vice president of e-commerce and emerging technologies at MasterCard International in Purchase, N.Y., said about 60% of chargebacks come from cardholders who say they did not make a purchase that was charged to their bill, and that SET could solve that problem.

"In the SET world, an on-line transaction is as good as a face-to-face transaction," he said.

"The U.S. perspective has been that SSL coupled with address verification is enough," Mr. Orfei said. "Now there's a wakeup call coming to this market that SSL is not enough."

SSL is a protocol used by most on-line merchants to secure the transmission of the customer's information to the retailer, but it does not validate the authenticity of either party. With SET, card numbers are not transmitted over the Internet. Instead, digital certificates - issued to both the merchant and the cardholder - are sent.
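The mechanism behind that paragraph is SET's "dual signature": the cardholder signs the order information and the payment instructions together, so the merchant can verify the order while receiving only a digest of the card data, and the payment gateway can verify the payment while receiving only a digest of the order. The following is an added illustration, not code from the article or from SETCo; the toy RSA key built from two Mersenne primes and the SHA-256 digest are stand-ins (real SET used RSA certificates with SHA-1), and the sample order and test card number are constructed.

```python
import hashlib

# Toy cardholder key pair built from two Mersenne primes (2^127-1 and 2^89-1).
# Far too small for real use; it only stands in for the cardholder's SET certificate.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def h(data: bytes) -> bytes:
    """Message digest, truncated to 24 bytes so it stays below the toy modulus N."""
    return hashlib.sha256(data).digest()[:24]

def sign(digest: bytes) -> int:
    """Textbook RSA signature over a digest (no padding; toy only)."""
    return pow(int.from_bytes(digest, "big"), D, N)

def verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big")

def dual_signature(oi: bytes, pi: bytes) -> int:
    """DS = Sign_cardholder( H( H(OI) || H(PI) ) ) over order info and payment instructions."""
    return sign(h(h(oi) + h(pi)))

def merchant_verify(oi: bytes, pi_digest: bytes, ds: int) -> bool:
    """The merchant receives OI in clear, only the digest of PI, and the dual signature."""
    return verify(h(h(oi) + pi_digest), ds)

def gateway_verify(pi: bytes, oi_digest: bytes, ds: int) -> bool:
    """The gateway receives PI (in real SET, inside an envelope only it can open)
    plus the digest of OI, and checks the same dual signature."""
    return verify(h(oi_digest + h(pi)), ds)

# Constructed sample transaction; the PAN is the well-known Visa test number.
OI = b"order=12345;item=savings-bond;amount=100.00"
PI = b"pan=4111111111111111;exp=12/02;amount=100.00"

def run_demo():
    ds = dual_signature(OI, PI)
    ok_merchant = merchant_verify(OI, h(PI), ds)      # merchant never sees the PAN
    ok_gateway = gateway_verify(PI, h(OI), ds)        # gateway never sees the order
    # An order altered after signing fails verification at the merchant.
    tampered = merchant_verify(OI.replace(b"100.00", b"900.00"), h(PI), ds)
    return ok_merchant, ok_gateway, tampered

if __name__ == "__main__":
    print(run_demo())
```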

But few merchants want to pay the $20,000 or so in software and systems integration that SET now requires.

"As of yet, there's been no reason for merchants to pick up that cost," said David Robertson, president of The Nilson Report, an industry newsletter in Oxnard, Calif. "It's going to require financial institutions to offer incentives to merchants to go to SET."

One major prod for merchants is that by implementing SET, any losses incurred from fraud will be picked up by the card-issuing bank, just as they are in face-to-face transactions. As things stand, merchants who conduct non-face-to-face sales - by order, telephone, or the Internet - must foot the bill for fraudulent transactions.

Expedia, for example, announced earlier this month it would take up to a $6 million charge to cover losses from a credit card scam, where credit card numbers that had been stolen from a variety of other places were being used to purchase air tickets on-line. When the stolen-account holders declined to pay for the fraudulent charges, Expedia got stuck with the bill.

"SET had sort of dropped off the planet for a while, and now is struggling to get on the map again," said Alyxia Do, smart card industry analyst at Frost & Sullivan. "The massive amount of scares we've had in the last two months had a major impact."

Many industry observers say SET will prevail in the end, but only once a less complicated version is released. Mr. Robertson said Visa would release a new version by the end of June.

Adam Backenroth, vice president of technology planning at Chase Manhattan Corp. and president of the Financial Services Technology Consortium, said it is "very conceivable that there will be a SET."

"If it's something simpler and better, it could definitely become standard," he said. "If you get the critical mass of Visa and MasterCard behind it like the original, and it's a better mechanism, it has a chance for traction."

Mr. Backenroth said MasterCard and Visa "have learned a lot, and it's conceivable they have something in the offing."

One alternative to SET is also making inroads, and some see a competition evolving between the financial industry and the information technology industry.

The Internet Engineering Task Force is promoting its own security provision called the X.509 Public Key Infrastructure standard. While X.509 is a broader standard than SET - it is used to identify people for all activities on-line, not just financial transactions - SET offers tighter security for on-line payments.

American Express Co. is using X.509 with its Blue card, and has authenticated all of its merchants with X.509.

X.509 is "easy to implement, and the merchant doesn't need to add any additional software on their end," an American Express spokeswoman said.

American Express still sits on the technology board of SETCo, the company based in St. Louis that was created to manage and develop the SET protocol. It said it may use SET in the future.

Both SET and X.509 "use the same fundamental idea of a PKI - they just do it differently," said Henry Dreifus, a data security consultant in Orlando, Fla. "There's a debate and I don't know if the X.509 world is going to win or the SET world will win."

SET has made strides overseas - MasterCard has nearly 100 merchants using the technology in Finland alone - but banks and on-line retailers in the United States have shown little interest in a technology many see as cumbersome and costly.

Audri Lanford, co-editor of Internet Scambusters, a monthly newsletter about Internet fraud, said merchants are starting to acknowledge the need for a standard to combat fraud, and that SET "has the characteristics to be the best one to do that at this point."

Right now, the only U.S. seller using SET is the Treasury Department's Bureau of the Public Debt, which last November put up a Web site to sell savings bonds.

The Bureau worked with MasterCard and International Business Machines Corp. to install its SET-compliant Web site. Mellon Corp. was chosen as the acquiring bank, and its employees participated in a pilot before the site was officially launched.

The Bureau said more than 210,000 people visited the Web site in its first three months, and bought more than $15.5 million worth of bonds.

"While we had examined other encryption technology, we really felt that SET's authentication measures made it a superior security option," said Wally Earnest, director of the division of staff services at the Bureau's savings bond operations office.

MORE FROM AMERICAN BANKER