Victories Overseas May Revive SET in U.S.

The SET payment standard for the Internet is making inroads overseas that supporters say could eventually turn the tide in North America, where much of the banking community wrote it off as unwieldy or unnecessary.

The protocol, formally Secure Electronic Transaction, was vilified almost from the day the MasterCard and Visa associations, in cooperation with several leading technology vendors, started to promote it. Though there are still no noticeable stirrings in the United States - those same companies are more intent on distributing digital wallet technology for holiday season shopping - momentum in Europe is building, along with the general excitement about electronic commerce and a corresponding concern about credit card fraud and chargebacks.

"The question 'Is SET dead?' is a funny one to Europeans," said International Business Machines Corp. security expert Mark Greene, who participated in some of the early discussions on the protocol in 1995 and 1996.

With the international bank card associations and companies such as IBM and Microsoft Corp. participating in the standard setting and ready to support SET among other security mechanisms for Web transactions, the much maligned protocol may have a fighting chance after all.

It has been embraced enthusiastically in two recently launched banking industry initiatives: iPay in the Netherlands, where "SET is very nearly a legal requirement," Mr. Greene said, and Cyber-COMM in France, where SET is being combined with smart cards in a national drive to authenticate customers at all terminal locations, including home computers.

SET has won similar backing from banking consortiums in Germany, Spain, Japan, South Africa, and elsewhere. The reason is that transaction disputes, whether because of fraud or consumers' unfamiliarity with e-commerce service and procedures, are epidemic, said Sandra Alzetta, senior vice president of electronic commerce for Visa International's European Union region.

"This is an issue we have to resolve now," she said, adding that seven out of 10 people who are reluctant to shop on-line cite security concerns as the reason.

Web commerce "has to be as easy and secure as shopping on High Street and has to be perceived that way," Ms. Alzetta said during the Cartes '99 smart card conference in Paris last month. "We need authentication technologies to reduce fraud," and SET can raise the comfort level of both buyer and seller. She described it as "an excellent way of addressing that."

"Merchants and consumers have different perceptions of where these problems sit versus banks," said MasterCard International senior vice president Michael Harris. "SET is the best solution for dealing with these problems end-to-end."

Advocates have contended all along that SET is the only viable way to add authentication assurances to faceless, signature-less card transactions in cyberspace. Short of SET, Web connections are safeguarded by Secure Sockets Layer, or SSL, which makes it difficult to violate an interaction between buyer and seller but does not certify that those parties are who they claim to be.

Identification could be assured by a digital certification process in which the card-issuing bank, for example, vouches for the validity of its cardholder. A further benefit of SET is that card numbers would not be transmitted over the Internet. Exchanges of digital certificates would take their place, making the transactions arguably safer than those done over the telephone or even at some real-world merchant sites.

The SET community stuck to its guns, saying the day would come when fraud would require what SET could deliver - and Europeans, at least, may be ready to acknowledge that this day has arrived. Some observers say that as U.S. merchants encounter fraud in serving overseas shoppers they will inevitably change their tune.

But in the early stages of Internet growth, these arguments fell flat in the United States. Neither prominent Web merchants such as Amazon.com nor their payment-processing banks were willing to wait for the standard to be completed and then tailor their systems accordingly. Instead they relied on existing card authorization and antifraud measures and new screening techniques built around Internet transaction patterns.

Web commerce took off faster than the SET committee structure was able to react. Resistance mounted as it became clear that the complexity of SET - the multiple cryptographic operations required to validate banks', merchants', and customers' digital certificates - bogged down the server computers from which consumers desired instant gratification.

"It was too compute-intensive," said Ron Martinez, chief executive officer of Brodia.com, a San Francisco virtual wallet company whose clients include the credit card leader MBNA Corp. and the pioneering Internet transaction processor Wells Fargo Bank. "You needed heavy iron to make it work" when business increasingly revolved around personal computers and other compact server equipment.

Mr. Martinez said SET's "impulse was correct. It was not wrongheaded. It was just an implementation question."

He described the electronic commerce modeling language, or ECML, an approach embraced by MasterCard, Visa, and others in the digital wallet business to standardize the completion of on-line merchants' order forms, as "SET peace with honor."

Domestically, ECML, announced on June 14, has gained far more popularity than SET in a much shorter time. Though SET after recent modifications is not as "compute-intensive" as it used to be, it still has a lot of inertia to overcome on this side of the Atlantic.

IBM Payment Suite architect Mark Peters, who participated last week in the Cardtech/Securtech "Cards on the Net" Conference in San Francisco, gave several reasons not to bury SET. Among them: Powerful brands such as American Express, MasterCard, Visa, and JCB of Japan carry "SET brand certificates"; merchants will appreciate payment guarantees in the face of fraud rates as high as 30% on digital-product sales over the Internet; and new flexibility in SET rules allows for transactions even when a cardholder certificate is lacking.

Mr. Peters also pointed out that it took automated teller machines 15 years to become pervasive.

The first live SET demonstrations occurred at the end of 1996 in Europe. By early 1998 the long-delayed 1.0 version of the specification was available in several vendors' software. In May 1998 SETCo, a MasterCard-Visa venture administered by an affiliate of Science Applications International Corp. of San Diego, issued the first four SET 1.0 certifications to Globeset Inc., Spyrus, Trintech Group, and Hewlett-Packard Co.'s Verifone unit.

Consistent investments and commitments by these and other technology companies - responding to European and other foreign demands, for the most part - have helped keep the flame burning.

By October 1998, 19 software providers had submitted 42 wallet, merchant, payment-gateway, and digital certificate packages to SETCo for approval. By the end of that year, nine products had gained the right to display the SET seal of compliance.

The setco.org Web site currently lists 25 companies that have submitted 54 programs for approval; 26 of the programs have completed the process. Between May and August, Fujitsu of Japan got four of those SET seals; Globeset and Cybercash Inc., two each.

"In the early days this was cumbersome, heavyweight technology," said Mr. Greene of IBM, whose four SET seals match Fujitsu's and are two shy of Austin, Tex.-based Globeset's. "Now it is lighter weight."

Mr. Greene, vice president of the SecureWay business unit, placed SET higher along a "risk-cost continuum" than SSL. That can be improved upon only by combining SET with smart cards, as the French banks are doing with Cyber-COMM. When complemented with ECML, there is the opportunity to "facilitate transactions and present a transparent shopping experience," he said.

Bizrate.com, which tracks consumers' Internet preferences, released a survey this week with the Silver Spring, Md., trade group Shop.org in which 58% of 13,000 on-line respondents expressed concern about card-number theft. But only 2% reported experiencing it, and even that small group was undeterred; 94% of them were doing on-line transactions when the survey was being carried out.

One-third of the 13,000 said they were inclined to use only big-name merchants, and 76% said they viewed encrypted transactions as a prerequisite.

"As an industry, we have not witnessed theft of cards," said Shop.org executive director Bob Smith. "We are befuddled by continued consumer beliefs to the contrary."
