Visa Delicately Gives Hook to SET Standard

Amid the hubbub of the Visa-MasterCard antitrust trial, the world paid little or no attention to the fact that Visa on Monday officially gave up trying to implement SET, the Secure Electronic Transaction specification for Internet payments, in the United States.

Part of the reason for the collective yawn may have been an opaquely worded press release ("Visa International Launches Secure E-Commerce Initiative") that disguised what the card association has actually done. Acknowledging that the U.S. merchant community has no use for the foolproof but cumbersome SET standard, Visa has come up with some alternative standards based on SSL, the Secure Sockets Layer protocol that everyone here uses.

One of the new offerings, called 3-Domain SSL or 3-D SSL, is meant to be a better way for merchants to authenticate shoppers online and thus reduce chargebacks from fraudulent or disputed transactions.

A separate offering is described as a way that Internet merchants can protect cardholder account data better.

Unlike SET, which takes a good deal of work to use, these enhanced safeguards can be installed largely by downloading software from the Internet. Unlike SET, they do not require that each cardholder get a digital certificate.

"What we have done is vastly reduce the work that merchants and banks have to do to get to a level of authenticated payment," said Philip Yen, executive vice president at Visa and head of its Internet and access channels group.

Moreover, banks and merchants can pick and choose from the graduated Visa offerings, which span progressive levels of security and require correspondingly different efforts to implement.

For example, under 3-D SSL, banks could continue to let people identify themselves by typing in passwords or could migrate to chip cards or digital certificates. "Instead of having to distribute certificates to every single cardholder, the bank can issue only one certificate and put in a mechanism to authenticate the consumer" through that blanket certificate, Mr. Yen said.

Though the United States has shrugged at SET, the specification is used in Europe, Latin America, and some Asia-Pacific countries. The strong SSL infrastructure that had been built up here was lacking there, as was the address verification system for credit card transactions that is built in to Visa's U.S. network.

Even so, as part of its new package, Visa has trotted out a scaled-down version of SET called 3-D SET. Mr. Yen said this approach permits server storage of digital certificates, obviating SET certificates and SET wallets on the personal computers of all cardholders.

Visa says it was trying to recognize U.S. resistance to SET while also addressing the heavy chargeback problem for online transactions. In the chargeback records it keeps, Visa recently was able to separate Internet transactions from other transactions in the mail order/telephone order category. The Internet chargeback rate was found to be the highest of all. SET had been meant to address this.

"What we're coming to realize is that instead of trying to force the whole world to come to the same place, we should listen to the market," Mr. Yen said. While there is "quite a bit of investment" in SET in other parts of the world, he said, "we recognize that because merchants have moved ahead in the U.S. and more of them have gone into e-commerce with investments already, it is a lot more difficult to ask all participants to adopt SET."

SSL is a consumer protection. It encrypts the card number, and as long as a merchant's firewalls are strong, the consumer remains protected. But "the person who needs protection is the merchant, and SSL does not afford the merchant any recognizable degree of protection," said Theodore Iacobuzio, senior analyst at TowerGroup, a technology consulting firm in Needham, Mass. "If Visa is coming out with this product now, my suspicion is they've been hearing from the merchants and the acquiring side that more protection is needed."

Because 3-D SSL is an authentication mechanism that does not address the data protection aspect of SET, Visa is also providing tools for merchants who want to keep consumer account data off their Web sites. Not all merchants want this.

"In the U.S., a lot of merchants use the account data for internal systems for consumers to do business with them - concepts like One-Click - and we believe there may be many cases where there might be quite a bit of burden on the merchants to change systems in order not to be able to use the cardholder number," said Mr. Yen of Visa.

"The issue here is not getting data away from the merchants, but finding ways to help merchants better protect the data" from hackers.

Visa is setting up a Web site, to be ready in August, that will offer what it calls a "self-certification tool" for data security. Merchants will be able to "dial in to the site to check on the security of their Web sites," said a Visa spokeswoman. "It will help them understand how vulnerable they are to hacking." The site will also have Visa-approved vendors of firewalls and other security features.

Whether the easier-to-use and more relaxed safeguards will prove popular will remain to be seen. Another question is whether - if U.S. banks and merchants do embrace the Visa system - it will serve as a stepping-stone to a full-blown implementation of SET in this country, which might help international e-commerce.

"What Visa is trying to achieve is a simpler solution that issuers can roll out to their cardholders, but all the problems that hampered SET are still going to be somewhere hidden in the background," said George Burne, chief technology officer at Trintech Group, a company in San Mateo, Calif., that makes SET-compliant payment network products. "The real challenge is for issuers and acquirers and merchants to get all this stuff installed and up and running."

Mr. Burne said 3-D SSL gives merchants "an extra piece, which is basically a signed message from the issuer saying he has had a look at the transaction and he is willing to stand over it. Today, what happens is if you type your number in, the merchant guesses the number is right. The merchant is taking it on spec that you didn't pull a receipt out of a dustbin in a restaurant."

The drawback, Mr. Burne said, is that "the merchant has to install software on his side, and that's what slows down new standards like this. Basically, everybody has to do something" to get Visa's proposed system up and running.

3-D SET is available, Mr. Yen said, and there will be a "rather significant implementation" of it this fall in Europe. A pilot of 3-D SSL will commence this summer with undisclosed merchants and banks, he said.

Though Visa collaborated with MasterCard on SET, MasterCard was not involved this time. But Mr. Yen stressed that all the tools adhere to open standards, and the idea is "definitely not to have a Visa-only approach." He said Visa has alerted MasterCard, American Express Co., JCB, and other members of SETCo, the Visa/MasterCard offshoot that certifies compliance with the SET standard. "We're trying to make this a general industry solution," Mr. Yen said.

The announcement of these security measures fell less than a week into the antitrust trial that the Department of Justice has forced against Visa and MasterCard, and both companies have been releasing business-as-usual-type announcements during the proceedings. Mr. Yen - who is named on Visa's list of potential trial witnesses - said the measures have been long in the making, and that Visa International's board of directors just approved them at its last meeting, which is why they were introduced now.

"It was timed to the Visa internal working agenda," he said. "To be honest, I hadn't really given it a thought as to the DOJ."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER