Does your company need a new technology for over-the-Internet credit card transactions when the old one has been working just fine?
Is it possible to discover–buried within the hype, the criticisms, the dashed expectations, and the mind-boggling complexity–a glimmer of a business case for Secure Electronic Transaction technology?
The answer is yes. And there is more than a glimmer. The SET specification for credit card payments over the Internet, though cumbersome and slow to arrive, promises to reduce costs for merchants, increase security, and allow merchants to expand into vast new markets.
In comparison with the Secure Sockets Layer (SSL) specification, which is already in wide use, SET offers more privacy for the consumer and is better suited to the three-way interaction of consumer, merchant, and payment processor in a typical credit card transaction.
Thousands of banks, credit card processors, and retail merchants hope SET will make the Internet a secure shopping mall for millions of consumers.
One bank that is already committed to SET is New York City-based Chase Manhattan (http://www.chase.com), which conducted a modest first pilot test of the protocol last year and thinks highly enough of SET to plan a second test for later this year. The new test will involve a thousand customers, up to a dozen merchants, and more than one bank.
But Chase’s first experience with SET illustrates why the technology has so many critics. For one thing, the early products from competing vendors didn’t all work together. More work is needed on the infrastructure. Devising policies for certifying the identities of cardholders turned out to be trickier than expected. And customer service is a minefield. It all adds up to a bigger price tag than anticipated. Leslie Wollin, Chase vice president for cardholder services, says the experience with SET “was much harder than we thought.” Wollin won’t divulge Chase’s preliminary figures, but says SET will cost “a lot more” than expected.
The interoperability problem
From Chase’s perspective, the advantages of SET aren’t worth much if the products don’t work together. “If it doesn’t work the first time for the consumer, he’ll give up,” Wollin says. In its first pilot test using the SET prototype, Chase armed 25 bank employees with IBM “electronic wallets”–software containing card information that resides on the customers’ computers–and had employees make purchases with the cobranded Chase-Wal-Mart MasterCard. Chase served as the digital certificate authority (DCA), verifying the parties’ identities via IBM technology. Wal-Mart was the merchant, using gateway software from Austin, Texas-based SET vendor GlobeSet. Chase Merchant Services, a joint venture of Chase and processing-services provider First Data Corp., was the acquirer, using an IBM gateway. An acquirer is a bank or processor that accepts and processes a payment, thereby taking on a certain level of risk in the transaction.
Even with these few components, “we found that SET compliance doesn’t make you interoperable,” Wollin says.
There have been interoperability advances since the Chase pilot. The two largest SET vendors, IBM and Hewlett-Packard’s VeriFone subsidiary, have been making their wallets and gateways interoperable. They’re publishing the results so other vendors can take advantage of the findings. Alan Glass, an electronic-commerce executive at MasterCard (http://wwww.mastercard.com), also reports that IBM wallets and certificates, a merchant server from GlobeSet, and merchant certificates from GTE worked together in a pilot at NationsBank in Charlotte, N.C.
Wollin says the Chase pilot raised thorny nontechnical issues, too, such as: What happens when a customer finds that the Chase-issued wallet and certificate don’t work, and calls customer service? The problem could be in the wallet, the merchant’s gateway, or the acquirer’s gateway. It might not even be a problem with SET; it might be a problem with the user modem or the server at the Internet service provider (ISP). But “the bank can’t say, ‘It’s not our problem,'” if it expects the customer to use SET, says Wollin. “We don’t have the mechanism or capability to solve this one yet.”
Parker Foley, vice president of electronic commerce at First Union, believes customer service will be a headache.
Others agreed. First Union Corp., a bank-holding company based in Charlotte, N.C., has participated in pilot tests with IBM, Nova Information Systems, Open Market, and Visa. Parker Foley, vice president of electronic commerce at First Union, believes customer service will be a headache. “Do you let the wallet providers provide the customer support, or do you train your own people?” he asks. First Union call center staff, he adds, know a lot about accounts, but nothing about modems, software, or any of the other problems that could arise in a SET transaction.
Other pilot-testers, including American Express (http://www.americanexpress.com), First Data Corp. (http://www.firstdatacorp.com), First Union Corp. (http://www.firstunion.com), Mellon Bank (http://www.mellon.com), and Wal-Mart (http://www.wal-mart.com) also remain publicly committed to SET, but report problems similar to those at Chase. More than two years after arch-rivals Visa International and MasterCard International united to create SET, it is clear that marrying the Internet to the legacy credit card back end is a lot tougher than many anticipated. “Our expectations were unrealistic,” admits Stephen Herz, Visa’s senior vice president for electronic commerce.
Visa (http://www.visa.com) and MasterCard were working on competing specifications until a little more than two years ago, when they joined forces and brought together experts from IBM, Microsoft, Netscape, RSA Security Dynamics, VeriFone, VeriSign, and many other companies to devise SET as a universal protocol. The prototype was finished a year ago, and version 1.0 was ready last summer. Pilot tests of products based on the spec began immediately. MasterCard alone has 82 pilots in 32 countries, including one in the U.S. involving 100,000 cardholders and hundreds of merchants. Cardholder wallets, merchant gateways, acquirer gateways, and digital certificates from dozens of vendors have been submitted for compliance testing to SETCo, an independent body set up by American Express, MasterCard, Visa, and others to manage SET.
But pilot tests aren’t implementations; some credit card association executives had made early optimistic predictions that SET implementations would be rolled out by now.
The case for SET
The pitch for SET goes like this: Today’s Internet shoppers are early adopters who are comfortable with computers. Everyone else remains uneasy about credit card security. The estimated $2 billion in retail purchases over the Web last year was puny compared with the $20 billion some analysts expect within five years. If the fraudsters aren’t hacking and spoofing now, wait until $20 billion is at stake. To paraphrase bank robber Willie Sutton: Fraudsters will hit the Internet when the money is there.
The Internet is already big business: By most estimates, the number of purchases made over the Internet tripled between Christmas 1996 and Christmas 1997. But for retailing on the Internet to soar, every party to the credit card transaction needs an acceptably low level of risk. The problem is that one transaction can involve up to six parties: cardholder, merchant, cardholder’s bank, merchant’s bank, a back-end processor, and a DCA, the organization that certifies the parties’ identities. Credit card holders want to know they’re doing business with a real merchant and that their card numbers won’t be stolen. Merchants want to know the cardholder is authentic and that they won’t have to eat the cost later because the real cardholder repudiates the charge. Card-issuing banks, merchant banks, and back-end processors need a DCA to have reassurance that merchants, cardholders, and other banks are legitimate.
Many experts agree that SSL has limited capability to protect credit card transactions. All it does is keep a third party from viewing information shared between a browser and a server.
“SSL is not set up for a multiparty interaction,” says Cheryl Ball, senior director at Newton, Mass.-based Business Research Group (BRG) and author of a report on SET (http://www.brgresearch.com). SET not only satisfies the security needs of all, it “allows for greater privacy than an in-person or phone transaction,” she says. “The merchant need never see the credit card information, and the provider need never see the order information.”
So despite the problems with SET, many industry analysts feel the juggernaut can’t be stopped. “There are 10 reasons why it can’t happen, and one big reason why it will,” observes Scott Smith, a critic of SET and an analyst at Current Analysis, a market research firm based in Vienna, Va. He argues that the security-conscious credit card associations and their key banks need SET, whether it’s excessive or not, before they fully embrace credit card payments over the Internet.
MasterCard’s Glass puts the reasoning behind SET this way: “We have developed the SET protocol to ensure that consumers, merchants, and banks have a safe and secure way to shop on line. While this may make the protocol a bit more cumbersome than today’s transactions, we believe that as electronic commerce expands, authentication and strong encryption are absolutely necessary to make people comfortable with on-line shopping.”
There’s wide agreement that the card associations must provide incentives to banks, acquirers, and especially merchants. Both card associations have indicated they will treat SET transactions as though customers were using credit cards in stores. That qualifies SET for the lowest transaction fees a merchant can pay. The associations charge higher rates for transactions over the phone, which also apply to SSL. Many believe the lower transaction rates will drive SET’s adoption. “The cost savings could be of great importance, especially to smaller merchants,” says Robert Davis, strategy manager for electronic retail at Wal-Mart.
Compared with the 20 years it took to establish ATM cards, SET is on the fast track. Expect the early adopters–big card-issuing banks, big credit card processors, and the most Internet-savvy retailers–to continue to pour money into improving SET and rolling it out, perhaps by early 1999, with wider adoption over the following three years. A retail company or bank whose future business strategy includes the Internet might not want to be among the first adopters, but neither will it want to be last.
A waste of time?
Many critics, including a few within the credit card industry, argue that SET is too late to matter because SSL is already in wide use. “SET’s a giant waste of time,” says an executive who requested anonymity because his company is publicly committed to SET. He cites SET’s complexity and the improbable economics and logistics of rolling it out. In addition, most managers appear less concerned about security on the Internet these days (see chart, “What a difference a year makes”).
A handful of retailers have already completed hundreds of thousands, perhaps millions, of credit card transactions protected by SSL, and no major breaches have occurred. “I haven’t heard any really compelling arguments that SET is better enough to spend money on,” says Richard Bell, an analyst at the Tower Group in Newton, Mass. “I think it’s a tough sell.”
Few big pilot tests have been done, so the performance requirements are largely unknown. Because SET requires eight to 12 cryptographic computations, one transaction currently takes up to 90 seconds–a very long time in a retail store during the holiday rush. Hardware accelerators from Tandem’s Atalla subsidiary, Rainbow Technologies, and others will speed that up. Sleeker cryptographic algorithms eventually may streamline the process. But for now, no one knows what SET will do to an acquirer’s gateway when it’s hammered by thousands of transactions at once. Because of these unresolved performance issues, no one can accurately predict the cost of SET implementations.
For SET, the biggest nontechnical issue is how and when to roll out wallets and digital certificates to cardholders, and digital certificates to merchants. No one offers a convincing scenario. Chase’s Wollin believes it will be evolutionary. “You’ll have a couple of banks, a couple of merchants, and then it will snowball,” she says.
Wal-Mart is ready for the snowball. “We’re trying to keep in tune with the issuing community and make sure that we’re there when the certificates are out,” says Davis. He says consumers must have SET wallets and certificates first, then merchants will offer the SET option.
The company also participated in a pilot test with American Express. Davis says interoperability is Wal-Mart’s No. 1 concern, but declined to discuss specifics. The pilots were both small, with handpicked employees as customers. Now that Wal-Mart is finished with the pilot test, the next move is to go live, but Davis declines to speculate on when that might be.
Wal-Mart already sells over the Internet using SSL. Even after SET rolls out, Wal-Mart won’t discontinue that option. “We’re very optimistic that SET will gain popularity,” Davis says, “but we would continue to support SSL for anyone who wants to use it.” VeriFone, GlobeSet, and other vendors are starting to offer merchant gateways that accept both SSL and SET transactions, which the vendors believe will put in place a critical mass of merchant SET gateways ready to go whenever consumers are armed.
Davis is among those who think there’s a business case for SET. “We’re optimistic that electronic retailing is going to continue to grow,” Davis says. The card associations predict that Internet commerce will get stronger, that SET transactions will be cheaper for the merchant, and that the Web opens new markets.
“While today, merchants almost never ship to some overseas markets because of the lack of ability to verify identity and receipt of goods, SET will open up those new markets,” says MasterCard’s Glass. Paymentech, the third-largest credit card processor, reports that many of its mail-order merchants are already asking when SET will be ready.
The critics are surely right about one thing: SET isn’t exactly taking over with lightning speed. Keep in mind that the biggest companies involved are not among the new breed of fast-paced Internet developers. Still, the credit card associations can only blame themselves for the sniping. “It was a mistake by the associations to raise people’s expectations that it would be done so soon,” says Allan Schiffman, chief technology officer of Stateline, Nev.-based Spyrus, a developer of various cryptographic products.
Schiffman, a member of the team that created SET, says: “Deploying a new security specification on a global scale is really, really hard.” //
Bill Roberts, a freelance writer based in Los Altos, Calif., covers technology, business, and electronic commerce. He can be reached at email@example.com.
Will Boeing go shopping with a credit card?
Is there a place for the Secure Electronic Transaction (SET) specification in business-to-business electronic commerce? Mellon Bank and others think so.
Mellon, American Express, and the credit card associations are issuing corporate purchasing cards, which will need some form of authentication before they can be used on the Internet. “SET makes sense in that context for the authentication piece,” says Tom Butler, first vice president of Mellon Network Services at Mellon Bank, based in Pittsburgh.
But most corporate purchasing takes place with funds transfers or checks, and corporations don’t need the authentication that SET offers because big sales tend to be pre-authorized. Richard Bell, an analyst at the Tower Group in Newton, Mass., says: “Boeing doesn’t buy jet turbines from General Electric with a credit card.”
Still, companies like Office Depot are pilot-testing the Open Buying on the Internet (OBI) protocol, which effectively replaces the expensive custom EDI systems now in use for material, resources, and operations (MRO) purchasing. The current version of OBI uses SSL to secure transmissions and can be extended to SET when that specification is ready, says Pete Rawlinson, director of product management for Intelisys Electronic Commerce LLC, an OBI vendor.
PROFIT & VALUE
SSL vs. SET: Private lives
|Secure Electronic Transaction
What it does:
Authenticate: Lets Web-enabled browsers and servers authenticate each other;
Limits access: Permits controlled access to servers, directories, files, and services;
Shares information: Lets information be shared by browsers and servers while remaining inaccessible to third parties; and
Protects data: Ensures that exchanged data cannot be corrupted without detection.
What it does:
Digital certificate: Requires parties–cardholder, merchant, bank, and anyone else involved–to obtain a digital certificate;
Authenticate: Requires a certificate authority to authenticate all parties in the transaction;
Electronic wallet: Lets customers keep credit card information in software called an “electronic wallet” on their computers;
Limits merchant’s access: Gives merchants no access to credit card information, making SET safer than in-person or phone transactions;
Limits access: Gives the credit card issuer no access to order information, maintaining the customer’s privacy;
Immediate verification: Gives a merchant immediate verification of credit availability and customer authenticity, allowing it to fulfill orders without the risk that the transaction will become invalid;
Stronger encryption: Encrypts order and credit card information separately. The card information is of fixed length, so this lets SET use stronger encryption for the card information because Department of State restrictions focus on bulk cryptography.
|Secure Electronic Transaction
How it works:
SSL uses public-key encryption and digital certificates to set up the interaction and verify that the parties are who they say they are. Then it uses special session keys to encrypt the data being transmitted. Public-key cryptography uses a pair of asymmetric keys, public and private, for encryption and decryption. The digital certificates (issued by a certificate authority) are used to verify that the key pairs belong to a particular entity. Session keys perform the cryptographic work for the data exchange.
How it works:
When a customer wishes to make a purchase, the order information is encrypted via the customer’s private encryption key and sent to the merchant, while the credit card information is also encrypted and sent to the card issuer, all accompanied by a unique digital signature. The merchant and card issuer decrypt the information using the customer’s public key, allowing them to verify its authenticity and complete the transaction.
|Secure Electronic Transaction
Shallow encryption: SSL can use only relatively shallow encryption (40-bit internationally, 128-bit in the U.S.), due to Department of State restrictions.
Only point-to-point transactions: SSL handles only point-to-point interaction. Credit card transactions involve at least three parties: the consumer, the merchant, and the card issuer.
Risks: With SSL, consumers run the risk that a merchant may expose their credit card numbers on its server, and merchants run the risk that a consumer’s card number is fraudulent or that the credit card won’t be approved.
Rollout: Rollout has been slow.
Lack of testing: Interoperability among SET implementations is only now being tested.
Slow adoption: Consumers may be slow to implement electronic wallets.
|Source: BRG Research (http://www.brgresearch.com)