1997 -- ComputerWorld workup on SET protocol

SET followup teaser BY BILL DENSMORE

Posted June 30, 1997 on ComputerWorld website

Will you use your credit card on the World Wide Web? IBM wants to make
sure the answer is "yes."

IBM ran a TV ad during the NBA playoffs that shows three men
discussing how one of them had just purchased something on the Web. A
woman walks in and expresses dismay about a credit card being used
across the Internet. But it's OK, the youngest man says -- his
merchant uses the Secure Electronic Transaction (SET) protocol.

While the ad doesn't delve into its specifics, the SET protocol is
essentially a set of written standards that describes how credit-card
associations, banks, merchants and consumers should implement
credit-card transactions across the Web (see related SET tutorial).

The first officially sanctioned version of SET-enabled transaction
software, written by Terisa Systems, Inc. (now owned by smart card
maker Spyrus), became available June 1. It was born of a
coast-to-coast collaboration among financial titans: Visa
International, Microsoft Corp., IBM, Netscape Communications Corp. and
MasterCard International.

Neither did the ad explain that SET will eventually require online
credit-card users to possess a new form of identification called a
"digital certificate," an electronic identity vouched for by a trusted
third party such as a bank. The protocol was designed to all but
eliminate the risk that you aren't who you say you are when you
conduct business with banks, legitimate merchants and credit-card
companies on the Internet.

"They tried to make sure that you could do some things in SET that we
take for granted in the ordinary commerce world, like making sure you
can buy something and then return it and unwind the transaction," said
Carl D. Howe, an analyst at Forrester Research, Inc. in Cambridge,

But IBM wasn't trying to explain all that. In fact, if it were up to
IBM and other promulgators of the protocol, SET would become such a
familiar brand name that no one would question what it means. They
would just know that it indicates "trust." To reinforce the brand
notion, the card associations are holding a gala event on July 18 in
San Francisco to unveil a new SET trademark. SET software vendors will
have to have their product certified by an independent authority that
Visa and MasterCard have established and will be required to license
and use the SET trademark if they pass muster.

We're clearly not there yet. In fact, merchants and analysts
don't yet understand how SET benefits anyone but banks and the
credit-card companies, unless banks and card associations lower
transaction fees as a carrot to see it widely adopted. A few merchants
are threatening to announce on July 4 a campaign to bolt from the
card-association fold. And no one is sure yet how SET certificates are
going to get into the hands of consumers to make the system work.
Finally, it is possible that other payment mechanisms will emerge for
settling Internet purchases directly to bank accounts, bypassing
credit cards altogether. And already a debate is brewing over
whether the current version of SET includes a cryptographic engine,
painfully slow on current hardware.

Some analysts actually see SET working at cross-purposes. "SET will
completely backfire, [especially if] you stick it on the TV and tell
[consumers] only SET is secure," said Chris Stevens, an analyst at the
Aberdeen Group in Boston. "Not every [merchant] will work with SET
overnight, so the immediate perception will be that sites without SET
will not be secure."

In fact, Stevens said, the SET originators might have been better off
promoting the Internet as a secure environment and managing the risk,
rather than splitting hairs over security technology, especially since
SET covers only a small piece of the whole security picture: "It only
covers consumer-to-merchant [commerce]," Stevens said. "The real
problem with security is that there's too much, not too little. There
are too many competing standards."

SET's supporters say the protocol's technology basis is tried and
true, and any bugs will be worked out in trials during the next six
months or so. And anyway, they add, anything that will unite major
financial and business interests around a common standard is vitally
important for that reason alone, whatever its underlying technology.

"The proof of the pudding eventually has to be [whether it is]
interoperable" among vendors, said Steve Mott, senior vice president
in charge of SET implementation at MasterCard. "And that is where we
are certain we still have a lot of work. It's not going to pop out at
the end of nine months as a perfect baby that everyone can be happy
with. Software, particularly Internet software, isn't perfect at

One fact that can't be overlooked is that an estimated $100 million of
Internet commerce was completed in 1996, most of it via credit cards,
without the benefit of SET. This has some businesses wondering why SET
is needed and warning that if the credit-card vendors want to see it
adopted, they are going to have to provide a financial incentive to
merchants and consumers by lowering transaction fees.

The card associations acknowledge that Internet commerce using SET is
aimed at cutting the potential for fraud losses. But they decline to
predict whether this will result in a lower percentage taken out of
each merchant's transaction. Lower transaction fees could also make
credit cards viable for settling smaller transactions, but no one
expects the current credit-card infrastructure to handle so-called
"micropayments," charges of less than $1 for pieces of information or
software a la carte.

"The proper incentives would be a rate structure that is
more favorable for transactions that are SET-compliant," said Tim
Knowlton, Internet merchant-card services manager at Wells Fargo Bank.
"If you look at the history of changes in the credit-card industry,
they are always driven by (changes in rates). We certainly expect that
SET will reduce [merchant] fraud."

From a technical standpoint, SET is unnecessary, according to some
analysts and merchants. They say the Internet browser protocol Secure
Sockets Layer (SSL), combined with existing forms of user
authentication, may be adequate. SSL already encrypts credit-card
numbers sent across the Internet to a merchant.

But SET goes a step further. It hides the credit-card number from the
merchant who is accepting it, forwarding it only to the issuing bank
for authorization of the charge. Thus the value of SET is that it
eliminates a potential human source of fraud at the merchant level.
"The goal of SET is to have the risk of an Internet transaction become
equal to a card-present transaction," said Cathy J. Medich, Internet
commerce marketing director at VeriFone, Inc. and a former executive
director at CommerceNet, an industrywide consortium.

At the same time, "merchants would rather sell something using SSL at
a higher discount rather than lose a sale because the customer wasn't
SET-enabled," said an executive at a key credit-card processor who
requested anonymity.

Executives at LitleNet LLC, a Lowell, Mass.-based electronic
clearinghouse, said they're finding that merchants are more interested
in SSL than SET. And John McCombie, technical leader for LitleNet's
Internet commerce solutions, said he is reluctant to invest
engineering time in SET because the standard is still evolving.

"We're not going into the SET thing yet," agreed Shital Anagol, senior
software engineer at OnSale, Inc., an Internet-based hardware auction
business. OnSale uses credit-card processing services from CyberCash,
Inc., which uses SSL encryption. "I think the only thing that will
come out of it is standards."

Rob Reesor, senior software engineer at Virtual Vineyards, a Palo
Alto, Calif., Web-based wine merchant, added, "We're seeing it as
something that will definitely come into play down the road a bit. We
would like to have something that is standard."

Perhaps a bigger issue is getting digital certificates into the hands
of users. SET, which is largely a protocol for consumers and perhaps
for employee-purchasing cards, will require a user to possess such a

"Using certificates with SET is going to delay its acceptance because
it assumes that people will be interested in getting these
certificates," said Stan LePeak, a vice president at Meta Group, Inc.
in Stamford, Conn.

Some experts say that future versions of Internet browsers
sold or distributed by Microsoft and Netscape will include software
that permits the program's owner to connect to a bank or other Web
site and download a SET certificate after providing the required
identification. Or banks may simply permit downloading of the
certificate-generating software from their Web sites. "The software
will be distributed, we believe, directly by software vendors and can
be distributed by banks as well," said Stephen M. Herz, senior vice
president of Internet commerce at Visa.

So far, the only entity that is mass-marketing the sale of digital
certificates (SET and non-SET) is VeriSign, Inc., which said it had
issued 750,000 certificates by the end of April. But VeriSign's
certificates are intended more for proof of identity than proof of
financial responsibility.

If banks jump on the SET bandwagon, they could set up customers to
download SET certificates to their home computers. But until that
happens, merchants may want to press ahead with SSL-secured

Putting aside the question of whether SET is needed, vendors are
beginning to offer it in the marketplace. On April 9, IBM unveiled
what it said was the industry's first SET-enabled merchant server,
Net.Commerce Version 2.0. In late April, the first cross-border
SET-based transaction was carried out between the charge-card company
Europay Norway and Denmark's PBS to order an airline ticket from
Norway's Braathen Safe airline. IBM provided the technology.

Early users of Net.Commerce will include Brel, Dai Nippon Printing
Co., L. L. Bean, Hoffmaster, the Danish Payment Systems (PBS), Ingram
Micro, United Parcel Service, Inc., Borders Books & Music and Arena di
Verona, IBM said.

IBM is also providing SET technologies to the e-Comm group, a
consortium of leading French banks and Visa International. And
approximately 100,000 customers of Japan's Fuji Bank are scheduled to
try out their debit cards through 1998 in a pilot using IBM's server
and digital certificate technologies. The Fuji test is unique because
it involves IBM designing an extension of the SET protocol for
PIN-based card transactions.

IBM's early lead in the SET software prototyping sweepstakes may soon
start to erode, however. In a one-two punch, Hewlett-Packard Co.
announced in May it would purchase VeriFone, a vendor of electronic
payment software, and a week later said it would align nonexclusively
with Microsoft to sell end-to-end electronic commerce systems to banks
based on the SET protocol. It announced prototype efforts with Bank of
America and Sumitomo Bank, among others. VeriFone's Medich said HP
will focus on linking bank legacy systems to VeriFone payment
software. Banks will get an end-to-end system for $600,000 to
$800,000, Medich said.

VeriFone, which makes the gray point-of-purchase "swipe"
terminals that millions of merchants use, is working hard to come up
with new products that will also enable digital commerce. These
include a "personal" automated teller machine (ATM) that would allow
consumers to load "cash" onto their smart card from home. HP is
aggressively moving to install smart card readers on computers it

Also entering the SET gateway software sweepstakes is Austin,
Texas-based GlobeSet, Inc., which is behind a test site launched by
Wal-Mart Corp. on June 2 in cooperation with American Express Co. and
GTE Service Corp. First Virtual Holdings, Inc., the first
micropayments vendor on the World Wide Web, said June 2 it will
incorporate SET as an option in its payment system.

From another corner of the world, South African-based BankGate Team
has developed a SET 1.0 system that bears an important distinction:
It's free.

Rather than merchants and banks making a significant capital outlay,
BankGate will customize, install and maintain the product for each
institution at no cost. Instead, customers pay a transaction fee. The
system includes four components: a certification authority, wallet
software, a merchant server and a payment gateway.

In terms of pilots, MasterCard said it knows of 22 planned SET pilots
in 11 countries. Visa is collaborating on some of those and also has a
pilot with 30 banks involving much of the European marketplace. It has
other tests running or ready to run in Singapore, Taiwan and Japan.
But as of June, only one U.S. bank had announced involvement in a SET
pilot. The Chase Manhattan Bank NA and Wal-Mart are enabling selected
employees to purchase merchandise from Wal-Mart Online using a
SET-enabled Wal-Mart Chase MasterCard. IBM is providing many
components of its CommercePoint payment software, while First Data
Corp., an electronic payment processing vendor, will provide
credit-card processing services. Later this summer, the initiative
will be expanded to Chase, First Data and Wal-Mart customers.

As for the scarcity of announced U.S. pilots, the card associations
say U.S. banks are just more secure in their markets, more willing to
take a wait-and-see attitude on new technologies and more wary of
making announcements on tests and experiments than their international
counterparts. More skeptical observers theorize that the largest U.S.
banks may be wary that SET will give the card brands a permanent place
in the digital commerce marketplace -- a role that may not be required
if banks can interoperate with one another directly.

The U.S. marketplace is critical not only because of its size but also
because credit/debit cards are so prevalent. In the international
marketplace, so-called "smart" cards are already commercialized, and
the assumption is that electronic transactions will be adopted quickly
in those markets.

"The rollout plans that the banks have is really critical," VeriFone's
Medich said.

One analyst at a major accounting firm said he is watching
Integrion Financial Network, a consortium of 16 U.S. banks and IBM
formed last year with $60 million in capital, to see whether it
emerges with a plan for electronic commerce interoperability.

Integrion has access to half of the U.S. consumer base and 60% to 70%
of merchants, the analyst said. If bank ATM cards, for example, could
be used across the Internet, the need for the credit-card association
as an intermediary would fade.

"A lot comes back in transaction fees to the card associations," the
analyst said. "There is the possibility that electronic commerce
models will kill 20% to 40% of the credit-card associations' revenue
streams. If Integrion can build a model that can do intraconsortium
clearance, they don't have to go into the card associations at all.
They could do clearance at significantly less cost than today."

The card brands hope that Integrion is focused on streamlining
check-processing and electronic data interchange-based payments, not
on the credit-card market. IBM said that is not the case exclusively.
Integrion's board is said to be working on refining its mission, which
has not been clearly articulated in public. In the end, however, banks
appear poised to remain at the heart of the process, either through
their ownership of the card associations or as arbiters of financial
transactions through other intermediaries.

"Is the payment system going to be disintermediated?" asked Ed Jensen,
president of the bank-owned Visa International Services Association,
when asked for his opinion on the idea of nonbank players entering
electronic commerce. "There are lots of people that are speculating
that. I don't think it's even close to a possibility of happening when
you look at the total scale of the payment system. If you want a safe
transaction, you are going to need a certificate from a bank."

Whether or not you believe SET is destined to live a life with
purpose, it is guaranteed a life of importance merely because of the
stature of its parents. The world's credit-card issuers are banking on
the SET protocol to extend their central position in world commerce
onto the Internet, eliminating the threat of merchant fraud and
reassuring consumers. At stake is not so much the future of Internet
commerce but how quickly it materializes and who benefits most

Densmore is a freelance writer in Williamstown, Mass.

