A debate has erupted among developers creating software for secure credit card transactions over whether a server-based electronic "wallet" announced June 15 by GlobeSet complies with the Secure Electronic Transactions (SET) protocol.
But key executives at both Visa and MasterCard, which sponsored SET, say they have no problems with GlobeSet's server-wallet and expect similar products soon from other vendors. A top VeriFone executive disclosed yesterday that his company also is developing a so-called "thin" wallet.
The debate raises issues about speeding the adoption of SET, to which the card companies are heavily committed. SET advocates acknowledge that getting wallet software and digital certificates into the hands of every buyer is the biggest hurdle to widespread use.
The "server wallet" approach stores a consumer's "wallet" and digital certificate, which vouches for the identity of the cardholder, at his or her card issuer's site. But some SET developers argue that undermines the painstaking security measures built into SET.
But that issue isn't bothering MasterCard's Alan Glass, senior vice president of global technology and operations.
"It builds on our model of [card] issuers," said Glass, noting that putting wallets at the issuer's premises fits the risk management practices those issuers already use.
"Others [beyond GlobeSet] will do it too," added Visa's Janet Pruitt, senior vice president for electronic commerce. She noted that VeriFone's George Hoyem, general manager of the Hewlett Packard unit handling SET software, has mentioned development of a "thin wallet."
Questions about the server-based wallet center on having a buyer's wallet and digital ID reside at their issuer's Web site rather than on their own PC.
If the issuer requires buyers to provide only a password and personal identification number (PIN), critics say that would weaken security because digital certificates are regarded as stronger. Others contend it also violates the SET specification.
"The wallet-server architecture achieves 'thinness' by removing all SET security mechanisms from the consumer wallet. In doing so, this approach circumvents the strong identification, authentication and privacy mechanisms that SET was specifically designed to provide," writes a representative of another SET software firm on a mailing list on SET issues.
But even that critic describes GlobeSet's server-based wallet as "an honest attempt" to address the burden SET places on consumers in configuring a SET wallet.
In response, Hans-Rudolf Thomann, who describes himself as the responsible business manager for a Swiss SET operation that uses GlobeSet software, writes: "Our company is thrilled by this idea, and we will thoroughly investigate it. However, we will not deviate from the standard SET path."
Thomann underscored the attractiveness of the wallet-server approach and the need to advance SET deployment, while adding that "any 'improvement' of SET must be as least as secure."
GlobeSet argues that its thin wallet--which requires a consumer to download only a 50 kilobyte file, not the 4 megabytes of an average SET wallet--will boost deployment and simplify customer support for banks and card issuers.
"This gets rid of the major infrastructural barrier," GlobeSet chief executive Michael Cation said last week. "You can sum it up in one word: deployment. This addresses the deployment issue for the buyer."