The SET standard intended to guard credit card numbers traveling over the Internet from hackers and unscrupulous merchants isn't yet set, and won't be until mid-1997, according to backers of the standard.
SET, which stands for Secure Electronic Transactions, is a protocol being developed for Visa and MasterCard that's designed to assure card issuers and buyers alike that credit card data can be transmitted securely over the Net.
The standard was originally due this month. Now, Web merchants, instead of greeting hordes of Christmas shoppers at their sites this season, now must wait until the latter half of next year for card-carrying buyers to make purchases in a manner approved by their card company. Visa and MasterCard still advise cardholders it's not safe to send their credit card data across the Net, although many do anyway.
Tony Lewis, Visa's chief systems architect for Internet commerce, says SET won't be finalized until the second quarter of 1997, with secure transactions in the third quarter.
The existing version of the standard, however, is finished enough to start pilot testing. Using the August version of the draft SET protocol, IBM, MasterCard and Danish Payment Systems (known as PBS) said yesterday they completed the first Internet credit card transaction using only SET. (Other vendors have used a combination of SET and Secure Sockets Layer security, but Monday's demonstration of an online purchase of a book used only SET.)
Scott Dueweke, IBM's marketing manager for electronic payments and certification, said he regards the existing version of SET to be safe enough for a pilot project scheduled to begin next month in Denmark that will involve three merchants and 500 to 1,000 customers. Visa is planning a major pilot test involving 38 Visa European banks and thousands of consumers and a second pilot program in Singapore, both to begin in the first three months of 1997.
Despite the pilots, the delay in the finalization of the standard is still being labeled "the SET setback" by the Yankee Group, but it seems to surprise almost no one.
"A total SET infrastructure is not likely to be in place before 1998," said Scott Smith, electronic commerce analyst at Jupiter Communications, a consulting and research firm.
As 1996 began, Visa and MasterCard were at loggerheads over a standard for sending credit card numbers over the Internet. Visa, allied with Microsoft, backed one approach, while MasterCard, Netscape, and others pushed another.
D?tente was reached under pressure from the card associations' member banks, and vendors agreed on a unified approach. When peace was declared February 1, both sides predicted SET would make the Net safe for cardholders in the fourth quarter this year.
That timetable may never have been realistic. More than 3,000 comments were received after the initial draft was published in February. A revised version was published in June but had a bug, so it was reissued in August.
Of course, many buyers already send their credit card data over the Net to buy stuff. Usually they use a Secure Sockets Layer (SSL) connection, which secures the pathway through which they send their credit card data. SET would secure the data, too.
But finalizing SET may prove to be the easy part; after all, a half-dozen vendors are already testing implementations of the August protocol, and they'll update their software once the standard is finalized. They include IBM, VeriFone, RSA Data Security, and Terisa Systems, which is doing a reference implementation for Visa and MasterCard.
Implementing SET requires buyers, merchants, and payment processors to get "digital certificates," which verify the identity of each party in a transaction. These digital IDs are issued by "certification authorities," and the CA infrastructure is just beginning to fall into place.
Several CAs have set up operations or will do so shortly: VeriSign, GTE's CyberTrust, Nortel's Entrust, IBM's World Registry, and the U..S. Postal Service. But individual issuers of bank cards also will issue digital IDs for their customers, and few of those financial institutions are ready to do that yet.
Merchants must have digital IDs and SET-compliant software to handle credit card transactions. A Netcraft survey of Web sites, created for O'Reilly & Associates and released this month, found that just 3,239 of 648,613 Web sites checked were both secure and had digital IDs.
The card companies, through its testing partner SAIC, began testing early versions of SET code this month, according to Steve Herz, Visa's senior vice president of electronic commerce. Implementing SET depends on how quickly vendors complete their applications, he said, but Terisa says it delivered first versions of its code in October.
Torrey Byles, e-commerce analyst at Giga Group, calls SET a "bellwether" protocol. "For the right people to say it's secure means it better be really secure," he said.
"For the banks to buy in, for a card association to get comfortable with the protocol, it better limit the liability they're exposed to. When you talk about financial institutions, comfort is a very important factor."
In that sense, SET is more about making Visa, MasterCard, and their bank card issuers comfortable than swaying consumers. The biggest concern regarding SET's delay is that "it will take longer to get the message to consumers that it's safe to use the Net," said David Weisman of Forrester Research. But once SET is finalized, many observers expect the card companies to promote the Net vigorously.
Indeed, SET will make the Net even safer than the real world for using charge cards because it will virtually eliminate one major source of credit card losses: merchant fraud. Under SET, Web merchants will never see the credit card numbers of their buyers, nor will those numbers be stored on any Web servers where hackers might get at them.
"Working with digital certificates is a very new technology; then there's how to work out the logistics," Weisman added. "This is a big endeavor. I'm not surprised they couldn't meet the ambitious time frame."