SET e-commerce spec ready

The protocol intended to make buying with a credit card as safe on the Net as anywhere else is ready. But some Net merchants still aren't happy.

4 min read
After a delay of nearly six months, the Secure Electronic Transactions protocol is finally finished.

The protocol is supposed to make buying with a credit card on the Net as safe as in the physical world. But on the eve of SET's long-awaited, much-anticipated official publication, Internet merchants are already griping.

Sponsored by Visa and Mastercard, SET has been in the works for nearly two years. The publication of the final specification this weekend will pave the way for the implementation of secure e-commerce applications that automatically process credit card charges for online purchases.

The finalization of SET has long been regarded as an important e-commerce milestone. Formal publication of the protocol can be expected to trigger announcements of new e-commerce trials, including pilot tests from major U.S. banks. Both Visa and MasterCard are already conducting several SET pilots, virtually all of them in Europe, Japan, or Taiwan.

But discussions on an Internet mailing list devoted to the protocol make clear that retailers, whether on the Net or around the corner, aren't in love with their bankers or the two credit card associations backing SET.

"I don't know of single merchant who likes their acquiring bank," said John Pettitt, chief technology officer of CyberSource, which runs the online store software.net. "The whole credit card business is run by banks for the benefit of banks. For merchants, it's a necessary evil."

To address the concerns of Web retailers, Visa, Mastercard, IBM, and other technology firms behind SET are planning to launch next month a "merchant education" campaign with the idea of selling retailers on SET.

Many complaints from retailers have little to do with the SET protocol itself. Rather, the merchants are angry that neither Visa nor Mastercard are providing any financial incentives to merchants who move transactions to the Internet, incentives such as lower rates for Internet card purchases. The merchants argue that the new e-commerce systems will require a significant investment on their parts and that the credit card companies should help out.

"The costs associated with distributing certificates, educating consumers, distributing SET-compliant software, and modifying existing legacy systems is not trivial," said Jeff Irby, vice president of sales and marketing for CyberCash, an Internet payments firm. "My guess is that it will cost the industry billions of dollars to convert to SET worldwide."

Visa predicts that commercial applications that rely on SET will be available by August or September and should be widespread in the United States by mid-1998. But a lot of infrastructure work remains to be done before SET is widely used: software for buyers, sellers, and banks must be reworked, certified, approved for export, and distributed.

"Merchants must change their business practices in order to adopt SET," said Dick Brooks, CTO of Group 8760, a security software firm. "SET is a lot more complicated to use than any of the existing alternatives."

For just one example, Web merchants and the banks that process credit card charges must all get "digital certificates"--a kind of electronic driver's license that verifies the identity of Net users--and consumers may need them too. That means "certificate authorities" like Verisign, Entrust, and GTE CyberTrust must be ready to issue and keep track of millions of digital IDs.

Online merchants have little choice, however. If they want to make users comfortable with the idea of using credit cards to buy things online, they must set up some widely recognized security standard--and, so far, SET is it.

"I'm surprised that anyone here would take a merchant revolt against the card issuers seriously," said Kelly Hall, a programmer with an Internet mall. "That would amount to not accepting credit cards, and that would certainly annoy shoppers. And annoyed shoppers are probably willing to seek out that one merchant who didn't join the revolt."

Many of the e-commerce software vendors are also set on SET, seeing the protocol as a way of jump-starting software sales. IBM, for example, has launched TV ads to promote its e-commerce software, which will be fully SET-compliant by September. Big Blue hopes that many online merchants will establish their new systems by this year's holiday shopping season.

Having significant SET consumer purchases this year "is possible and achievable technically," said Mark Green, vice president of Internet payments for IBM. Green thinks that e-commerce vendors will set aside their disagreements with the credit card companies. "SET reduces fraud. Anything that is a fraud reducer is good for everyone."

The SET specification still isn't set in stone. SET 2.0 is likely to add support for smart cards, electronic cash, and additional encryption methods.