PROMISES, PROMISES What ever happened to SET?

By Nikki Goth Itoi

Two long years ago, Visa and MasterCard and a consortium of 11 technology companies made a promise to banks, merchants, and consumers: they would make the Internet safe for credit card transactions and send electronic commerce revenues skyward. With great fanfare, they introduced the Secure Electronic Transaction protocol for processing online credit card purchases.

Today, SET's standard-bearers are more subdued. Their work is nowhere near complete. SET remains riddled with technical difficulties, and merchants are largely uninterested in implementing systems that are more expensive and complicated than the security software already in most browsers, which supports the Secure Sockets Layer (SSL) standard.

Despite SET's problems, the credit card companies and banks are determined to push it to market this year. They need SET to protect their slice of revenue in e-commerce transactions. And SET supporters--technology companies like GTE, IBM, Microsoft, Netscape, RSA Data Security (Security Dynamics), Science Applications International, Terisa Systems, and VeriSign--are ready to move beyond pilot programs and begin full-scale marketing and implementation efforts.

Safe passage The SET protocol addresses all the parties involved in typical credit card transactions: consumers, merchants, and banks. SET consists of a client-side software program that functions as a digital wallet for consumers, a merchant server that acts as a storefront, a payment gateway for the acquiring bank, and a digital certificate authority that encrypts the transaction and credit card information and verifies the identity of the user. The digital certificate makes SET more secure than SSL, which effectively secures the pipes through which transaction information travels but cannot verify that credit card users are who they say they are. SET will be able to provide even greater security and portability once it is integrated with smart card technology.

"If SET is adopted as a standard, everyone wins," says Steve Herz, Visa's senior vice president of Internet commerce. Some analysts support his conviction. The market for SET-specific software, services, and hardware was approximately $137 million in 1997 and will approach $1.8 billion in 2000, according to Killen & Associates.

But Michael Cation, CEO of GlobeSet, an Austin, Texas­based provider of SET payment systems software, cautions against misinterpreting those predictions. "If you narrowly define SET as a credit card transaction system, it's a decently sized market," he says. "But it's not until you extend the market to include debit cards, smart cards, and micropayments that you can actually say 'billions' and keep a straight face."

Indeed, those are high hopes for an effort that has been bogged down by technical problems and tepid interest for more than a year. A number of financial institutions, including Bank of America, Citibank, Chase Manhattan, First Union, and Fuji Bank, have agreed, somewhat grudgingly, to participate in various pilots. (MasterCard has launched 67 pilots in 32 countries, 22 of which are conducting transactions presently.) But John Herron, senior managing director of BT Ventures (a division of Bankers Trust that has funded GlobeSet and another SET company, CertCo), says getting banks to embrace SET remains a significant challenge: "I think the last thing any bank wants is another system to roll out."

But although banks might resist the idea of switching to new systems, they have an interest in supporting SET. In the emerging era of e-commerce, SET is the only system that promises to protect their existing positions. By contrast, competing proprietary options like Digicash and Digital Equipment's Millicent propose to replace the bank in the Internet payment environment with an alternative institution.

Continental trendSETters Curiously, SET has had much wider appeal among banks in Europe and Asia than in the United States, where the bulk of e-commerce currently takes place. Paul DiSenso of SRI Consulting believes that may be because "SET solves some of the international problems that proprietary, national solutions can't address." For example, SET has a currency exchange mechanism built in, and it also creates some level of legitimacy for online merchants, since they have to register with a bank to carry out SET transactions.

According to Mr. Herz of Visa, SET in Europe is "a broader-based team initiative with more energy from business and government." The effort, he says, involves about 80 banks in 16 countries. Banking is also more competitive in Europe and Asia, so players in those markets have greater incentives to innovate and experiment with e-commerce projects. For example, privately held Trintech, based in Ireland, provides European banks and merchants with a SET product that, among the lower-priced systems on the market today, is one of the best at integrating SET with banks' legacy systems, according to Gary Kinghorn, RSA's director of product marketing.

Despite the much lower level of enthusiasm for SET in the United States, Gail Grant, the executive director of the financial services portfolio at CommerceNet, a nonprofit research and industry group that focuses on e-commerce, is not discouraged: "Although I've been disappointed that this is taking so long, it's phenomenally fast for the banking industry."

Grin and bear it As 1997 drew to a close, however, SET advocates were weary of pilot programs. "We've gone as far as we can with the early adopters," says Mark Greene, IBM's vice president of electronic payment systems. "It's time to focus on consumer acceptance and business implementation."

SET may be clearly in the interests of the credit card companies and banks, but it looks quite different from the perspective of merchants and consumers. Although a few European merchants, like the German retailer Karstadt, have begun SET pilots, most at this point have little reason to believe SET will buy them anything but headaches. Chris Stevens, who analyzes e-commerce for the Aberdeen Group, has interviewed several dozen Internet merchants and found that "not one of them says they plan to use SET, because they see zero demand for it." Even Wal-Mart, which has initiated the most successful U.S. SET pilot--with participants like IBM, GlobeSet, American Express, MasterCard, Chase Manhattan, and First Data--refuses to comment on how its customers are responding.

The problem is that merchants need to spend several million dollars in equipment and services in order to process SET transactions, when they already have what are arguably sufficient security provisions in SSL.

Cryptic advantage In the near term at least, SET doesn't appear to add much value at all for merchants or consumers, considering the effort required to make it work. For starters, SET supposedly provides better security by verifying that merchants and consumers are who they say they are. But the result is that SET systems are frustratingly slow. Mr. DiSenso of SRI Consulting reports a 50-second lag time from the purchase request to the approval and finally the transaction--even in the controlled environments of SET pilots. "This is not acceptable," he says. "What will happen when you add the bottlenecks and congestion of the real world?"

Mr. Greene of IBM speculates that SET 2.0 might include other cryptographic methods that speed up the process. To date, SET has relied on RSA's S/Pay toolkit. "RSA was chosen because it has withstood the test of time, but people are anxious to explore something called elliptic curve security," says Mr. Greene. Merchants also have simpler options for avoiding the lag time associated with SET. For example, CyberSource's Internet Verification Service, used by 160 online merchants, analyzes all of a site's credit card transactions for irregularities that might indicate fraud.

SET's supporters unanimously concede that the protocol's complexity makes it slow. But they argue that the complexity is the necessary result of working within the constraints of the existing transaction system. "Payment systems are like telephone systems. You could certainly design a better one from the ground up, but then no one would trust or use it," explains Mr. Cation of GlobeSet, adding that it took Visa 25 years to build its network of 600 million cardholders, 21,000 banks, and 14 million merchant locations.

As an open standard, SET must also ensure that systems from different vendors are interoperable. This has not yet been achieved. In the interim, SET vendors like IBM and VeriFone (Hewlett-Packard) are working together to make their individual products interoperable, but such efforts result in many different "interoperable" versions of SET, instead of a single protocol.

Tough crowd If merchants are leery of SET, consumers are an even harder sell. Vernon Keenan, a senior analyst at Zona Research, claims that the wallet concept is the biggest hurdle because SET requires users to install software. "Anything that requires consumers to take an extra step deters them from adopting it," he argues.

And though mainstream consumers may still fear fraud on the Internet, Alyse Terhune, the research director of the Gartner Group, thinks SET may run out of time in this regard: "Banks will have to spend several million dollars to SET-enable their back-end systems. Merchants will have to spend almost as much to do SET transactions. Then they still have to convince consumers to get a SET certificate. What's the likelihood of that happening before consumers realize they are already safe on the Internet?" she asks.

Both the card companies and the SET vendors realize they are racing the clock. Steve Mott, MasterCard's senior vice president of e-commerce and new ventures, says that "bringing merchants to the party is clearly MasterCard's priority now. We have 350 SET merchants up currently, and that should increase tenfold in 1998."

Visa and MasterCard have a three-pronged strategy for marketing SET. First, they agreed to establish a separate entity to own and manage the SET protocol. Tentatively called SETCo, this body--which also includes representatives from American Express and the Japan Credit Bureau--will license the right to use the SET trademark and will monitor business practices and implementation.

Second, the card companies will launch a full-scale marketing blitz. Mr. Mott says that for MasterCard this will involve a "shop smart" program intended to point consumers to SET-enabled merchants and a host of enrollment programs. Though the first wave of SET pilots has been oversubscribed, Mr. Mott admits that penetrating the next level won't be so easy. "Net-savvy cardholders were eager to get in as guinea pigs in the SET pilots because it's an interesting process to them," he notes. "But mainstream consumers will be more difficult."

Third, most SET supporters are certain that, if all else fails, the credit card companies will push SET through by manipulating the interchange rates on credit card transactions and by adjusting the policies for liability and repudiation to make SET more appealing to merchants. According to John Pettitt, CyberSource's chief technology officer, "Merchants already have a simpler, cleaner solution called SSL. But they will move heaven and earth for half a percent."

Force-feeding The financial community, then, can easily force merchants to use SET. Presently, all Internet credit card transactions are placed in the highest risk category, called MOTO, for mail order/telephone order, or CNP, for card not present. This means they carry the highest interchange rate. But as George Hoyem, VeriFone's vice president of Internet commerce, explains, if Visa and MasterCard lower the rate for SET and keep it high for SSL, "no bank will put in an SSL gateway." In this way, the card companies will drive the adoption of SET, whether it's the best solution or not.

In addition to the deep pockets of the credit card companies, SET will also be helped along by the individual software, hardware, and services vendors. IBM and VeriFone, which together hold the lion's share of the market for payment systems, are gearing up for major SET marketing efforts this year. Both companies, however, also have other e-commerce initiatives up their sleeves. "We're hedging our bets by developing payment systems for SET and for SSL," says Mr. Hoyem. Ms. Terhune thinks such caution is warranted: "If vendors are banking their business on the wide and immediate adoption of SET, then they're making a mistake."

Analysts may think little of SET's near-term prospects, but they do suggest that when smart cards enter the market en masse, SET will become a workable, even elegant, technology. The reasons: added security and portability. Today SET still has some security holes. Because users' SET certificates sit on their computers, an interloper need only decipher a password and some standard personal information like a Social Security number to make transactions on an account. For the same reason, digital certificates are not portable; users need a different certificate for each computer from which they wish to conduct transactions. Smart cards solve both of these problems by carrying the digital certificate.

According to Mr. Greene, "There is clearly support among vendors for putting SET onto a smart card." Visa and MasterCard already have a few smart card pilots under way in Europe and Japan, and Mr. Mott believes that "smart cards may become the biggest access channel for SET."

But the time for smart cards is still several years away. In the interim, says Ms. Terhune, "SET will be used, but there will be multiple payment-system protocols, and if SET fails it will not slow the growth rate of e-commerce in the least." SET's crusaders say they plan to finish the job and keep their promise to the banks, merchants, and consumers. The question is, will anyone but Visa and MasterCard notice if they don't?

THE LAY OF THE LAND Who does what for SET.