Momentum Grows For SET Protocol

By DAVID JOACHIM

The SET payment protocol, incubating until now like a premature baby, no longer needs intensive care.

The brainchild of credit card issuers MasterCard and Visa, the Secure Electronic Transactions standard is being deployed for the first time in production-grade payment systems in Europe, with impending commercial rollouts in North America and Asia.

Leading the pack are three payment processors in Scandinavian countries, whose consumers are known to be technically savvy and where strict federal banking regulations require the tightest security for financial transactions.

Danish Payme nt Systems (known as PBS) of Denmark now makes SET mandatory for all affiliated Web shops, following a 30 percent rise in disputed Internet charges in the first quarter of this year. Each dispute, or so-called chargeback, costs up to $75 to process.

"We are telling the merchants that if they don't use SET, they are doing so at their own risk," said Erik Nystrup, a vice president at PBS, whose IBM-powered SET payment gateway and certificate management server went live in March and cost about $15 million to install and configure.

Before SET, payment processor Luottokunta of Finland would not support credit card payments of any kind over the Internet, including those running over the popular Secure Sockets Layer (SSL) network security protocol. Instead, it advised online retailers to accept orders via phone or fax.

"The risk of fraud is just too high," said Ilkka Laitinen, a project manager at Luottokunta, whose system became commercially available a few weeks ago. "With fax orders, at least there is some sort of documentation" that proves a consumer placed an order. Luottokunta invested the equivalent of $1 million in its IBM gateway, certificate server and software wallets for consumers.

Likewise, in Norway there were reports of hacker software that could generate valid credit card numbers and was contributing to fraud. As a result, Europay Norway began promoting SET, with its digital certificate-enhanced data integrity, and has gone live with 20 merchants and 2,000 consumers, part of a controlled production rollout, said Ketil Fridheim, a company vice president.

U.S. banks are generally three to six months behind these international counterparts, experts said.

The European and Asian "view of risk management is very sophisticated, there is a very high rate of Internet usage as a percentage of the population and there is often strict government involvement with the telecom and banking industries," said Steve Herz, senior vice president for E-commerce at Visa.

Several of the overseas pla yers said there is nothing stopping them from pursuing the merchant business in the U.S., and industry watchers pointed out that such a threat should spur adoption here.

In fact, financial companies in North America and elsewhere are not too far behind with their own SET services. Among them:

• BankAmerica is completing a pilot of SET version 0.0 with a handful of merchants and will go live with a 1.0 implementation later this month, a spokeswoman said.

• Royal Bank of Canada will enter production with six merchants and 100 of its own employee testers later this month, with general availability coming later this summer.

• EDS is internally testing a third-party service for small banks that cannot afford to set up their own SET infrastructure. It will enter pilot tests in the next few weeks and roll out later this year.

  SET's emergence has been slow largely because of technical problems that made for uneven compatibility of different SET systems, even if they complied fully with the published specification. IBM and VeriFone recently completed interoperability testing; IBM and GlobeSet have agreed to test the compatibility of both their systems.

  Technology problems remain. Some 0.0 pilots revealed throughput problems associated with the 1,024-bit RSA encryption mandated by the spec and the number of handshakes required by each system involved in a transaction.

  "It was very common for a round-trip transaction to take 35 to 40 seconds, far out of line with acceptable turnaround," said Gary Roboff, a senior vice president at Chase Manhattan Bank and an advisory board member of the Banking Industry Technology Secretariat, a technology consortium of the largest U.S. banks. "I think you will see SET evolve in succeeding iterations to be far leaner and faster than it is today."

  The emergence of the first commercial systems is an important milestone, but it does not by itself assure wide acceptance. System interoperability is still unproven in real-world environments, and each ba nk must be individually certified by MasterCard and Visa before rollout.

  Further, as banks and payment processing services sign on, they need to devise incentive programs to attract merchants. In turn, the merchants must promote the use of SET wallets and digital certificates by their customers, which today requires an eight-step setup and installation procedure, experts said.

  Both issues are being addressed by the creators of SET. Last September, Visa revised its liability rules to treat SET transactions as face-to-face interactions, shifting the burden of proof to the consumer rather than the merchant in a dispute. Also, in April Visa began waiving the transaction fees charged to banks, which run between 8 and 15 cents per $100. Banks, in turn, are expected to pass along the savings to retailers. IBM is proposing a simpler way for consumers to configure the wallet software and digital certificate, resembling the activation process for plastic credit cards.