Getting SET
By KELLY JACKSON HIGGINS
October 20, 1997

Ready, SET, charge it? Not quite. The industry is poised to make credit card transactions safe from cyberthieves, but securing business-to-business transactions over the Internet is still several months off.

As the industry vies to develop standards that make the Internet safer for commerce, much of the focus is on the consumer-oriented Secure Electronic Transaction (SET) protocol. SET, which encrypts and authenticates credit card information over the Internet, may be the closest the industry has come to secure electronic commerce since the dedicated line. And SET is backed by the heavyweights of banking, finance and retailing. American Express Co., Chase Manhattan Bank, Mellon Bank Corp., Wal-Mart and SET's developers, MasterCard and Visa, are all running SET pilots that go live in early 1998.

This is great news for consumers and businesses looking to jump into Web-based retailing. But if you want to pay your supplier for those widgets, or negotiate a contract over the Internet, the options for securing the transaction remain slim.

Sure, there are security protocols that encrypt pieces of a business transaction. Two that come to mind are RSA Data Security Inc.'s S/MIME (Secure Multipurpose Internet Mail Extensions) and Pretty Good Privacy Inc.'s PGP for disguising E-mail messages. Others include the Internet Engineering Task Force's IPsec protocol for protecting the network link itself and the Secure Sockets Layer (SSL) protocol built into Web browser and server software that encrypts Web sessions. The problem is, none of these protocols was developed to support business-to-business transactions. "There just aren't enough tools in the toolbox," says Robert Moskowitz, a member of the Internet Architecture Board and a software specialist for Chrysler Corp., the $3.5 billion automaker based in Dearborn, Mich.
Insecure Business

Even E-commerce software vendors are frustrated with the lack of protocols for securing core business on the Internet. "What happened to the large-dollar transaction? There has to be a business transaction protocol, but there's no standards body addressing it right now," says Mary Van Zandt, director of marketing for Sterling Software Inc., Irving, Texas, one of the biggest electronic data interchange (EDI) software makers.

But don't blame SET. The new protocol was designed specifically for consumers who want to buy merchandise on the Internet with their credit cards, no more, no less. Even so, SET may eventually be expanded to accommodate corporate credit card transactions, so the employee in purchasing can buy pencils and maintenance supplies with a corporate card, too. There's also talk of SET being built into standard browser software, so configuring your business for SET may eventually be as easy as upgrading your browser.

Even after a few false starts, slow-moving software development and interoperability troubles, SET already has done what no other security technology achieved before: it has given encryption and authentication a commercial spin.

One of the more attractive features of a SET transaction is that the merchant doesn't always get the cardholder's credit card number, unlike with SSL, the encryption method developed by Netscape. Instead, the cardholder presents the retailer with a Visa digital certificate when ready to charge an item. Once SET catches on, cardholders will have multiple digital certificates, one for each card they hold, be it a Visa, MasterCard or American Express. Of course, there is a way for a merchant to request that the credit card account information be sent back after the initial transaction by the buyer. That happens outside of the SET process.
"Merchants are used to having that information for chargebacks and retrievals," says Tom Butler, first vice president for product development at Pittsburgh-based Mellon Bank's network services division (www.mellon.com). It's up to the traditional credit card authorization service, such as Global Payment Systems, Atlanta, whether to send that information back to the merchant after the credit check, he says.

Obtaining a digital certificate for a personal or corporate credit card will be fairly easy. The cardholder simply fills out a form at either the bank's Web site or at a so-called trusted third party's Web site, like GTE Corp.'s CyberTrust service, which then issues a SET-compliant digital certificate that confirms the credit card is legit. Certificates last for about a year or two.

There are three main components in a SET transaction: the buyer's electronic "wallet," the merchant's server software and the credit card company's Internet payment gateway. Electronic wallet software runs on a client browser and holds the digital certificates, while the merchant server software runs on a Windows NT or Unix machine. The Internet gateway software is the credit card company's server, also typically an NT or Unix box.

Here's how a consumer would use SET to charge that nifty new canoe from L.L. Bean on a Visa card. First, he digs his Visa digital certificate out of his electronic wallet, which runs on his browser in a Visa card icon. After the cardholder clicks on the payment button, SET kicks in. The cardholder's software generates two keys, one that encrypts the order and another that encrypts the credit card payment information; both are sent to L.L. Bean's merchant server. L.L. Bean decrypts the order information, which is wrapped up with its public key and digitally "signed" by the buyer. From there, the merchant server sends the digital certificate containing the credit card information to Visa's Internet gateway, which decrypts that account information.
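The walk-through above (order information readable by the merchant, card data readable only by the gateway, both bound to one cardholder signature) is the SET "dual signature" with a digital envelope. The following is an added example, not code from the article, from MasterCard/Visa or from any SET wallet, merchant or gateway vendor, and it goes slightly beyond the article's two-sentence description by showing what each party can and cannot verify. Everything in it is constructed for illustration: textbook (unpadded) RSA with toy 512-bit keys, a SHA-256 counter keystream standing in for the symmetric cipher, and made-up order and payment records. Real SET used PKCS#1 RSA under X.509 certificates, which the toy omits.

```python
"""Toy model of the SET purchase flow (dual signature plus digital envelope).
Added example, not code from the article or any SET vendor. Assumptions:
textbook (unpadded) RSA with toy 512-bit keys, a SHA-256 counter keystream
as the symmetric cipher, constructed order/payment records.
"""
import hashlib
import json
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def b2i(data: bytes) -> int:
    return int.from_bytes(data, "big")

# ---- toy RSA (illustration only) ----
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; good enough for a demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits: int = 512):
    """Return ((e, n), (d, n)); n exceeds 2**256 so a digest or 32-byte key fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_op(key, value: int) -> int:
    """Raw RSA: sign/unwrap with the private key, verify/wrap with the public key."""
    exp, n = key
    return pow(value, exp, n)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (XOR with a SHA-256 counter keystream); same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = sha256(key + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# ---- the three SET parties ----
def cardholder_purchase_request(order: dict, payment: dict, card_priv, gateway_pub) -> dict:
    """Wallet: dual-sign OI and PI; seal PI in an envelope only the gateway can open."""
    oi = json.dumps(order, sort_keys=True).encode()
    pi = json.dumps(payment, sort_keys=True).encode()
    oimd, pimd = sha256(oi), sha256(pi)            # order and payment message digests
    dual_sig = rsa_op(card_priv, b2i(sha256(oimd + pimd)))
    session_key = secrets.token_bytes(32)
    envelope = {"enc_pi": xor_stream(session_key, pi),
                "wrapped_key": rsa_op(gateway_pub, b2i(session_key))}
    # Merchant gets clear OI, only the digest of PI, the signature and the sealed envelope.
    return {"oi": oi, "pimd": pimd, "dual_sig": dual_sig, "envelope": envelope}

def merchant_verify(req: dict, card_pub):
    """Merchant: verify with its own digest of OI plus the supplied PIMD; never sees PI."""
    oimd = sha256(req["oi"])
    ok = rsa_op(card_pub, req["dual_sig"]) == b2i(sha256(oimd + req["pimd"]))
    return ok, {"envelope": req["envelope"], "oimd": oimd, "dual_sig": req["dual_sig"]}

def gateway_authorize(forward: dict, card_pub, gateway_priv):
    """Gateway: open the envelope, verify with the supplied OIMD plus its own digest of PI."""
    key = rsa_op(gateway_priv, forward["envelope"]["wrapped_key"]).to_bytes(32, "big")
    pi = xor_stream(key, forward["envelope"]["enc_pi"])
    ok = rsa_op(card_pub, forward["dual_sig"]) == b2i(sha256(forward["oimd"] + sha256(pi)))
    return ok, (json.loads(pi) if ok else None)

def run_demo() -> dict:
    card_pub, card_priv = rsa_keypair()
    gw_pub, gw_priv = rsa_keypair()
    order = {"merchant": "example-outfitter", "item": "canoe", "price_usd": 899}   # constructed
    payment = {"pan": "4111111111111111", "exp": "12/99", "amount_usd": 899}      # constructed test PAN
    req = cardholder_purchase_request(order, payment, card_priv, gw_pub)
    merchant_ok, forward = merchant_verify(req, card_pub)
    gateway_ok, pi = gateway_authorize(forward, card_pub, gw_priv)
    # Altering the order in transit breaks the dual signature at the merchant.
    tampered_ok, _ = merchant_verify(dict(req, oi=req["oi"].replace(b"899", b"1")), card_pub)
    return {"merchant_ok": merchant_ok, "gateway_ok": gateway_ok, "tampered_ok": tampered_ok,
            "merchant_sees_pan": b"4111" in req["oi"], "gateway_sees_pan": pi["pan"]}

if __name__ == "__main__":
    print(run_demo())
```

The point the toy makes concrete: the merchant checks the signature from the clear order plus a digest of the payment data it cannot read, the gateway checks the same signature from the decrypted payment data plus a digest of the order it cannot read, and neither can swap in a different order or card without the signature failing. The dozens of public-key operations the article mentions are visible here too: two RSA operations per party per purchase, before any certificate checking.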
Now the traditional credit card authorization process takes place. That's done off the Internet over leased lines, mostly because that's the way it's always been done, in a highly secure fashion. Today, the entire SET process, plus the back-end credit card authorization, takes about 15 to 20 seconds. "We are looking to reduce this as we get better at it," says Andrew Bartels, vice president of encrypted payments for New York-based American Express, which is running its own homegrown SET Internet gateway software in a pilot with Wal-Mart, Bentonville, Ark. The reason SET is so slow today is that the software has dozens of encryption calculations to run through, says Bartels. "As SET gets more specialized and standardized, a lot of calculations will be off-loaded onto specialized computation devices to speed up the process," he says.

SET Sale

And SET won't just be for credit cards anymore, either. Look for Version 2 of SET, expected next year, to include debit card processing so consumers can make cash payments on the Internet.

SET's authentication feature may be its biggest selling point over the status quo, Netscape's SSL. Today, SSL only encrypts a communications session. "With SSL, both ends may know they are talking to each other, but if there's a dispute, there's no way for a merchant to prove that he's truly who he says he is," says David Solo, director of technology for network-centric solutions at BBN Planet, now a division of GTE Corp. SSL wasn't designed specifically for financial transactions, either. It was more a generic protocol for securing a session, for example, to fill out a form online, says Steve Crocker, CTO for CyberCash Inc., which plans to release SET-based electronic wallet software next year.

Not that SET is perfect. It authenticates the credit card account, not the person charging merchandise with it, which could prove to be a problem for corporate credit card purchases. "SET digitally identifies the card, not the user.
That's the way credit card companies have always done it, where they are not taking responsibility for you using your card, but for the account itself," says Andrew Herbert, chief technology officer for APM Ltd., a Cambridge, England, consultancy. "That won't work in the corporate purchasing model. You must know who is using the card because there's a relationship between cards and people and budgets."

In many minds, SET still has a long way to go. The early pilots have highlighted other shortcomings of the SET spec, namely that it tends to be too general and leaves much of the interpretation up to the vendor. That's caused interoperability troubles among SET software products, and has slowed the adoption of SET among financial institutions. "There is some frustration among those involved with SET that it's taking longer to get in place than was expected," says American Express' Bartels. That's not surprising given SET's roots as a peace treaty that came out of rival efforts by MasterCard/Netscape and Visa/Microsoft.

Once the technical kinks are resolved, the big challenge for SET may be dispelling the bugaboo of the Internet's inherently unsafe image. Most "netizens" still consider E-commerce no more secure than giving a telemarketer a credit card number over the phone, and about 70 percent of Internet users surveyed by Global Research Inc. recently said just that.

Do You Mime?

So while all eyes may be on SET, S/MIME, PGP and IPsec are the only protocols today that can secure business transactions. The problem is no one is sure which direction secure messaging will go. S/MIME was a shoo-in until S/MIME developer RSA Data Security initially refused to give up control of the spec. Now a new version of S/MIME, Version 3.0, is under discussion at the IETF. PGP, traditionally more of a personal security protocol, has gone more corporate and is also on the IETF standards track.
S/MIME, so far, has the commercial edge: it's already tucked into Netscape's browser, for instance, and Microsoft, Lotus and Novell all have plans for S/MIME messaging. S/MIME is also the key protocol in Templar, an Internet EDI product marketed by Premenos Technology Corp. The company also plans to pack PGP into Templar.

S/MIME places data in an encrypted envelope for its journey over the Internet, and the data remains secure even after the transaction because S/MIME stores it in its encrypted format. "There are valid reasons to use S/MIME on mail messages," says Chrysler's Moskowitz. "It means you have secured data in the long term."

Secured data is a big issue for the automobile industry, where industrial espionage is a reality and not just the stuff of hacker fantasies. That's why S/MIME may eventually be included in the auto industry's planned Automotive Exchange Network (ANX) pilot, an Internet-based extranet of sorts for the Big Three, their suppliers, competitors and anyone and everyone who sells anything related to a car.