Ready, SET...wait

The two-year-old SET electronic transaction protocol is still a long way from widespread acceptance

By Kristi Essick, Torsten Busse, and Rob Guth

May 1998

Two years ago Visa and MasterCard were telling us that the world would be doing business on the Internet using a protocol called SET (Secure Electronic Transaction protocol). But despite a lot of attention, and a whole lot of effort, SET has not yet lived up to its promised potential. And until implementation, interoperability, and customer complexity issues get resolved, it's unlikely that this promising technology will receive widespread use. (2,100 words)

The high-rollers in electronic commerce have placed their bets on SET -- but the security protocol still has more than a few hurdles to leap before it's in the background of every online credit card transaction.

Not only is the Secure Electronic Transaction (SET) protocol proving expensive and difficult to implement, but merchant interest is lacking, bankers are worried about systems interoperability, and the differing needs of financial institutions in different countries may fragment the standard.

When Visa International Inc. and MasterCard International Inc. teamed up in 1996 to develop SET, the two credit card giants painted a rosy picture of the future. Consumers would happily buy goods over the Internet, confident that online merchants were legitimate and that their private credit card information was safe from prying eyes, while merchants, protected from fraud, would rake in profits.

Following that vision, 150 financial institutions spread throughout 34 countries drew up plans for SET trials. Credit card companies from Singapore to San Francisco began building SET transaction gateways, while software vendors readied SET-enabled applications.

Two years later, however, this once-rosy view has clouds. The protocol's complexity slowed SET's rollout, and though trials are up and running, the SET community is struggling with a host of challenges holding back the protocol's commercial debut. SET backers have not attracted the necessary universe of merchants and consumers, while the approximately 20 software vendors building SET applications still don't have SET-compliance seals of approval on their products.

SET use is still limited to trials around the world. Banks in Europe are the most advanced, with around two-thirds of the world's SET trials taking place there. Asia is close behind Europe, with the U.S. in the unusual position of last place in deploying SET. European banks are prepared to take a longer-term view than their U.S. counterparts and aren't expecting a one-year return on their investments in SET, according to Saj Arshad, head of electronic commerce, Visa Europe.

The current outlook of the SET community is "bullish but circumspect," said Mark Cullimore, the Singapore-based director of emerging technology at Visa International.

With backing from the world's two largest credit card giants, Visa and MasterCard, combined with support from many of the world's top financial institutions such as Sumitomo Credit Service Co. Ltd. in Japan and BancAmerica, observers say sheer momentum will drive SET to success. Meanwhile, IBM Corp., Hewlett-Packard Co., and Fujitsu Ltd. are among major IT vendors investing heavily in SET products.

While most banks have bones to pick with the current implementation of SET, few disagree that SET will be the core online credit card payment processing mechanism in the next few years.

And SET, which currently has no viable competitors, may have the luxury of time. But the longer it takes to grow, the more questions arise over its spread to broad commercial use.

"SET will be in crisis unless we do everything it takes to promote it," said Kaz Fujii, assistant general manager, emerging markets department of Sumitomo Credit, which is in two SET trials. "We have to stimulate the market."

The cart before the horse
The most fundamental challenge for SET is that very few consumers purchase products over the Internet on a regular basis -- especially in Europe and Asia, where e-commerce has lagged the U.S. Some SET backers have been disappointed by the growth of online transactions and, in turn, by merchants' interest in SET.

"I thought SET would be introduced naturally by merchants," said Fujii. In fact, they are not doing so, he said. "We have to push and make them use it," Fujii said.

Merchants who have already set up Web sites aren't seeing the profits for which they'd hoped, so it makes little sense to invest time and money into implementing SET-enabled systems, according to several analysts and banks.

The Bank of Ireland joined Visa's SET trial 18 months ago by opening an online mall but found that merchants are the missing link, said Conor O'Toole, head of Internet businesses at the Bank of Ireland.

"We have had trouble finding merchants that want to use SET," O'Toole said. Traditional merchants find it difficult enough to grasp the idea of the Internet, so implementing SET, which is costly and complicated, is out of the question for most, he said. "There is no real demand (for SET from merchants)," O'Toole said.

The same is true in Asia, where the Internet is still young and where many merchants are just starting up Web sites. In Japan the appearance of SET is like having the cart before the horse, according to Tomio Umezaki, manager of the Electronic Commerce/Electronic Banking division at the Bank of Tokyo-Mitsubishi Ltd.

"In the Japanese market there is not very much online shopping content," he said. "Technology and payment systems are here but not the content."

Difficult implementation
But it isn't just the reluctance of consumers to shop on the Internet that is holding back banks and merchants from rushing into the arms of SET. It turns out that implementing SET isn't as easy -- or cheap -- as most banks and merchants had hoped.

BancAmerica began SET trials in the third quarter of last year with Time Warner Inc. and Alaska Airlines, and plans to be one of the first U.S. banks to roll out commercial SET services in 1998. However, the experience was trying, said Jim Aviles, senior vice president of technology, products and strategy of merchant services at BancAmerica in San Francisco. "The gist is, SET works well, but it's tough to get there," he said.

"Our trial results show it was very difficult and very expensive for banks and merchants to implement," said Cedric Sarazin, electronic commerce manager at Europay International, the banking group that oversees MasterCard in Europe. "It's not an easy protocol."

The problem is that the protocol offers security at the expense of simplicity, said one critic. The protocol offers many layers of security, but with each layer of security the complexity grows, he said.

British bank Barclays PLC has decided not to participate in any SET trials at this time; it is "rather clumsy, not tried and tested and we simply don't need it," said Alex Stevenson, IT director, electronic delivery channel at Barclays.

Consumer complexity
SET's complexity isn't just a problem for banks and merchants. Perhaps even more integral to SET's success is its ease-of-use for consumers -- and serious questions remain about just how intuitive it will be for users to install the necessary files to do SET-based transactions, said several observers.

Users must download or install from CD-ROM an electronic wallet that adds payment functionality to a browser. Users also must register with a financial institution or trusted third party, which then issues a digital certificate that identifies the card holder to the merchant and vice versa. While in the long run SET backers expect certificates to be included in wallets -- which in turn will be built into browsers -- the first wallets shipping in June will not contain certificates, Visa officials said.

The wallet-certificate set-up is beyond the average card holder, said Sumitomo's Fujii. "It's a very troublesome procedure," he said.

Sumitomo last year tried to clear the confusion by adding explanations of SET to customers' credit card bills, but it had little effect.

"We realized last September when we launched our mall that just delivering brochures and papers into the statement isn't enough," Fujii said. So to jump-start SET, the company in June will send out SET wallets on CD-ROMs to 100,000 of its 15 million credit card holders, he said.


Interoperability an issue
Interoperability is another issue making the SET community jumpy about moving SET into production mode, according to officials at banks, credit card companies and vendors. With potentially many different versions of SET software coming to market, it is critical that these packages interoperate.

"Without interoperability, any protocol is dead," concurred Gerard Lacoste, project manager of the Secure Electronic Marketplace for Europe (SEMPER), which is working on integrating SET into a framework of security protocols.

While IBM and HP's Verifone subsidiary are working together, as are Hitachi and Fujitsu, little progress has been made, sources said.

"It's difficult for us to predict how much effort will be required to realize interoperability among vendors," said Masaaki Ogawa, general manager, EC project, Network Services Business Group, Fujitsu Ltd. Ogawa said interoperability is the biggest challenge facing SET deployment.

Vendors are also unsure of when their products will get the mark of SET compliance from Tenth Mountain Systems Inc., the La Jolla, California-based concern tapped by Visa and MasterCard to test if products conform to SET specifications.

And since Tenth Mountain is the only company handling the tests, vendors are lined up waiting and fear any lag time in gaining compliance will hold up SET software rollouts, they said.

Only four SET software vendors have completed compliance testing, according to Lynn Hedler, director of operations at Tenth Mountain. However, she disagreed that the process will hold back SET deployment.

"I don't think we are a stumbling block," Hedler said. "It [the test] is a new process and anything new has to be worked out." Once Tenth Mountain goes through the testing process a few times, the time to certification will speed up, she said.

Besides basic interoperability and compliance, there is the issue of implementing country-specific payment practices in SET without compromising the global standard. If Japan is any lesson in the difficulties of adding payment options to SET, similar situations could be major barriers to a global standard. Visa and MasterCard have spent two years adding the Japan Payment Options to SET, which allow for special Japanese payment features, such as the ability for users to elect to have a larger automatic monthly payment deducted during months they receive bonuses.

"We're trying not to do too many [payment options]," admitted Visa's Cullimore. "If we have too many payment options, then we won't have a global standard."

Better than SSL?
Until Visa, MasterCard and the bevy of SET software vendors can sort out issues of complexity, cost, and interoperability, Netscape Communications Corp.'s existing Secure Sockets Layer (SSL) encryption protocol may prove to be a more attractive option for online credit card transactions. Though it offers less robust security, it is far easier to use than SET, some observers said.

For example, Britain's National Westminster Bank PLC (Natwest) is testing SET in a limited form in conjunction with the Visa European pilot program, but plans to stick with SSL for its current e-commerce services for the time being, said Jonathan Bye, senior manager of electronic commerce at Natwest. "SET isn't ready for a commercial trial because the software (from vendors) isn't ready," Bye said.

Still, Natwest, like many banks, is bullish on SET in the long term. "SSL has its limits and isn't as safe as SET," Bye said. "SET offers the highest level of security and is the only solution that combines strong encryption with authentication of all trading partners."

No rush to version 2.0
So will SET survive its growing pains to become an easy-to-use global standard? Banks, vendors, and analysts say yes, though there is no doubt future versions of SET will bear little resemblance to today's Version 1.0.

To give the SET community time to work out the kinks, Visa and MasterCard have delayed the rollout of version 2.0, which will offer enhancements including support for smartcards. Visa said the new release will be published in the middle of next year, but several officials at banks and card companies said they expect it will be delayed again.

"We're planning on leaving quite a bit of time between version 1.0 and 2.0," said Visa's Cullimore. "There is no real rush to bring out a whole new standard...Vendors are saying `give us a chance to get our products up to speed.'"

SET has time to develop. For now there is no rival technology on the horizon that could make SET obsolete, said Erina DuBois, an e-commerce analyst at Dataquest Inc. in San Jose, CA. Anything that could potentially emerge, in order to succeed, would need the same level of financial commitment by the major credit card companies that SET already has.

Still, even Visa and MasterCard admit that one protocol does not fit all and that SET will have to work in conjunction with other online payment architectures in order to survive.

"SET won't be the only solution, but it will be an important solution," Visa Europe's Arshad said.

The bottom line is that it won't be until sometime in 1999 that SET services will become more prevalent and part of the majority of banks' back-end processing systems, analysts and industry executives said.

"Sure, we would like to have it all done by Monday at 8 a.m.," said Steve Herz, senior vice president at Visa International in San Mateo, CA. "But it takes time."

--Kristi Essick, Torsten Busse, and Rob Guth are correspondents for the IDG News Service, a SunWorld affiliate. Rebecca Sykes and David Legard contributed to this story.

[(c) Copyright Web Publishing Inc., an IDG Communication company]