CARD TRENDS

SET is ready, are banks and merchants?

By Orla O'Sullivan, senior editor/technology

Come March, when consumers start using the Secure Electronic Transaction (SET) protocols to make credit card purchases over the Internet, they will enjoy a level of security not found in normal life.

Even detractors of SET, the authorization and payment method developed jointly by Visa and Mastercard, laud the technology, whatever they may say about its prospects for implementation.

Today when someone makes a credit card purchase, the merchant gets to see their credit card number. With SET, the merchant never sees the number, which passes encrypted through the network.

Cryptography requires a key to encrypt and decrypt sensitive information so it can be securely sent across a network. SET uses so-called asymmetric keys, whereas ATM networks, for example, use symmetric keys. To grossly simplify matters, asymmetric keys come as a pair, a public key and a private key, that work together like a lock and key. Symmetric keys (also called secret keys) are copies of the same key shared by a trusted group, such as family members' keys to the home.

Symmetric keys work in an institutional context, where there is a finite number of relationships between parties known to each other (e.g. the ATM owning bank, the electronic payment switch, and the consumer's bank). However, with upwards of 40 million consumers and countless merchants on the Internet, another approach was required.

The approach is SET, which uses digital certificates (electronic "identification cards," issued by bank authorities) to vouch for consumers and merchants and then uses asymmetric keys to secure their correspondence. As mentioned, the public and private keys work together. For instance, when a merchant that has a digital certificate responds to a consumer's expression of interest in a product, it uses the consumer's public key. The message can be opened only by the proper recipient, i.e., the person with the matching private key. The consumer uses his (secret) private key to generate an electronic "signature," committing him to accept the offer which the merchant has made. Only his public key will open his response, and there are various security measures built in to ensure that the message was not tampered with en route.

Furthermore, SET is designed to provide participants with just enough information to do their job. This makes it more secure than existing Internet security systems, which decrypt all information at every link in the chain.
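The division of knowledge described above can be sketched in a few lines. This is an added illustration, not code from the article or from the SET specification: it uses textbook RSA with small constructed keys, and the function names, sample order and test card number are assumptions made for the example.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs

def make_keypair(p, q):
    """Textbook RSA from two primes; returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed demo keys from small Mersenne primes: far too weak for real use.
GATEWAY_PUB, GATEWAY_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
CONSUMER_PUB, CONSUMER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def _digest(order: bytes, blob: int, n: int) -> int:
    h = hashlib.sha256(order + b"|" + str(blob).encode()).digest()
    return int.from_bytes(h, "big") % n

def build_purchase(order: bytes, card: bytes, consumer_priv, gateway_pub):
    """Consumer side: hide the card from the merchant, then sign everything."""
    n, e = gateway_pub
    m = int.from_bytes(card, "big")
    if m >= n:
        raise ValueError("card data too long for this toy modulus")
    blob = pow(m, e, n)                      # only the gateway can open this
    cn, d = consumer_priv
    sig = pow(_digest(order, blob, cn), d, cn)
    return {"order": order, "payment_blob": blob, "signature": sig}

def merchant_accepts(msg, consumer_pub) -> bool:
    """Merchant side: check the signature using only public material."""
    n, e = consumer_pub
    return pow(msg["signature"], e, n) == _digest(msg["order"], msg["payment_blob"], n)

def gateway_reads_card(msg, gateway_priv) -> bytes:
    """Bank gateway side: the one party holding the key for the card blob."""
    n, d = gateway_priv
    m = pow(msg["payment_blob"], d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    card = b"4111111111111111"               # constructed test card number
    msg = build_purchase(b"order 1001: 1 book, USD 25.00", card,
                         CONSUMER_PRIV, GATEWAY_PUB)
    print("merchant sees:", msg["order"], hex(msg["payment_blob"])[:18] + "...")
    print("signature valid:", merchant_accepts(msg, CONSUMER_PUB))
    tampered = dict(msg, order=b"order 1001: 1 book, USD 2.50")
    print("tampered order valid:", merchant_accepts(tampered, CONSUMER_PUB))
    print("gateway recovers card:", gateway_reads_card(msg, GATEWAY_PRIV) == card)
```

The merchant can confirm who sent the order and that it was not altered, yet holds nothing that decrypts the card number; only the gateway's private key does.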

Computational hog?
A possible major drawback to this complex security is that it takes a long time to generate the algorithms used. Even with symmetric key technology handling certain functions, some say SET could overload banks' and merchants' computer networks.

Among them is Bill Sweet, marketing consultant with Atalla, a division of Tandem Computers that offers hardware onto which SET functions can be off-loaded. SET could reduce computational power to one-thirtieth the norm, he says.

From an implementation aspect, the complexity of SET is being addressed by software vendors offering SET toolkits.

Typically, these incorporate the public key technology of RSA Data Systems, a Redwood City, Calif., vendor whose encryption technology, Sweet says, "is becoming the de facto standard." (RSA charges a license fee for its asymmetric keys, whereas the comparable symmetric key standard, DES--Data Encryption Standard--is free.)

Others balk at the cost of implementation, including Abdallah Hitti, chief executive of Kleline, a newly formed subsidiary of the Paris-based bank, Compagnie Bancaire. Kleline currently offers 30 merchants Internet-based credit card transactions through Kleline's server. The bank bore the merchants' technological burden on the assumption that merchants won't be willing to make the investment SET requires. Hitti says it could exceed $30,000, "all before the merchant makes a single sale."

Hitti also concurs with those who say digital certificates are impractical and insecure for consumer use, because of the vulnerability of storing them in software form. He believes SET won't become widespread until SET certificates are incorporated into smart cards.

Linda Elliott, executive vice-president of Visa International, agrees that the next phase of SET will be based on smart card technology. However, before such time (probably in 1998) she says there is sufficient "pent-up desire for a way to purchase over the Internet" to ensure the immediate adoption of SET.

No one is making projections for SET-based purchases in 1997, although projections for the year 2000 run anywhere from $7 billion to $600 billion.

Elliott would not say which banks will participate in Visa's three domestic "market trials" this March.

Actual commerce will be conducted, based on the SET specification Visa and Mastercard released in June 1996. There will also be trials overseas, as well as trials conducted by Mastercard and American Express.

"We believe SET will become the way every customer identifies himself for banking relationships over the Internet," Elliott says.

Further information on SET is available at http://www.mastercard.com/set/set.htm and http://www.visa.com/cgi-bin/vee/nt/ecomm/set/downloads.html?2+0.
