Secure Electronic Transaction (SET)

2001-12-29 12:45:44 Author: 畅享网

The Secure Electronic Transaction™ (SET™) protocol has the potential to be the secured payments product of the e-commerce age. While it hasn't been widely used to date, it has only recently emerged from the test phase with its impressive offering of significant capabilities. SET could easily become the predominant protocol for both business-to-consumer and business-to-business electronic commerce.

Setting the standard


SET was first proposed by the credit card company MasterCard. One of MasterCard's main competitors, Visa, originally had a competing protocol, but later tests showed that the MasterCard proposal was superior. Both companies eventually joined forces and on February 1, 1996 announced the development of a single technical standard for safeguarding payment card purchases made over open networks. In December of the following year it was announced that Secure Electronic Transaction LLC (SETCo) would be charged with the responsibility of implementing the SET specification. SETCo is supported by borrowed resources from MasterCard and Visa. It manages the specification, oversees software compliance testing, and coordinates efforts related to the adoption of SET as the global payment standard. SETCo operates through participant companies committed to the advancement of the SET protocol. They work together to encourage payment brands, financial institutions, merchants, cardholders, and software vendors to adopt SET as the most comprehensive payment solution for global Internet commerce.

SET is basically an open technical standard for the commerce industry developed as a way to facilitate secure payment card transactions over the Internet. Digital certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity, a process unparalleled by other Internet security solutions. Software vendors whose products pass SET compliance testing are eligible to display the SET Mark on their products, as are merchants, financial institutions, and promotional sites that utilize or advertise licensed software.

A set apart


Various stringent tests have been conducted to assess the new SET protocol for verification purposes. To date, the protocol has been deployed in Japan, Switzerland, and Denmark, where it's now being used on a commercial basis. Much has been written in the media about the alleged power of SET and its potential to revolutionize e-commerce payment, but the question that needs to be asked is what makes SET so special. SET's marketing folk would obviously promote the virtues of SET's unique protocol. The first primary feature of the SET protocol is enhanced identification. The only identification required in the protocol is on the part of the server. SET requires that all participants have certificates for definite identification. No matter how hi-tech anyone would like the Internet to be, many avenues still exist for the perpetration of fraud by consumers and merchants alike.

Set strategy

SET counters this threat by a requirement that all transactions be signed and identified by each participant at each step of the purchasing process. By requiring cryptographic identification, the authentication will actually surpass that of nonelectronic transactions. The extremely high fraud possibility forces merchants conducting electronic commerce with credit cards to assume the risk. Additionally, the percentage charged by the acquirer is usually significantly higher. A conventional credit card transaction is classified as a "card present" transaction and is typically subject to a 1 to 3 percent fee. The Internet classification or "card not present" fee ranges between 6 and 12 percent. As a sign of their confidence in SET's authentication technology, MasterCard and Visa have rated it with a "card present" classification, which will represent a significant cost saving to merchants.

The second differentiating characteristic of the SET protocol is that the merchant never actually gets to see the credit card number. Instead, the purchaser's credit card information is sent encrypted to the merchant's bank. This system ensures that the merchant never gets an opportunity to abuse the credit card or transaction information, either deliberately or inadvertently.

A third requirement of SET is that all sensitive information among all parties must be encrypted and signed. This encryption is used to achieve four goals with respect to cryptography—data confidentiality, data integrity, authentication, and nonrepudiation.
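An added example, not from the original article or from any SET implementation, that goes beyond the text above: SET ties the "merchant never sees the card number" property to the signing requirement with a dual signature, in which the cardholder signs a digest of the order and payment digests together. The sample order and payment data are constructed, and SHA-256 with a toy unpadded RSA key are stand-in assumptions for the specification's algorithms.

```python
import hashlib

# Toy cardholder RSA key built from two known Mersenne primes.
# Demonstration only: unpadded textbook RSA with public primes is not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dual_sign(oi: bytes, pi: bytes):
    """Cardholder: sign H(H(PI) || H(OI)); return (signature, PIMD, OIMD)."""
    pimd, oimd = h(pi), h(oi)
    pomd = int.from_bytes(h(pimd + oimd), "big")
    return pow(pomd, D, N), pimd, oimd


def _check(sig: int, pimd: bytes, oimd: bytes) -> bool:
    """Recompute the combined digest and compare with the opened signature."""
    expected = int.from_bytes(h(pimd + oimd), "big")
    return pow(sig, E, N) == expected


def merchant_verify(oi: bytes, pimd: bytes, sig: int) -> bool:
    """Merchant holds the order but only the digest of the payment data."""
    return _check(sig, pimd, h(oi))


def gateway_verify(pi: bytes, oimd: bytes, sig: int) -> bool:
    """Merchant's bank holds the payment data but only the order digest."""
    return _check(sig, h(pi), oimd)


# Constructed sample data (the PAN is a well-known test number).
# In SET the payment data would also travel encrypted to the bank's key;
# that envelope is omitted here.
OI = b"order=1001;item=book;total=25.00"
PI = b"pan=4111111111111111;exp=12/03;amount=25.00"

if __name__ == "__main__":
    sig, pimd, oimd = dual_sign(OI, PI)
    print("merchant accepts order:", merchant_verify(OI, pimd, sig))
    print("bank accepts payment:  ", gateway_verify(PI, oimd, sig))
    print("bank accepts swapped order:",
          gateway_verify(PI, h(b"order=9999;total=25.00"), sig))
```

Each party can detect tampering with the half it holds, and neither can pair the signed payment with a different order, because the signature covers both digests.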

Finally, because the SET protocol was designed specifically for use in financial transactions, it also supports such activities as credits, returning of goods, reversing authorizations for product unavailability, and charge-backs. These credit card situations currently cause difficulties with most payment gateways, but including them in the protocol alleviates this problem.

Set differences

The major advantage of SET over existing security systems is the addition of digital certificates that associate the cardholder and merchant with their financial institutions and the respective SET payment brands. Digital certificates are designed to reinforce existing trusted business relationships and will protect against fraud at a level existing systems don't.

Despite all the fanfare surrounding SET, it is a security system with its fair share of detractors. Analysts cite the pricey implementation costs as one of the system's weakest points. Royal Bank of Canada, for example, recently forked out over $1 million for the implementation of a SET gateway. New options for handling credit card transactions over the Web are emerging as cheaper and simpler alternatives to SET. These include SSL (Secure Sockets Layer) and SSL using X.509 digital certification. Because of the range of competing security products, the secure payments market seems destined to have an extremely healthy future, especially with the continued customer migration to the Internet. The extent of SET's role in all of this is hard to predict, but its success to date has been fairly promising.
