MasterCard, Visa trade strong security for ease of use
When MasterCard and Visa unveiled technology for secure Internet electronic commerce transactions two years ago, they thought it would take over the world.
But while Secure Electronic Transaction (SET) has made inroads in Europe and Asia, it has faltered badly in the U.S. Faced with technical and business obstacles to SET, MasterCard and Visa are now coming up with alternatives to SET - SET Lite and Merchant-originated SET (MOSET).
But SET Lite and MOSET critically alter the SET 1.0 architecture and soften SET's rock-hard security - all for the sake of convenience. For example, the technologies abandon the idea that each online consumer is going to have a bank-issued SET digital certificate for credit-card encryption. This certificate was to be the main means of verifying the consumer's real identity on the Internet.
SET Lite, or certless SET, eliminates the need for a credit-card holder to use a SET digital certificate to "sign" his Internet transaction. It also eliminates one of the main security advantages SET has over SSL: client authentication.
With SET Lite, the card holder uses a SET-based electronic wallet to encrypt the transaction. MOSET throws away the SET wallet, presupposing that the card holder simply encrypts his credit-card number by means of browser-based SSL. The Internet merchant and the acquiring bank still act in SET mode, with the merchant server and bank gateway swapping digital certificates to identify each other before processing the credit card.
In the future, however, SET merchant servers such as IBM's Payment Server or the GlobeSet POS are likely to give users two options - one for SET and another for SSL.
SET Lite and MOSET are a tacit acknowledgment that SET faces an uphill battle against the Web's current widespread encryption technology, Secure Sockets Layer (SSL). Originally developed at Netscape and now the staple encryption technology used in Web browsers and servers, SSL is effective for simple data encryption, but it is not integrated into the banking system the way SET is.
MasterCard says it views MOSET and SET Lite as "steppingstones" to full-fledged SET. MOSET, which may end up being called Backend SET when it's officially announced, is going to be an option for merchants, says Art Kranzley, MasterCard's senior vice president of electronic commerce.
"It's a migration path to SET," Kranzley notes, adding that the decision allows vendors to sell merchant and bank SET gear as SET-certified even if the consumer doesn't have a SET wallet and certificate.
A third idea, already being tested by banks, is the so-called server-side wallet, which puts a user's digital certificate and wallet on an Internet server.
Why has SET stalled? Sources at Citicorp say simply that SSL killed SET. But it's harder to explain than that, given that Internet merchants stand to gain real benefits from SET. When a merchant completes a SET digitally signed credit-card purchase, Visa and MasterCard levy a lower service charge because the transaction is considered less risky than accepting a card number without SET.
Visa and MasterCard regard a SET transaction over the Internet as the equivalent of having the card holder sign his name on a purchase in front of the merchant. SSL is more like a mail-order merchant taking a credit-card number over the phone.
As to SET Lite and MOSET, MasterCard is unlikely to give online merchants reduced service charges if the card holder isn't using a SET certificate, even if the merchant and the bank are using SET gear, Kranzley says.
One headache with SET, insiders say, is finding a way to distribute the 10M bytes of software that comprises the SET wallet. Another issue is the interoperability problem between different vendors' SET wallets, merchant servers and gateways.
In spite of the SET-compliance testing overseen by the joint MasterCard-Visa venture called SETCo, there still remain interoperability problems even with SETCo-certified gear, Kranzley acknowledges. To resolve those problems, IBM and Hewlett-Packard over a year ago started the Interoperability Testing Initiative to conduct the kind of one-on-one application testing that SETCo wasn't set up to do.
