Visa International, Inc., MasterCard International, Inc. and the banking community have high hopes that the Secure Electronic Transaction (SET) payment protocol will be widely used to approve credit-card transactions on the 'Net. But performance problems in SET equipment leave the future of the technology in doubt.
Some users and vendors evaluating SET in pilot projects and interoperability tests complained that SET is far too slow in processing card authorizations. They also said that getting different vendors' gear to work together is proving difficult. While it would be premature to declare SET dead, banks, which are in the business of selling Visa- and MasterCard-type services to merchants, say the problems need to be resolved before they're willing to go mainstream with the payment protocol.
"There are a lot of performance issues with SET," said Alan Slater, vice president of advanced development at Citibank.
He said SET, which uses public-key encryption based on RSA Data Security, Inc.'s technology, is "much too slow."
Slater also said the bank is attempting to "speed up SET" in pilot tests, but until that can happen, Citibank has no plan for mass-market deployment of SET-based card authorizations on behalf of Web merchants.
Getting SET into the real world "is taking a lot longer than we thought it would take," he admitted. SET Version 1 was finalized in May 1997.
Three main network components are required to authorize a SET credit card transaction.
First, a user needs to have a browser-based SET electronic wallet to encrypt a credit card purchase. The electronic wallet lets the online user pay for transactions via credit card, debit card or digital cash.
Second, the merchant needs to be able to receive the SET-encrypted credit card on the merchant Web server in order to automatically hand it to the bank's SET gateway. And finally, the SET gateway, SET merchant server and SET-enabled wallets all need to interact for the card authorization to proceed.
Although the SETCo testing consortium last week certified that electronic wallets from four vendors - GlobeSet, Inc., VeriFone, Inc., Terisa Systems, Inc. and TrinTech, Inc. - are SET-compliant, the good news was overshadowed by larger interoperability worries about SET equipment.
VeriFone acknowledged that the SET interoperability tests it has conducted privately since December with IBM, a key proponent of SET, are not going well.
Although VeriFone's vWallet did win SET certification, "the SET wallet is the simple part," said Tom Wills, senior manager, industry relations in the Internet Commerce Division at Hewlett-Packard Co.'s VeriFone unit. "Far more complex are the SET merchant server and the gateway."
And it's in the server and gateway that things are getting bogged down. IBM and VeriFone are having a hard time getting their gateways and merchant servers to interoperate.
In addition, banks, which will be competing with each other to get Web merchants to begin handling SET transactions, are pushing to put specific business functions into the merchant servers and gateways, Wills said.
Based on what is now known, "we expect we will have to make some changes in our equipment and so will IBM," Wills said. This will mean an upgrade to what the two companies now sell. IBM declined to comment about the testing it is doing with VeriFone.
When it comes to SET performance, special hardware accelerators may remedy the slowness of the RSA encryption algorithms.
But many involved in SET are already talking about a new version of SET based on elliptic-curve encryption, a mathematical technique that experts - including RSA - generally agree is much faster.
