Sheldon...per your request:
This should answer your question on SET.
Security System for Internet Purchases Raises Doubts
By SAUL HANSELL
After two years of development and dozens of trials around the world, the
credit-card industry is readying an elaborate system meant to improve the
security of making purchases over the Internet.
The system, called Secure Electronic Transaction, is to be introduced early
next year and promises to make it harder for someone to steal a credit-card
number sent over the Internet. It will also make it easier for shoppers to
verify that the online merchants they are dealing with are legitimate and for
the merchants to authenticate the identity of the shoppers.
Yet after the system's proponents, including perhaps a dozen financial and
software firms, have invested tens of millions of dollars in its development,
they are finding there is a growing backlash among bankers and companies
doing business on the Internet. The system, which is often called by the
acronym SET, is too slow, too expensive and far too cumbersome for shoppers
to use, the critics say.
"SET is not a panacea and it ain't cheap," said Allan Weinberg, senior vice
president of First Data Corp., the United States' largest credit-card
processor, which handles such big Internet merchants as Dell Computer Corp.
and Amazon.com Inc., the online bookstore. "If you want to sell more sweaters
or greeting cards on the Internet today, you are just not going to get a
return from your SET investment."
First Data is grudgingly building the capability to accept SET transactions
because some of its clients have asked it to do so, Weinberg said. But he
predicted that two years from now, a "relatively small" portion of Internet
transactions would use SET.
The controversy is yet another reminder that electronic commerce, like the
rest of the Internet, has flourished on simple technology developed in small
steps by millions of users, rather than by complex systems designed over
years by committees of experts.
And it highlights how problems that seem insurmountable o such as
consumers' fear of using cards on the Internet o can vanish in months,
potentially rendering research into solutions an expensive exercise in
futility.
"Last year we did a survey, and three-quarters of our customers said
credit-card security was an issue," said Chris McCann, senior vice president
of 1-800-Flowers, which does 10 percent of its business online. "Today less
than one-third see it as an issue."
What's more, the added security of SET is hardly needed when fraud on the
Internet is minuscule and existing browsers already have more than adequate
ability to prevent hackers from eavesdropping.
"Credit-card shopping on the Internet is going like gangbusters today,"
said Cliff Conneighton, chief executive of Internet Commerce Services Corp.,
which runs shopping sites on the Web for Panasonic Consumer Electronics Corp.
and Random House Inc. "The fear of shopping is diminishing rapidly. It's
always good to have truth on your side, and the truth is that it's not very
risky."
Credit-card companies argue that the reason they are pushing SET now is
precisely to stay ahead of the criminals who will eventually find ways to
exploit the weaknesses of the current system.
"As a bank, we just can't say, 'Let's choose the option that is less
secure,"' said Gary Roboff, senior vice president of Chase Manhattan Bank,
which is testing SET with Wal-Mart Stores Inc. "The reason SET will happen is
that it's truly in everyone's best interest to make it happen," he said.
"Consumers will have a degree of security they can't have any other way, and
the merchants will have lower fraud losses."
Yet in return, it is much more complicated for a shopper to use SET than
the security automatically built into today's browsers.
First, a customer must get a special program, known as an electronic
wallet, which works in conjunction with Internet browser software. Netscape
Communications Corp. and Microsoft Corp. include such electronic wallets in
their latest browsers, but credit-card companies plan to offer their own
versions. Any SET wallet will be able to handle five different credit-card
accounts; debit cards will be added in a future release.
Before going shopping, consumers will need an electronic certificate o
effectively a digital identification card o associated with each credit card.
They will either receive this on a disk or download it from their card
company's Web site.
To shop, users would do as they do today, browsing a store's Web site and
selecting items to purchase. At the end of a shopping spree, the user would
press an on-screen button to pay using SET, automatically starting the wallet
program.
The shopper would select which credit card to use, and the wallet would
transmit the card number, purchase details, and the unique identifying
information in the certificate to the merchant's Web site, in an encrypted
form.
What happens when the transaction reaches the merchant is how SET differs
from the current browser systems. The credit-card number itself is passed
while still encrypted right to the processing bank. That means that a
sophisticated electronic thief tapping into the system, or a crooked employee
snooping in the system, will not find any valid card numbers. (This is one of
the biggest risks of the current system.)
Moreover, by validating the electronic certificate, the merchant can be
much more certain of the cardholder's identity. That means that someone who
steals a credit card from someone's wallet cannot use it to make purchases on
the Internet.
Similarly, the shopper's wallet software will examine the digital
certificate of the merchant, automatically providing a warning if the
merchant is not authorized to accept credit cards.
"SET gives people the confidence to shop with people they don't know,"
argued Steve Herz, senior vice president of Visa International Inc.
Merchants have often been the victims of what little fraud there has been
on the Internet. Yet even the merchants that have been most hurt by this
fraud say that SET is not the solution to their problems.
"It's not clear to me that SET is compelling enough for either consumers or
merchants to go out and use it," said William McKiernan, chief executive of
Cybersource, which runs an online software store that had huge losses from
fake credit cards.
The biggest issue, he said, is what will encourage consumers to get wallet
software and then download the required certificate. At first, only the
largest banks will be set up to issue the certificates at all, meaning that
millions of people will not be able to use SET even if they want to.
The big banks may be wary of pushing SET too hard, because it will cost an
estimated $3 to $5 a customer for them to sign people up for SET. Companies
like GTE Corp. are hoping to charge the banks as much as $1 each just for the
digital certificates. Most card companies are expected to absorb these costs,
although some may pass them on to their cardholders.
Similarly, the banks that provide credit-card processing services to
merchants will have to spend as much as $1 million each to set up the
software they need to process SET transactions.
And all that money gets a system that many people who have used it say is
hardly ready for prime time. "It's so slow it will lead to the electronic
equivalent of arterial sclerosis," said Roboff. In Chase's tests, SET
transactions take 30 to 40 seconds. "If you have millions of people out there
trying to use it, it will collapse under its own weight."
The delays arise from the time it takes to encrypt the information.
Moreover, the resulting information transmissions are many times longer than
those that are not encrypted.
Even more troublesome, the SET standard published by Mastercard
International Inc. and Visa is so loose that versions of SET software written
by different companies are not compatible with each other, forcing two of the
biggest companies looking to cash in on the SET software market, IBM and the
Verifone Inc. unit of Hewlett-Packard Co., to announce that they would work
together to create a true standard within the SET standard.
The card companies say they are working to speed up SET software and
resolve the compatibility issue. The bigger question is whether they will
provide tangible incentives for merchants to use it. "To get the merchants on
board, the card associations have to put their money where their mouths are,"
said Karen Epper, an analyst at Forrester Research.
Visa has decided to change its price structure in ways that are likely to
reduce the fee merchants pay for SET transactions by 3 cents to 5 cents, but
this is hardly enough encouragement, analysts said. Possibly more
significant, Visa has said merchants will have less liability for fraud in
transactions using SET than with other Internet transactions.
Yet even if merchants do want to encourage SET, experts say they would be
crazy to turn away paying customers who do not use it. And as a result, it
may do little to halt the sort of fraud it was meant to prevent.
"SET will not have 100 percent market share for a long period of time,"
Weinberg of First Data said. "You'll just move the crooks over to non-SET
transactions."
Related Sites
First Data Corp.
<A HREF="http://www.firstdatacorp.com/">http://www.firstdatacorp.com/</A>
Chase Manhattan Bank
<A HREF="http://www.chasemanhattan.com/">http://www.chasemanhattan.com/</A>
Cybersource
<A HREF="http://www.cybersource.com/">http://www.cybersource.com/</A>
MasterCard's SET site
<A HREF="http://www.mastercard.com/set/">http://www.mastercard.com/set/</A>
Copyright 1997 The New York Times
**********************************
Also, from Mr. G...
NRI continues to develop the Secure Authentication Facility (SAF) product
line to provide packaged solutions that deliver biometric authentication to
client/server systems and networks.
Because electronic commerce is being done in client server environments it
proves that NRI products are compatible with electronic commerce
applications. One of the most important components of SET is the digital
certificate. Access to digital certificates is controlled by traditional
passwords or PINs. The SAF products SAF/NT and SAF/IIS provide customers
strong authentication for SET-based transactions because access to the
digital certificate can be controlled by biometric authentication -
specifically, finger imaging. With NRI's SAF products in the system, any
time access to a digital certificate is required permission will be granted
by NRI's SAF/NT finger image-based authentication. Once access is granted,
both buyer and seller can be assured that an authorized and authenticated
person is performing the transaction.
**************************
Will be sending the Q's from investors to Mr. G in the next day or two...at this point, thete's only 3 Q's...what's wrong with you folks...
Jaffo |
