Appendix 9 - SET Clear Motivations & Technically Complex

Quoting from SET Secure Electronic Transaction Specification Book 1: Business Description it provides a clear description of the role of an Internet payment mechanism

" The development of electronic commerce is at a critical juncture.

*†† Buyerís demand for secure access to electronic shopping and other services is very high.

*†† Sellers want simple, cost-effective methods for conducting electronic transactions.

*†† Financial institutions want a level playing field for software suppliers to ensure quality products at competitive prices.

*†† Payment card brands must be able to differentiate electronic commerce transactions without significant impact to the existing infrastructure.

*†† The next step toward achieving secure, cost-effective, on-line transactions to satisfy market demand is the development of a single, open industry specification."

Unicate is in full agreement with these principles but is concerned that the expense of SET will in fact hold back the forecasted growth of business to consumer-based eCommerce.Quoting from an article published by the Shroud Partnership stated in 1997, 1998:

"All the technical and organizational elements seemed to be in place, but from the news that has been emerging about the various pilot schemes it would seem that all is not well.Many of the problems seem to be caused by the complexity of the SET process."

They go on to say:

"In an effort to ensure that consumers are satisfied that their credit card transactions are safe it seems that the whole process has been over-engineered.The huge collective marketing clout of the SET members will be needed to overcome consumer resistance to the complexity of the transaction and the reluctance of merchants to invest in the necessary IT services and equipment to enable it to be used."

SET embeds digital certificates and private keys in the buyer's insecure PC.This creates obstacles to the buyer's ability to shop using a diverse array of devices such as those found at home, in the office, in a cyber cafe or at a friendís house.The owners of SETco and its advocates see the solution to this need for buyer mobility as the integration of smart cards "EMV" with SET.Yet, if the United States is a sample of how quickly smart card adoption will occur, it will be years before buyers have the freedom they demand.

Reviewing the status of SET implementations and visiting shops on the Internet, it is clear that there is little or no progress in SET becoming a globally accepted standard.Many banks have explored the idea of implementing SET but with the exception of limited trials no one has begun a full scale roll-out.Simultaneously, when talking with vendors of SET software interoperability between different vendor implementations is a major concern.Plans exist to alleviate this problem by the introduction of a cumbersome certification process and as of July 1999 only one vendor can successful state that it has a compliant implementation.

In parallel, there is a ground swell of negative opinion and publicity surrounding SET and several major telecommunications vendors are saying they will not implement SET because of its inherent technical complexity and their belief that this complexity was intentional.

Numerous critics of SET argue that it is overly complicated and demands excessive computation power.Numerous merchants have expressed concern at the cost of implementing SET and cannot countenance the computational burden resulting from SETís public key implementation.Everyone has expressed frustration with the complexity of the SET protocol.Systems integrators, frustrated by the fact they cannot guarantee their clients that the SET implementations will be interoperable, are antagonistic towards SET.Many wonder why SET bears no resemblance to ISO 8583, the familiar payment architecture that is employed to process payment transactions.Finally, there are industry experts that ponder if SET is yet another attempt by the payment associations to guarantee themselves revenue.

With SET's slow move from pilot into commercial deployment, many merchants have adopted SSL.They embraced SSL since it is capable of securing (within the limits of the law) the content of messages traveling between two points on the Internet.SSL is also capable of providing and performing PKi based authentication services.SSL does not secure sensitive information held inside Personal Computers and Merchant Servers.These computers are the obvious and profitable weak point for hackers to attack.All this being said SSL does not meet the security requirements of the financial institutions.Moreover, with SET being the banking systems agreed approach this complicates using SSL as a means of authentication.

Many are looking to alternate solutions that in many cases resemble the solution Unicate is proposing but they forget two very important factors.First, they require the existence of a complex public key architecture, which the banks must agree to support.Second, they do not have a clear solution to the issue of mobility without requiring the introduction of expensive EMV like smart cards.

To complicate matters, there is work underway to merge SET and EMV.Many believe this merging will require that one or both specification will have to relinquish its objective of backward compatibility.-Net result many existing implementations will become obsolete.

Furthermore, if EMV is to dictate the technical specifications of smart card readers associated with personal computers and other Internet access devices the cost to the buyer will be staggering.

Not to put to fine a point on it, Microsoft has recently announced its Windows for Smart Card operating system.It is now discussing with hardware vendors the integration of inexpensive smart card readers into every Personal Computer.This begs an interesting question; will this Microsoft Smart Card Compatible reader also be EMV compliant?-At this time, the answer is NO!

SET PKi flow chart as explained at a conference by Racal Security Systems