Since the advent of the Internet and the World Wide Web, a number of players have been searching for a secure way to enable payments.
SET, the specification developed by MasterCard and Visa with the advice and assistance of GTE, IBM, Microsoft, Netscape, RSA, SAIC, Terisa, and VeriSign, has been slow in its uptake due to its cumbersome protocol and its requirement for excessive processing. Complaints abound on the cost of implementing SET due to its demand for the computation power to perform complex cryptography. Cumbersome registration/enrolment procedures also concern consumer advocates and trouble bank managers who are responsible for assuring customer satisfaction.
In recognising the enormous interest buyers/consumers have in the Internet, some banks have installed Cyber Cafes in their prime branch locations. Nevertheless, the banks must accept that mobility is not part of SET.
Europay, MasterCard and Visa, who have been working on the introduction of Smart Cards based on EMV specifications to combat fraud, are currently investigating the possible integration of EMV with SET. EMV would offer increased mobility. Yet the implementation of EMV has been just as slow as that of SET. The two different PKi structures of SET and EMV also create the need for more expensive processing power and software.
Smart cards have not yet proven cost-effective in most markets. In the largest payment card market, the United States, banks are particularly concerned about the economics of EMV.
Concerned about the complexity of SET, yet under pressure to make eCommerce a reality, a number of merchants have turned to SSL as a way of securing information while it transits the Internet.
SSL is only a line encryption method between two points. SSL does not protect card details stored within the merchant server or inside the buyer's PC.
For a criminal intent on attacking the system, the easiest place to attack is the insecure web server of an unsuspecting merchant. Once inside, it is not one card that they can counterfeit, but hundreds if not thousands.
A PKi can be built on top of SSL, introducing the need to manage and authenticate public key certificates. This is fraught with politics. Defining who shall be the entity responsible for offering trusted certificates is a much-debated issue. When it involves a guarantee of payment, the banks believe they should be more responsible. When it involves assurance of identity, the question becomes more complex.
What is it about the individual that needs to be trusted? Their name? The address they give? Is it that the individual is indeed employed by the named organization?
There are issues of national versus global responsibility. PKi can support complex structures. Its "trust tree" is elegant in structure, allowing digital trust to be both global and decentralized. Unfortunately, serving this need for decentralization comes at a cost. Each layer requires incremental processing as the PC or server attempts to work its way up the tree until it finds a trusted entity that it recognizes.
As a means of authentication, SSL must establish a comprehensive trust structure. Like SET, it will require that the banks agree to a global PKi architecture. This structure is not efficient in supporting the need for product, regional and national Certification Authorities. In fact, this PKi structure will create the need for complex cryptographic authentication processes within the PC and the web servers.
SSL cannot secure card details and authenticate the counter-party.
SSL is not a solution that can give the buyer both authentication and mobility.
SSL does not meet the requirements of the financial institutions as stated in SET.
The vision behind all these current proposals for an Internet payment mechanism is very simple. It is to create an easy-to-use, irrefutable system for buyers and sellers to effect all payments over the Internet via an assortment of payment options.
However, realizing this vision has been difficult and slow. The political issues, the excessive complexity of processor-intensive approaches, the standardization issues, the inter-operational problems, and the very significant implementation costs present major obstacles to their uptake.
The result is that consumers continue to fear using the Internet as a purchasing channel.
The successful solution will be one that can meet all the demands of SET, overcome all the obstacles imposed by the complexity of SET, and deliver the mobility and security promised by EMV. At the same time, it will assure that payment details are safe, not only on the Internet but also in the insecure computers and servers connected to the Internet.