Secure Electronic Transaction (SET)
A protocol designed to ensure the security and integrity of online communications and purchases, Secure Electronic Transaction (SET) uses digital certificates, issued to merchants and other businesses and customers, to perform a series of security checks verifying that the identity of a customer or sender of information is valid. SET provides the basic framework within which many of the various components of securing digital transactions function. Digital certificates, digital signatures, and digital wallets all function according to the SET protocol.
The SET protocol has several components:
- The Cardholder Application, also referred to as a digital wallet, is held by an online consumer and packages a digital signature and credit card information that ensures his or her identity and safeguards his or her financial information through a complex encryption system.
- The Merchant Server component is the verification product held by the merchant to process the online card payment.
- The Payment Gateway component is held by an acquiring bank or other trusted third party that accepts and processes the merchant's verification and the customer's payment information and filters them to their appropriate financial institutions.
- The Certificate Authority component, usually run by a financial institution, is the trusted agent that issues the digital certificates and is responsible for ensuring that all users of digital certificates are in fact secure and trustworthy customers.
Once a security product for any of these components has passed the SET Compliance Testing, it bears the SET Mark, assuring all users that it meets the SET standards.
SET is an open standard available to anyone engaged in electronic commerce. MasterCard International and Visa International, recognizing that security was the key to the widespread use of credit cards for e-commerce, developed the SET protocol, which was launched on February 1, 1996. The first version of the SET Specification was published in May 1997. In December of that year, the credit-card giants and other major players in the e-commerce world, including Microsoft, Netscape, and IBM, set up a company called SET Secure Electronic Transaction LLC (SETCo) to maintain and implement the SET specification, administer compliance testing, and foster the increased global adoption of the SET standard.
Following the great fanfare that accompanied its launch, the adoption of the SET protocol proved greatly disappointing, and the standard was passed over in favor of rival protocols such as the Secure Sockets Layer (SSL) encryption scheme. The primary obstacle to SET's widespread adoption in the United States and Europe in the late 1990s was that bankers and merchants did not feel that fraud and security breaches posed so substantial a threat as to make the turn toward SET worthwhile. SET's procedures were viewed as too cumbersome to implement relative to comparable security protocols, and even though SET was ultimately the strongest technology for securing online payments, businesses tended toward the less sophisticated models as a means of establishing an online presence. As Barbara Smiley, research director at Newton, Massachusetts-based Meridien Research Inc., told Computer World in 1999, "for most people, SET is a nuclear warhead for a problem that may only need a cruise missile." SET was widely seen as too inflexible for what merchants regarded as only a mild threat of online-payments fraud.
By the 2000s, however, reports of credit-card fraud and abuse rekindled interest in the SET protocol, and companies and card suppliers began integrating SET into their transaction systems. One factor helping the resurgence of the SET standard in the early 2000s was the switch from client-side digital wallets to server-side wallets, allowing for far greater flexibility in their use and for data storage. And as more and more consumers opt to use debit cards, rather than credit cards, for their online purchases, the demand for tighter security will only escalate. In credit-card transactions, the payment is actually drawn from a line of credit provided by the card issuer, while, for debit-card payments, it is the consumer's own money that is directly involved. Therefore, nervous customers will require the strongest possible security protocol for their online payments.
"SET Secure Electronic Transaction LLC." Purchase, NY: SET Secure Electronic Transaction LLC, 2001. Available from www.setco.org.
Larsen, Amy K. "It Pays to Be Secure." Information Week, May 31, 1999.
Marlin, Steve. "SET Making Slow Progress in Banking Arena." Bank Systems & Technology, August, 1999.
Morgan, Cynthia. "Dead Set Against SET?" Computer World, March 29, 1999.
Murphy, Patricia A. "Fighting Internet Card Fraud." Credit Card Management, July, 2000.
Rolfe, Richard. "Debit Cards on the Internet." Credit Card Management, November, 1999.
SEE ALSO: Acquiring Bank; Certificate Authority; Cryptography; Digital Certificate; Digital Signature; Digital Wallet; Electronic Payment; Encryption; Transaction Issues