Quoting from the SET Secure Electronic Transaction Specification, Book 1: Business Description, which provides a clear description of the role of an Internet payment mechanism:
"The development of electronic commerce is at a critical juncture. Buyers' demand for secure access to electronic shopping and other services is very high. Sellers want simple, cost-effective methods for conducting electronic transactions. Financial institutions want a level playing field for software suppliers to ensure quality products at competitive prices. Payment card brands must be able to differentiate electronic commerce transactions without significant impact to the existing infrastructure. The next step toward achieving secure, cost-effective, on-line transactions to satisfy market demand is the development of a single, open industry specification."
Unicate is in full agreement with these principles but is concerned that the expense of SET will in fact hold back the forecasted growth of business-to-consumer eCommerce.
Quoting from an article published by the Shroud Partnership (1997, 1998):
"All the technical and organizational elements seemed to be in place, but from the news that has been emerging about the various pilot schemes it would seem that all is not well. Many of the problems seem to be caused by the complexity of the SET process."
They go on to say:
"In an effort to ensure that consumers are satisfied that their credit card transactions are safe, it seems that the whole process has been over-engineered. The huge collective marketing clout of the SET members will be needed to overcome consumer resistance to the complexity of the transaction and the reluctance of merchants to invest in the necessary IT services and equipment to enable it to be used."
SET embeds digital certificates and private keys in the buyer's insecure PC. This creates obstacles to the buyer's ability to shop using a diverse array of devices, such as those found at home, in the office, in a cyber cafe or at a friend's house. The owners of SETco and its advocates see the solution to this need for buyer mobility as the integration of EMV smart cards with SET. Yet, if the United States is a sample of how quickly smart card adoption will occur, it will be years before buyers have the freedom they demand.
Reviewing the status of SET implementations and visiting shops on the Internet, it is clear that there is little or no progress in SET becoming a globally accepted standard. Many banks have explored the idea of implementing SET, but with the exception of limited trials no one has begun a full-scale roll-out. Simultaneously, in conversations with vendors of SET software, interoperability between different vendor implementations is a major concern. Plans exist to alleviate this problem by the introduction of a cumbersome certification process, and as of July 1999 only one vendor can successfully state that it has a compliant implementation.
In parallel, there is a groundswell of negative opinion and publicity surrounding SET, and several major telecommunications vendors are saying they will not implement SET because of its inherent technical complexity and their belief that this complexity was intentional.
Numerous critics of SET argue that it is overly complicated and demands excessive computation power. Numerous merchants have expressed concern at the cost of implementing SET and cannot countenance the computational burden resulting from SET's public key implementation. Everyone has expressed frustration with the complexity of the SET protocol. Systems integrators, frustrated by the fact that they cannot guarantee their clients that SET implementations will be interoperable, are antagonistic towards SET. Many wonder why SET bears no resemblance to ISO 8583, the familiar payment architecture that is employed to process payment transactions. Finally, there are industry experts who ponder whether SET is yet another attempt by the payment associations to guarantee themselves revenue.
With SET's slow move from pilot into commercial deployment, many merchants have adopted SSL. They embraced SSL since it is capable of securing (within the limits of the law) the content of messages traveling between two points on the Internet. SSL is also capable of providing and performing PKI-based authentication services. SSL does not, however, secure sensitive information held inside Personal Computers and Merchant Servers once it has left the encrypted channel. These computers are the obvious and profitable weak point for hackers to attack. All this being said, SSL does not meet the security requirements of the financial institutions. Moreover, with SET being the banking system's agreed approach, this complicates using SSL as a means of authentication.
Many are looking to alternate solutions that in many cases resemble the solution Unicate is proposing, but they forget two very important factors. First, they require the existence of a complex public key architecture, which the banks must agree to support. Second, they do not have a clear solution to the issue of mobility without requiring the introduction of expensive EMV-like smart cards.
To complicate matters, there is work underway to merge SET and EMV. Many believe this merging will require that one or both specifications relinquish the objective of backward compatibility. The net result is that many existing implementations will become obsolete.
Furthermore, if EMV is to dictate the technical specifications of smart card readers associated with personal computers and other Internet access devices, the cost to the buyer will be staggering.
Not to put too fine a point on it, Microsoft has recently announced its Windows for Smart Cards operating system. It is now discussing with hardware vendors the integration of inexpensive smart card readers into every Personal Computer. This raises an interesting question: will this Microsoft Smart Card compatible reader also be EMV compliant? At this time, the answer is NO!