Is the Web Set for SET?

The industry is busily developing electronic-transaction technology that nobody needs

How to tell a proposed networking standard will be DOA:

If I were writing this in 1987, I would probably be writing about OSI, the infamous Open Systems Interconnect that was designed by committee and mandated by world governments, but which turned out to be a nightmare for the people who actually tried to make it work. But it's 1997, and I'm writing about SET, the Secure Electronic Transactions protocol. This time, the standard is being mandated by banks and credit-card companies as the only true way to promote electronic commerce while simultaneously protecting credit-card numbers from theft and abuse.

To an engineer, SET makes a lot of sense. The protocol is designed to let Internet users buy things from merchants over the Web in such a way that the merchant never sees the consumer's credit card, and the bank never knows what the consumer actually ordered from the merchant. SET theoretically fosters commerce by protecting privacy.
Accomplishing this feat of magic requires a lot of work. To use SET, consumers have to manually type their credit-card numbers into a special "wallet" program on their computers. (Right now, wallets are implemented as helper applications for browsers, but eventually they will be bundled into Web browsers, and probably into operating systems as well.) When a consumer wants to buy something, she clicks on a link, and the merchant sends her a special file with a particular MIME type that describes what the consumer is purchasing. The consumer's computer takes the file and computes a cryptographic hash of it. The consumer's computer also encrypts the consumer's purchase instruction, which includes the credit-card number and other information. Both parts are then signed, encrypted, and sent off to the merchant.
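The two-part message built here, and the merchant and bank handling the column describes next, rest on what the SET specification calls a dual signature: one signature over the hashes of both halves, so each party can verify its half while holding only a digest of the other. The sketch below is an added example, not code from the column or from any SET implementation; it goes beyond the column's description by showing the verification on both sides, omits the encryption layer, and uses a toy textbook-RSA key and constructed sample data as assumptions.

```python
import hashlib

# Toy textbook-RSA key standing in for the cardholder's signing key (NOT secure).
# The Mersenne primes 2**127-1 and 2**107-1 are used only so this runs offline
# with the standard library; the function and field names are hypothetical.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()  # 160-bit hash of SET's era, fits below N

def sign(md: bytes) -> int:
    return pow(int.from_bytes(md, "big"), D, N)

def sig_ok(md: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(md, "big")

def wallet_build(order_info: bytes, payment_info: bytes):
    """Consumer side: a single signature binds the order to the payment."""
    oimd, pimd = digest(order_info), digest(payment_info)
    dual_sig = sign(digest(pimd + oimd))
    to_merchant = {"oi": order_info, "pimd": pimd, "sig": dual_sig}
    for_bank = {"pi": payment_info, "oimd": oimd, "sig": dual_sig}
    return to_merchant, for_bank

def merchant_verify(msg) -> bool:
    # The merchant holds the order plus only a digest of the payment half.
    return sig_ok(digest(msg["pimd"] + digest(msg["oi"])), msg["sig"])

def bank_verify(msg) -> bool:
    # The bank holds the payment half plus only a digest of the order.
    return sig_ok(digest(digest(msg["pi"]) + msg["oimd"]), msg["sig"])

if __name__ == "__main__":
    oi = b"order: 1 widget, total 19.95 USD"            # constructed sample
    pi = b"card 4111111111111111 exp 12/99 19.95 USD"   # constructed test number
    to_merchant, for_bank = wallet_build(oi, pi)
    print("merchant accepts:", merchant_verify(to_merchant))
    print("bank accepts:", bank_verify(for_bank))
    # Altering the amount in the payment half breaks the shared signature.
    altered = dict(for_bank, pi=pi.replace(b"19.95", b"1999.50"))
    print("bank accepts altered payment:", bank_verify(altered))
```

In the protocol itself the bank's half is additionally encrypted so that the merchant forwards it without being able to read it; that layer is left out here to keep the binding visible.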
The merchant decrypts the half that contains the information on what the consumer wishes to buy, and sends the other half off to its bank. The merchant's bank decrypts that other half, verifies the consumer's credit-card information, authorizes the charge, and encrypts and sends a reply to the merchant. The merchant decrypts the reply from the bank, verifies it, and then sends a confirmation to the consumer.

Sound complicated? It is. SET is a full-employment act for highly paid software engineers, who just happened to have designed it. As a result, it's a technically sweet solution to a number of problems that don't exist in the real world of electronic commerce.

First, SET was supposed to let merchants process credit cards without giving them access to credit-card numbers. Theoretically, this would have allowed hundreds of thousands of new companies like Jim's Midnight Software to accept credit-card numbers without going through extensive screening by banks. What the engineers didn't realize is that it isn't very hard for a legitimate business to jump through these hoops, and most banks would rather not deal with businesses and individuals that can't or won't. Hell, even phone-sex operators and prostitutes can take Visa and MasterCard these days. The fact is, if you can't pass a bank's screening procedures to become a credit-card merchant, then the bank isn't likely to make that much money by working with you.

Merchants are doing business on the Web without SET just fine, thank you, by having consumers type their credit-card numbers into forms and then transmitting the payment information using SSL. SET also pales when compared with First Virtual's payment system, which provides security by keeping credit-card numbers completely off the Net in the first place.
But the real reason I think SET is doomed is that I don't think consumers will feel comfortable typing their credit-card numbers into a computer and then just clicking a button to buy something: I think consumers want the control that comes with taking out their wallets, typing in their credit-card numbers, and clicking a button to send the information. It's really amusing to see companies like Visa, MasterCard, Microsoft, Netscape, OpenMarket, and other electronic-commerce players spend tens of millions of dollars creating SET technology and implementing the standard, while privately telling me and each other that they know this technology will never be used. SET is destined to become a check-box item whose only real function is to make technology vendors waste their time developing stuff that nobody uses.
Talk back to Simson Garfinkel in his column's Threads. Illustration by Dave Plunkert
Copyright © 1994-2001 Wired Digital Inc., a Lycos Network site. All rights reserved.