Merkow, WL040 / Bidgoli Vol. I, June 20, 2003
The EasySET wallet supported SET transactions for Eurocard/Mastercard and Visa cards issued by Banesto. The wallet was a free download for Banesto's customers, using a "click-and-go" interface that enabled a one-step download of SET cardholder certificates.
When customers used a SET-enabled credit card for payment, the EasySET POS system and payment gateway went to work at the Banesto site. Because the heavy-lifting work needed by the wallet is housed and maintained on Banesto's systems, any upgrades to that software are completely transparent to users. Additionally, the SafeLayer wallet supported the Electronic Commerce Markup Language (ECML) to speed up checkout processing through autofill of merchant Web forms. Banesto also offered for free the CiberTienda shopping cart system and Virtual POS as open source downloads under the GNU General Public License.
In compliance with the SET specification, the EasySET system offers the full complement of the SET messaging protocol to keep credit card information from falling into the wrong hands. It also supports the use of SSL where SET is unavailable for a cardholder's registered cards. Cardholders need only download and install the SafeLayer wallet (around 500 Kbytes) and register their cards for SET enablement. Merchants download and install the Banesto Virtual POS along with the CiberTienda shopping system, or within their existing e-commerce software. Multiple merchants can share the same POS software, provided that each merchant obtains and manages its own unique pair of SET digital certificates, which are needed for the transaction and settlement steps. Banesto serves as both the merchant CA and the cardholder CA. As of mid-2002, EasySET was still in use in Spain.

Dutch Trials
I-Pay with SET was the first widespread commercial implementation of SET in the Netherlands, offered through Interpay Nederland B.V. in conjunction with Dutch banks, for debit or giro accounts using Maestro and for Eurocard/Mastercard credit card accounts.

I-Pay offered Dutch merchants the security of SET with the additional benefit of accepting cross-border transactions from non-Dutch customers. I-Pay payments are processed within the I-Pay wallet when a customer selects either a Maestro account (debit) or a Eurocard/Mastercard account (credit) as the form of payment. The I-Pay wallet prompts the user to enter a password to unlock the wallet, checks the balance on the account or the open-to-buy amount, and then challenges the user to prove legitimate ownership of the account. This step occurs in one of two ways: either a PIN-protected smart card is required, or a bank-supplied digital token is used to generate a one-time password once the buyer enters the correct secret. This two-factor authentication of the buyer (something one has plus something one knows) is sufficient proof for the banks that honor I-Pay with SET, so completed payments are irreversible, which helps merchants gain confidence in debit and credit card payments via the Internet.
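The buyer-side sequence just described (unlock the wallet with a password, check open-to-buy, then answer a bank challenge with a one-time password from a secret-bearing token) as an added worked example. This is illustration code, not I-Pay or SET software: the token algorithm (HMAC-SHA256 over a bank-issued single-use challenge, truncated to six digits), the PBKDF2 password verifier, and the names Wallet, Bank, Token and pay are all assumptions; the page does not describe the real token's algorithm.

```python
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    # Password verifier for the wallet (assumed design): PBKDF2 so that a
    # copied wallet file does not hand over the unlock password directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _otp_from(seed: bytes, challenge: bytes) -> str:
    # Assumed token algorithm: HMAC-SHA256 over the bank's challenge,
    # truncated to six decimal digits.  Not the real I-Pay token design.
    mac = hmac.new(seed, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Wallet:
    """Buyer's wallet: 'what one knows' is the unlock password."""

    def __init__(self, password: str, accounts):
        self._salt = os.urandom(16)
        self._verifier = _derive(password, self._salt)
        self.accounts = set(accounts)
        self.unlocked = False

    def unlock(self, password: str) -> bool:
        candidate = _derive(password, self._salt)
        self.unlocked = hmac.compare_digest(candidate, self._verifier)
        return self.unlocked


class Token:
    """Bank-supplied token: 'what one has'.  It answers a challenge only
    after its own PIN has been entered correctly."""

    def __init__(self, pin: str, seed: bytes):
        self._pin = pin
        self._seed = seed

    def otp(self, pin: str, challenge: bytes):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None  # wrong PIN: the token releases nothing
        return _otp_from(self._seed, challenge)


class Bank:
    """Issuer side: balances, issued token seeds, outstanding challenges."""

    def __init__(self):
        self._seeds = {}
        self._balances = {}
        self._pending = {}  # account -> single-use challenge nonce

    def enroll(self, account: str, pin: str, balance: int) -> Token:
        seed = os.urandom(32)
        self._seeds[account] = seed
        self._balances[account] = balance
        return Token(pin, seed)

    def open_to_buy(self, account: str) -> int:
        return self._balances[account]

    def challenge(self, account: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[account] = nonce  # a fresh challenge replaces any older one
        return nonce

    def authorize(self, account: str, amount: int, otp) -> bool:
        nonce = self._pending.pop(account, None)  # consumed: a replayed OTP fails
        if nonce is None or amount > self._balances[account]:
            return False
        expected = _otp_from(self._seeds[account], nonce)
        if not hmac.compare_digest((otp or "").encode(), expected.encode()):
            return False
        self._balances[account] -= amount  # final once authorized
        return True


def pay(wallet: Wallet, bank: Bank, token: Token, account: str,
        amount: int, password: str, pin: str) -> str:
    """Buyer-side flow in the order the text describes: unlock the wallet,
    check open-to-buy, then prove possession of the token.  Returns a status."""
    if account not in wallet.accounts:
        return "unknown account"
    if not wallet.unlock(password):
        return "wallet locked"
    if amount > bank.open_to_buy(account):
        return "insufficient funds"
    nonce = bank.challenge(account)
    otp = token.otp(pin, nonce)
    if otp is None:
        return "token refused PIN"
    return "paid" if bank.authorize(account, amount, otp) else "declined"


if __name__ == "__main__":
    bank = Bank()
    tok = bank.enroll("maestro-1", pin="4321", balance=100)  # constructed sample account
    wallet = Wallet("correct horse", ["maestro-1"])
    print(pay(wallet, bank, tok, "maestro-1", 40, "correct horse", "4321"))
    print(pay(wallet, bank, tok, "maestro-1", 40, "correct horse", "0000"))
```

Two details carry the security property the text relies on. The bank pops the challenge before verifying, so an OTP captured in transit cannot be replayed for a second payment, and the token stays silent on a wrong PIN, so a stolen token without its secret never produces an OTP at all. Neither factor alone authorizes anything.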
Merchant Web servers must run a piece of software called the Digital Till Point of Sale (POS) system to communicate with both the I-Pay wallet and the I-Pay payment acquirers. To accept I-Pay payments, merchants must also enter into connection agreements with Maestro for debit or giro accounts and with Eurocard/Mastercard for credit card transactions. As a merchant bank, Interpay Nederland B.V. offers both types of accounts to Dutch companies.

Struggles to Keep SET Pertinent
Suggestions for different mechanisms to implement SET continued to crop up, including one called merchant-originated SET, or MOSET. MOSET eliminates cardholder certificates and reuses many of the traditional payment system processes: SET messages pass between the merchant POS and the acquirer, whereas the cardholder uses SSL to communicate with the merchant. Dropping the cardholder certificate removes the cardholder authentication that was SET's main advantage over plain SSL, leaving only the merchant-to-acquirer leg protected by SET. Other proposed changes for SET Version 2.0 attempted to address some of the concerns with SET Version 1.0 and add new features, including these:

- Japanese payment option (JPO) to support extended character sets,
- Merchant-originated authorizations,
- Online personal identification number (PIN) extensions, and
- CVV2/CVC2 extensions to accommodate the card associations' new card-verification fraud prevention schemes (CVV2 is Visa's term, CVC2 is Mastercard's).

Other enhancements to SET that were planned included these:

- Support for chip cards (smart cards);
- An architecture to support debit cards with SET; and
- Chip electronic commerce (CEC) to add SET messaging to the Europay, Mastercard, and Visa (EMV) specifications for chip-card payments on EMV-compatible terminals. CEC was designed as an extension to EMV (prevalent in POS systems in Europe and South America) for use on the Internet.

SET Version 2.0 never saw the light of day.
By the middle of 2002, SET had completely failed to catch on in the U.S., and it continued to languish in most international markets. In Spain, the Netherlands, and Finland, however, SET appears to have gained some traction: dozens of merchants are SET-compliant, and the market appears to be growing.

LESSONS LEARNED AND NEW DIRECTIONS IN SECURE ONLINE PAYMENTS
The card associations eventually realized that SET would not succeed in the U.S., took what they learned from the experience, and went back to the drawing board. In the fall of 2001, Visa emerged with a new specification to support secure online credit card payments, called Verified by Visa, or VbV. VbV is based on the 3D-Secure payer authentication protocol, designed to authenticate cardholder identities—in real time—at the