SET and SSL are not competing protocols. Though they are frequently represented as being competing protocols, they are very different. In fact if they are presented in an article as competing protocols, it is a glaring clue that the author of that article does not understand what is going on.

Over the last few months a lot of newsprint and electrons have been expended about the reluctance of the Irish banks to engage in E-Commerce. Much of this reluctance can be attributed to a fear of innovation. Banking is a very conservative business. Some of the reluctance seems to be due to fear of fraud. Perhaps they were burned with their own bumbling attempts at internet shopping malls. The glacial pace at which banks seem to move is largely unsuited to the internet. By waiting for SET to be implemented, the banks have largely given a free reign to alternative methods. On the internet, widely accepted methods have a habit of  turning into de-facto standards. However these alternative methods are fundamentally different to SET.

On a recent RTE news report, VISA was quoted as saying that 50% of its fraudulent transactions are internet related. The same report detailed a number of fraudulent transactions on an Irish credit card. The transactions were apparently for some sites known to use SSL.

The banks have apparently refused to give new creditcard merchant accounts to internet start-up companies. The result is that many of the businesses in Ireland are now making arrangements with foreign banks to process creditcard orders. The best example of this is the WorldPay operation. However despite the all the feigned exasperation in newsprint, the transactions all have one thing in common - they are treated as card-absent transactions by the banks.

All of the e-money ventures so far seem to have failed because of the lack of universal backing from the banks. The SET may signal a move towards a real electronic currency as it has the idea of identity built into the system. The irrevocable SET digital certificate is intended to inspire the same level of confidence as knowing that the five pound note in your pocket is not a forgery.

With SSL, there is no proof of identity. It is merely encryption. Encrypted fake information is still fake. With SET there is proof of identity. The card user is who he says he is and the merchant is who he says he is. SET is a payment assurance product where as SSL is not. Thus a credit card transaction via SSL is still treated as a card absent transaction with all the risks associated with such a transaction. The SET transaction will be treated by the bank as if there is a creditcard present.

The banks are reluctant to grant merchant accounts to internet businesses because the transactions are invariably card-absent ones and thus have a percentage of fraud. The fact that an ISP or virtual server provider has SSL as an option is a red herring.

Where SET falls down is with all the talk of smartcards. Smartcards are impractical when compared to entering in a credit card number. Everything tends towards simplicity and unless computers are sold with smartcard slots built in then smartcard based SET is not necessarily the way things will go. A more logical e-commerce solution is the token based one. This is a small calculator sized device. You are presented with a challenge number on screen and you enter it into the token. It returns a response number which you enter into the computer and the transaction takes place. Alternatively the process could be handled by an electronic wallet on the computer but that would not be the most secure way as Windows 95 and Windows 98 are not secure systems.

It looks like SET is very much the infrastructure for a true electronic currency or at least a true internet payment assurance system and over the next few years there is going to be a major battle to have it implemented. The banks' credit card handling divisions may eventually announce a phase-out date for card-absent transactions for anything other than mail order forcing internet retailers  to move to SET whether they want to or not.