Visa USA has dumped the difficult-to-implement SET (Secure Electronic Transaction) specification for Internet credit card transactions. Instead, the credit card company will take part in Visa International's newly announced "Secure e-Commerce Initiative" to leverage improvements in technology and best practices to provide greater security and authentication for global e-commerce transactions. Visa USA, however, will implement the initiative differently than the rest of the world. While most Visa merchants will still use SET as part of the new initiative, Visa USA will instead use SSL (Secure Sockets Layer).
"Ultimately, we want to bring an extra measure of confidence to the Internet by delivering higher levels of security," said Philip Yen, executive VP for Visa's Internet and Access Channels group. "This initiative builds upon many of the security and authentication measures we have already developed for the Web."
The initiative has two components. First, the Payment Authentication Program (PAD) is designed to reduce the risk of unauthorized use of a cardholder account and to improve customer service for buyers and sellers on the Web. Second, the Global Data Security Program (GDSP) establishes standards and best practices for e-commerce merchants, allowing them to better ensure the security of cardholder data on their sites.
The PAD is based on Visa's recent "3-Domain" model. Using a globally interoperable approach to authentication, the model provides participants with the confidence that an Internet transaction has been conducted by legitimate parties, thus reducing the potential for disputes.
Visa's European region announced deployment of the 3-Domain model for implementing server-based SET in the European market, with full implementation scheduled for 2001. The Visa Latin America and Caribbean region also endorsed the 3-Domain model for server-based SET. Meanwhile, Visa USA will pilot a new 3-Domain SSL-based authentication protocol beginning this summer.
The GDSP will include a series of standards and guidelines for e-commerce transactions that both buyers and sellers should follow. A self-certification tool will be provided for merchants to evaluate and improve security on their sites as part of the GDSP.
The SET protocol had been hailed as a way for e-commerce transactions to take place securely. Unfortunately, the very structure that makes SET so secure has prevented more merchants, especially in the U.S., from adopting it. In an interview last year, Crown Management Services CEO Chuck Crawford explained "that for SET to work, the issuing banks need to issue a unique ID to each card customer, which only could be issued in person, obviously, for security reasons. This would be a massive and expensive undertaking."
Visa International officials expect the initiative to reduce Internet transaction disputes by up to 50 percent.