By Charlotte Dunlap
Armonk, N.Y. -- The security community is up in arms after IBM Corp. and VeriFone Inc. unveiled earlier this month plans to add their own revision to the IEFT-approved credit-card specification SET.
The two commerce giants said the Secure Electronic Transactions (SET) credit-card payment security standard did not offer vendors interoperability so they in turn would offer their own reference spec to the public domain around mid-1998.
Vendors said IBM and VeriFone were motivated to create a revision of SET due to internal problems creating SET-compliant products. By authoring a new set of guidelines to SET, vendors said, IBM and VeriFone are making the industry comply with their own set of technologies vs. adhering to a neutral specification that received the IETF's stamp of approval.
"I think this announcement is unhelpful and conflicts with the established SET standardization and certification process. It comes from two of the largest payment system vendors, who have had great difficulty in fielding SET-compliant products," said Allan Schiffman, chief technology officer for Terisa Systems Inc., Menlo Park, Calif. "I can't help but think that this PR effort is primarily intended to draw attention away from the difficulties they have had with their products. "
In an E-mail letter sent via a public mailing list and addressed to executives of Visa International and MasterCard International-the backers of the SET specification-Tim Sullivan, vice president and chief technology officer of Maithean, condemned the credit-card giants for endorsing the IBM-VeriFone move.
"The IBM-VeriFone announcement is a self-serving marketing ploy by IBM and VeriFone to influence and manipulate the SET marketplace, specifically financial institutions, merchants and consumers. Your endorsement of and participation in such a plan, regardless of how passive, is in direct conflict with the espoused values and official positions of both Visa and MasterCard as well as the guiding principles of SET," Sullivan said.
He said Visa and MasterCard were responsible for maintaining vendor neutrality and for maintenance of an open vendor forum for SET encouraging widespread vendor participation.
In addition to Visa and MasterCard, the SET standard was initially created by IBM, Microsoft Corp., Netscape Communications Corp. and others to ensure interoperability of products in three areas of electronic commerce:at the gateway in front of financial institutions' systems; at the merchant location; and on the wallet side, which is technology residing on a user's PC.
Officials from Netscape and Microsoft said they support the effort. However, these two companies do not compete with IBM and VeriFone at the security technology level as Terisa does.
"The whole purpose of SET is to move toward that direction [of interoperability], but the problem is companies today are creating gateways that don't necessarily work with the payment component for merchant-side applications," said Jonathan Weinstein, lead product manager for Site Server commerce marketing, Microsoft.
He said Microsoft is not worried about IBM and VeriFone having an unfair competitive advantage by issuing the specification. "There's no need for payment technology companies to fight over shelf space when we're still trying to build the supermarket," he said.
IBM and VeriFone are a major driving force in the electronic-commerce arena, supplying a range of hardware and software technology to merchants and financial institutions.
George Hoyem, vice president and general manager of the Internet division, VeriFone, a subsidiary of Hewlett-Packard Co., defended the move and likened it to spec additions made to the 56-Kbps modem standards.
"Even though standards bodies create the framework, it's only tight collaboration among the industry that can drive products together," Hoyem said.
Copyright (c) 1997 CMP Media Inc.
CryptoSoft GmbH
Postfach 171
D-61444 Steinbach/Ts.
Fon/Fax: +49 6171 980 4831
Feedback: webmaster@cryptosoft.com
Copyright ©1995-1998 Cryptosoft GmbH
All Rights Reserved