Domain: setco.org
Stories and comments across the archive that link to setco.org.
Comments · 7
-
Privacy makes a hard business model
Companies like Digicash (today eCash Technologies) or Zeroknowledge are having a hard time these days. eCash was shut down completely in Europe with the stop of the Deutsche Bank support (see here), ZKS let go more than 25% of their employees a couple of weeks ago, not many people are using Hushmail's premium service, etc. etc. yada yada. Everybody wants privacy, nobody wants to pay. It costs money to run a mixing network, it costs money to issue and check coins instead of just doing a LUN check to see if you CreditCard# is valid. SET was also a failure in the US. 3D Secure (see here) is coming up, protecting only the merchant, not the sensitive information of consumers. Why? Nobody wants to pay.
-
It's been triedThere have been several tries at this already. The Microsoft Wallet, circa 1998, was Microsoft's previous attempt in this direction. It was a response to the CyberCash Wallet, circa 1995. Then there was the Secure Electronic Transaction Initiative, a multivendor wallet standard which Microsoft said they would support, but didn't. None of these achieved significant use.
If this goes anywhere, it will be because Microsoft finds some way to cram it down everybody's throats, like building it into the Windows registration process. They'll probably make it free at first, then later change the customer agreement to take a cut on every transaction.
-
It's been triedThere have been several tries at this already. The Microsoft Wallet, circa 1998, was Microsoft's previous attempt in this direction. It was a response to the CyberCash Wallet, circa 1995. Then there was the Secure Electronic Transaction Initiative, a multivendor wallet standard which Microsoft said they would support, but didn't. None of these achieved significant use.
If this goes anywhere, it will be because Microsoft finds some way to cram it down everybody's throats, like building it into the Windows registration process. They'll probably make it free at first, then later change the customer agreement to take a cut on every transaction.
-
Re:Direct Authorization and other ideas
You've just described SET.
-
PrivatePayments Work/Stiff New Rules For MerchantsJust a few ramblings from my side of the desk:
AMEX Private Payments is a system of which you get a one time use number/exp date credit card number. All payments show up on your regular AMEX bill, but you give the merchant a different CC num and exp date.
I've used AMEX's Private Payments over a dozen times online, and it's worked beautfily every time. They have software for Windows that can autofill forms and authentic you via a smartcard. But, for those of us running under other OSes, they have a web page that gives out the numbers. Really easy to use. I just double click on the number, drag and drop it onto the merchant's webform. I do have to manually select the exp date, but that is always the end of the current month.
If you have an AMEX card, try using it. Saves time and limits your exposure to fraud. It also lowers the bogus charges to AMEX, so it saves them (and to a small extent me) money.
I sometimes wonder why we are in this mess to begin with. Merchants should _never_ _ever_ store your CC number online. I don't care if they claim it is for 'ease of use' or 'security'. Use the realtime CC submit, and just hang onto the transaction number. Most merchant processors support the use of just the transaction number or autherisation number to finalize the payment.
By the way, we could have one time payments already, but SET got bogged down in technical details and tried to do too much at once. Shame SET never got a chance to get up and running, but it required too much infrasture changes. Every CC user (you and me) had to get a digital certificate for our CC. It's kind of like X.500, too bloated and complex. I hope we would see a SET trimmed down to the needs, like LDAP trimmed down X.500.
I work for an industrial computing manufacture. We have millions of dollars of parts, inventory, and equipment around. Every year, in order to maintain our insurance, we have a physical audit at an unannoucned time.
I've been chatting with some of my friends about the whole CC on the internet mess, and I can tell you that merchant contracts are going to be stiffened up for online transactions ('card not present'). Most will have to get randomly audited on an IT/computer security level, plus new restrictions on keep the number 'on file'.
99% of merchants won't be able to qualify for 'on file' status unless they are using secured OS where the number never leaves the machine, but external machines can ask for it to be used or validated. Visa will also be planting 'fake' numbers in the database, some the company will know about, some it won't. If transactions start showing up on these fake numbers, heads start to roll if the merchant didn't inform Visa ahead of time.
On average, it costs a credit card company over 50 dollars to sort out the damage of a stolen number. Not only in reissuing a new card, but in stopping all the fraudluant transactions. Under the plan for the new rules, these costs would be thrown onto the merchant whose systems got cracked and the CC numbers gotten from. They would be charged a set fee per number that they every have had on file, plus they would be required to pay for the fraudlant charges that the crackers ring up. My guess is that few vendors will keep numbers around, or use a more secure backend online payment provider (YahooStore, etc).
Next Week: Privacy and Money, why didn't Chaum and ecash survive.
thanks
dunk -
Re:One step closer to...
It's called SET (for Secure Electronic Transactions, and it's been around for around 20 years and was developed by the credit card industry. I guess the industry decided that fraud is cheaper than security.
-
Re:Why give the CC# to the merchant ?What you speak of has already been envisioned. It's called SET, for Secure Electronic Transactions. It uses cryptography (both public key and symmetric) and X.509 certificates to allow a merchant to accept a credit card and get paid without ever knowing the credit card number. The bank can also pay the charge without ever knowing what the customer ordered (say, a Beowulf cluster of VIC-20's running FreeBSD, a Natalie Portman statuette, and a dozen packets of instant grits), but retains a one way hash of that order information in case of a customer dispute.
An overview and links to more detail are available at SETCo's site. (SETCo is an organization promoting the standard.)
This standards effort started in 1996 at the behest of MasterCard and Visa, apparently sometime shortly after someone there first made the observation that anyone handling a credit card has access to the number.