Secure electronic transaction

From Wikipedia, the free encyclopedia

Secure Electronic Transaction (SET) is a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET is not itself a payment system, but rather a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network in a secure fashion.

SET was developed by VISA and MasterCard (involving other companies such as GTE, IBM, Microsoft, Netscape, RSA and VeriSign) starting in 1996.

SET is based on X.509 certificates with several extensions. SET uses a blinding algorithm that, in effect, lets merchants substitute a certificate for a user's credit-card number. This allows merchants to charge customers' credit cards without ever handling the card numbers themselves.

SET makes use of cryptographic techniques such as digital certificates and public key cryptography to allow parties to identify themselves to each other and exchange information securely.

SET was heavily publicised in the late 1990s as the standard endorsed by the credit card companies, but failed to win market share. Reasons for this include:

  • Network effect: the need to install client software (an eWallet).
  • Cost and complexity for merchants to offer support, compared with the low cost and simplicity of the existing, adequate SSL-based alternative.
  • Client-side certificate distribution logistics.

SET was expected to become the de facto standard payment method on the Internet between merchants, buyers, and credit-card companies. When SET is used, the merchant itself never has to know the credit-card number sent by the buyer, which is a benefit for e-commerce.

Business requirements

Book 1 of the SET specification lists the following business requirements for secure payment processing with credit cards over the Internet and other networks:

  • Provide confidentiality of payment and ordering information
  • Ensure the integrity of all transmitted data
  • Provide authentication that a cardholder is a legitimate user of a credit card account
  • Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution
  • Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
  • Create a protocol that neither depends on transport security mechanisms nor prevents their use
  • Facilitate and encourage interoperability among software and network providers

Key features

To meet the business requirements, SET incorporates the following features:

  • Confidentiality of information
  • Integrity of data
  • Cardholder account authentication
  • Merchant authentication

Participants

A SET system includes the following participants:

Transaction

The sequence of events required for a transaction is as follows:

  1. The customer obtains a credit card account with a bank that supports electronic payment and SET.
  2. The customer receives an X.509v3 digital certificate signed by the bank.
  3. Merchants have their own certificates.
  4. The customer places an order.
  5. The merchant sends a copy of its certificate so that the customer can verify that it is a valid store.
  6. The order and payment are sent.
  7. The merchant requests payment authorization.
  8. The merchant confirms the order.
  9. The merchant ships the goods or provides the service to the customer.
  10. The merchant requests payment.

Dual signature

An important innovation introduced in SET is the dual signature. The purpose of the dual signature is the same as that of a standard digital signature: to guarantee the authentication and integrity of data. In addition, it links two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order. The link is needed so that the customer can prove that the payment is intended for this order.
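The following is an added example (not code from the article or from the SET specification) showing how the dual signature links PI and OI: the cardholder signs the digest of the two concatenated message digests, H(H(PI) || H(OI)), and each recipient gets only its own message in clear plus the other message's digest, which is enough to recompute the signed value. The function and type names are chosen here; SHA-256 and RSA PKCS#1 v1.5 stand in for the hash and signature algorithms of the original 1990s specification, and the PI and OI strings are constructed sample data rather than real SET message encodings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// digest returns SHA-256 of data. Assumption: SHA-256 replaces the hash of the
// original specification, since SHA-1 is no longer acceptable under a signature.
func digest(data []byte) []byte {
	s := sha256.Sum256(data)
	return s[:]
}

// pomd computes the combined digest that is actually signed: H(H(PI) || H(OI)).
func pomd(pimd, oimd []byte) []byte {
	return digest(append(append([]byte{}, pimd...), oimd...))
}

// DualSignature is produced once by the cardholder and attached to both
// messages: one signature over the combined digest of PI and OI.
type DualSignature struct {
	PIMD []byte // H(PI), sent to the merchant instead of the PI itself
	OIMD []byte // H(OI), sent to the bank instead of the OI itself
	Sig  []byte // cardholder's signature over pomd(PIMD, OIMD)
}

// NewCardholderKey generates the cardholder's signing key; in SET the bank-issued
// certificate would bind the public half of this key to the card account.
func NewCardholderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign produces the dual signature over the payment and order information.
func Sign(priv *rsa.PrivateKey, pi, oi []byte) (DualSignature, error) {
	ds := DualSignature{PIMD: digest(pi), OIMD: digest(oi)}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, pomd(ds.PIMD, ds.OIMD))
	if err != nil {
		return DualSignature{}, err
	}
	ds.Sig = sig
	return ds, nil
}

// MerchantVerify is run by the merchant, who receives the cleartext OI plus
// PIMD and Sig, but never the PI (and so never the card number).
func MerchantVerify(pub *rsa.PublicKey, oi, pimd, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, pomd(pimd, digest(oi)), sig) == nil
}

// BankVerify is run by the bank, which receives the PI plus OIMD and Sig,
// but never the order details.
func BankVerify(pub *rsa.PublicKey, pi, oimd, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, pomd(digest(pi), oimd), sig) == nil
}

func main() {
	priv, err := NewCardholderKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample messages (the PAN is a well-known test number);
	// real PI and OI would be encoded SET structures.
	pi := []byte("PAN=4111111111111111;exp=12/29;amount=49.99")
	oi := []byte("order=1234;item=widget;qty=1;amount=49.99")

	ds, err := Sign(priv, pi, oi)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant accepts order:", MerchantVerify(&priv.PublicKey, oi, ds.PIMD, ds.Sig))
	fmt.Println("bank accepts payment:  ", BankVerify(&priv.PublicKey, pi, ds.OIMD, ds.Sig))

	// The link in action: this payment cannot be presented to the bank with a
	// different order's digest, and the merchant cannot alter the order afterwards.
	otherOIMD := digest([]byte("order=9999;item=gadget;qty=3;amount=999.00"))
	fmt.Println("bank accepts swapped order:    ", BankVerify(&priv.PublicKey, pi, otherOIMD, ds.Sig))
	alteredOI := []byte("order=1234;item=widget;qty=2;amount=49.99")
	fmt.Println("merchant accepts altered order:", MerchantVerify(&priv.PublicKey, alteredOI, ds.PIMD, ds.Sig))
}
```

Each verifier recomputes the digest of the message it was given in clear, combines it with the digest it was handed for the other message, and checks the single signature; a mismatch on either half fails both checks, which is exactly the property that lets the cardholder prove this payment belongs to this order without disclosing the PI to the merchant or the OI to the bank.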
