Secure Electronic Transaction (SET)
The secure electronic transaction (SET) protocol is the protocol used to facilitate the secure transmission of consumer credit card information over insecure networks, such as the Internet. SET blocks out the details of credit card information, thus preventing merchants, hackers and electronic thieves from accessing this information. SET was developed by SETco, led by VISA and MasterCard starting in 1996. SET was based on X.509 certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.
SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Secure Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (PKI). SET allowed parties to identify themselves to each other and exchange information securely. SET used a cryptographic blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number.
Key Features of SET
Confidentiality of Information
From an IT security management perspective, confidentiality of information is one of the important aspects of SET. Cardholder account and payment information is protected as it moves across the network. An interesting and important feature of SET is that it prevents the merchant from learning the cardholder's credit card number; that information is provided only to the issuing bank. Conventional (symmetric) encryption with DES is used to provide confidentiality.
Integrity of Data
The SET protocol also provides data integrity. Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions, and SET guarantees that these message contents are not altered in transit. RSA digital signatures over SHA-1 hash codes provide message integrity; certain messages are additionally protected by an HMAC using SHA-1.
Cardholder Account Authentication
To authenticate cardholders, SET enables merchants to verify that a cardholder is a legitimate user of a valid card account number. SET uses X.509v3 digital certificates with RSA signatures for this purpose.
SET also authenticates merchants: it enables cardholders to verify that a merchant has a relationship with a financial institution that allows it to accept payment cards. Again, X.509v3 digital certificates with RSA signatures are used for this purpose.
An important innovation introduced in SET is the dual signature. A dual signature serves the same purpose as a standard digital signature, guaranteeing the authentication and integrity of data, but it links two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order. The link is needed so that the customer can prove that the payment is intended for this particular order.
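The dual-signature construction described above, as an added worked example in Go (not code from this page or from SETco): the cardholder signs H(H(PI) || H(OI)), the merchant verifies with OI plus only the digest of PI, and the bank verifies with PI plus only the digest of OI. The signature scheme (RSA PKCS#1 v1.5 over SHA-1), the key size and the sample OI/PI strings are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// sha1Of returns the SHA-1 digest of b (the hash the page says SET used).
func sha1Of(b []byte) []byte { s := sha1.Sum(b); return s[:] }
// concat returns a fresh slice a||b so no caller's buffer is modified.
func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// DualSign computes DS = Sign_cardholder(H(H(PI) || H(OI))).
// RSA PKCS#1 v1.5 over SHA-1 is assumed as the signature scheme.
func DualSign(priv *rsa.PrivateKey, oi, pi []byte) ([]byte, error) {
	pomd := sha1Of(concat(sha1Of(pi), sha1Of(oi)))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, pomd)
}
// MerchantVerify: the merchant holds OI in clear and only PIMD = H(PI), never the card number.
func MerchantVerify(pub *rsa.PublicKey, oi, pimd, ds []byte) bool {
	pomd := sha1Of(concat(pimd, sha1Of(oi)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, pomd, ds) == nil
}
// BankVerify: the bank holds PI in clear and only OIMD = H(OI), never the order details.
func BankVerify(pub *rsa.PublicKey, pi, oimd, ds []byte) bool {
	pomd := sha1Of(concat(sha1Of(pi), oimd))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, pomd, ds) == nil
}
// Demo signs one constructed purchase; returns (merchant ok, bank ok, substituted order rejected).
func Demo() (merchantOK, bankOK, alteredRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed cardholder key
	if err != nil {
		return
	}
	oi := []byte("order=1 book, price=20.00")          // constructed OI
	pi := []byte("card=PLACEHOLDER-PAN, amount=20.00") // constructed PI
	ds, err := DualSign(priv, oi, pi)
	if err != nil {
		return
	}
	merchantOK = MerchantVerify(&priv.PublicKey, oi, sha1Of(pi), ds)
	bankOK = BankVerify(&priv.PublicKey, pi, sha1Of(oi), ds)
	// A different OI with the same DS and PIMD must fail: the signature is what
	// lets the cardholder prove which order this payment was for.
	altered := MerchantVerify(&priv.PublicKey, []byte("order=1 book, price=1.00"), sha1Of(pi), ds)
	return merchantOK, bankOK, !altered, nil
}
func main() { fmt.Println(Demo()) }
```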
The following are the participants in the SET system:
- Cardholder
- Merchant
- Issuer
- Acquirer
- Certificate Authority
Cardholder
In the electronic environment, consumers and corporate purchasers interact with merchants from personal computers over the Internet. A cardholder is an authorized holder of a payment card that has been issued by an issuer.
Merchant
A merchant is a person or organization that has goods and services to sell to the cardholder. Typically, these goods and services are offered via a Web site or by electronic mail. A merchant that accepts payment cards must have a relationship with an acquirer.
Issuer
This is a financial institution, such as a bank, that provides the cardholder with the payment card.
Acquirer
This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant's account.
Certification Authority (CA)
This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this purpose.