SET is the Secure Electronic Transaction protocol developed by Visa and MasterCard specifically for enabling secure credit card transactions on the Internet. It uses digital certificates to ensure the identities of all parties involved in a purchase and encrypts credit card information before sending it across the Internet.
SET is exempt from the US cryptographic export restrictions and, unlike SSL, can therefore use strong, 128-bit encryption for credit card numbers world-wide. In order to gain this exemption, the use of strong encryption has to be limited to the financial information only and does not include other elements of the transaction, for example details of the goods being bought and the delivery address.
Like SSL, SET allows for the merchant’s identity to be authenticated via digital certificates. However, SET also allows for the merchant to request that users authenticate themselves through digital certificates. This makes it much more difficult for someone to use a stolen credit card.
A further advantage of SET is that the merchant has no access to credit card numbers and thus another source of fraud is eliminated.
There are many pilot schemes running using the SET protocol but mainstream adoption has been slower than predicted. The main reasons behind this are the growing acceptance of SSL for secure credit card transactions and the complexity and cost of the SET system.
Encryption Process
In a typical SET transaction, there is information that is private between the customer and the merchant (such as the items being ordered) and other information that is private between the customer and the bank (such as the customer’s credit card number). SET allows both kinds of private information to be included in a single, digitally signed transaction.
Information intended for the bank is encrypted using the bank’s public key whilst information for the merchant is encrypted with the merchant’s public key. This means that the merchant has no access to the credit card details and thus a source of fraud is eliminated.
In addition to this encryption, both sets of information are digitally signed. Finally these two signatures are combined to produce one signature that covers the whole transaction.
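As an added illustration (not code from the original page), the following Python shows the dual-signature construction SET uses to produce a single signature covering both halves of the transaction: the merchant can verify it holding only the order information and a digest of the payment information, while the bank can verify it holding only the payment information and a digest of the order. The RSA key is a stand-in built from two known Mersenne primes so the example runs offline, and the order and card data are constructed.

```python
import hashlib

# Stand-in customer signing key (assumption): textbook RSA over a SHA-256
# digest, using two known Mersenne primes so the example needs no library.
# Real SET wallets use certificate-backed keys with padded signatures.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), D, N)

def verify(digest: bytes, signature: int) -> bool:
    return pow(signature, E, N) == int.from_bytes(digest, "big")

def dual_signature(order_info: bytes, payment_info: bytes):
    """Customer side: one signature that binds OI and PI together.
    SET hashes each part, then signs the hash of the two digests."""
    oimd = sha256(order_info)    # order information message digest
    pimd = sha256(payment_info)  # payment information message digest
    pomd = sha256(pimd + oimd)   # payment-order message digest
    return oimd, pimd, sign(pomd)

def merchant_verifies(order_info: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant receives OI in clear plus PIMD; it never sees the card data."""
    return verify(sha256(pimd + sha256(order_info)), ds)

def bank_verifies(payment_info: bytes, oimd: bytes, ds: int) -> bool:
    """Bank receives PI plus OIMD; it never sees what was ordered."""
    return verify(sha256(sha256(payment_info) + oimd), ds)

def demo():
    # Constructed sample data; the card number is a placeholder.
    oi = b"merchant=ExampleShop;item=1x widget;amount=49.99"
    pi = b"card=0000-0000-0000-TEST;exp=01/99;amount=49.99"
    oimd, pimd, ds = dual_signature(oi, pi)
    merchant_ok = merchant_verifies(oi, pimd, ds)
    bank_ok = bank_verifies(pi, oimd, ds)
    # Any change to OI after signing fails verification: OI is bound to PI.
    tampered_ok = merchant_verifies(oi.replace(b"49.99", b"4999.00"), pimd, ds)
    return merchant_ok, bank_ok, tampered_ok
```

Each party checks the signature against the half it holds in clear plus the digest of the other half, so neither learns the other's private data, yet a mismatch in either half is detected.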
There are three parts to the SET system: a software “wallet” on the user’s computer; a commerce server that runs at the merchant’s Web site; and the payment server that runs at the merchant’s bank.
Although future versions of Microsoft’s Internet Explorer and Netscape’s Navigator will come with SET wallets pre-installed, currently users need to download and install a wallet on their computers. During the installation process the user provides credit card details and obtains a user name and PIN to provide secure access to the wallet. The installation process also produces a public and private key pair for the user. The user also has to obtain a digital certificate from their bank or a certificate authority (CA) for each credit card.
To use SET, users select products from the merchant’s Web site and then elect to pay via SET by pressing an on-screen button. This automatically starts the wallet program. The user then selects which credit card they wish to use and the wallet and the merchant’s server exchange certificates. If these are accepted, the wallet then encrypts and transmits the purchase details to the merchant.
Although the purchase details include the encrypted credit card information, the merchant cannot read them. Instead, the merchant passes them on to the bank’s payment server, which debits the user’s credit card and passes the payment to the merchant.