Beautiful Trade/Secure Electronic Transaction
Secure Electronic Transaction
Secure Electronic Transaction (SET) is a protocol Visa and MasterCard developed in 1996 for securing credit card transactions over insecure networks such as the Internet. SET uses X.509 certificates and extensions, together with public-key cryptography, to identify each party in the e-commerce transaction and to transmit the data while maintaining confidentiality. SET’s unique binding algorithm substitutes a temporary certificate for the consumer’s account number, so the online merchant never needs access to this sensitive information. Each party is required to preregister with the certificate authority (CA), which lets the card issuer perform due diligence before it allows the merchant to conduct e-commerce transactions and then authenticates all parties in the transaction.
On the consumer end, SET creates a hash value of the order information together with the payment information. The payment information is sent to the bank along with the signed hash of the order information. The consumer-side software also sends the order information to the merchant with the signed hash of the payment information. Both the cardholder and the merchant compute matching hashes, which the bank or payment gateway compares on receipt.
This protocol offers a number of different protections for the transaction:
• It authenticates all parties in the initial transaction at time of registration with the CA.
• It performs additional authentication at transaction time through the exchange of certificates among the consumer, merchant, and payment gateway.
• Sensitive data such as the account number is shared only between the consumer and the bank and kept on a “need to know” basis, freeing the merchant from the need to store or transmit this information.
The sequence of events required for a transaction is as follows:
1. The customer obtains a credit card account with a bank that supports electronic payment and SET.
2. The customer receives an X.509 v3 digital certificate signed by the bank.
3. The customer places an order.
4. Each merchant has its own certificate, which it sends to the customer so the customer’s software can verify that it is a legitimate store.
5. The order and payment are sent.
6. The merchant requests payment authorization from the issuing bank.
7. The merchant confirms the order.
8. The merchant ships the goods or provides the service to the customer.
9. The merchant requests payment.
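The following is an added example, not code from the original page or from the SET specification, that models the hash-splitting described above and steps 5 and 6 of the sequence: the cardholder signs a combined digest of the order information (OI) and payment information (PI), the merchant receives the OI plus the digest of the PI, and the bank or payment gateway receives the PI plus the digest of the OI. Each side can verify that its half belongs to the same signed transaction without seeing the other half. Two assumptions are labelled in the code: the constructed order and payment strings, and the use of an HMAC with a shared demo key as a stand-in for the RSA signature that a real SET client would produce with its private key and that the merchant and gateway would verify with the public key from the cardholder’s X.509 certificate. The example also omits the encryption of the payment bundle to the gateway’s public key and models only the digest linkage.

```python
import hashlib
import hmac

# Constructed demo secret standing in for the cardholder's private signing key.
# Real SET signs with the cardholder's RSA key and verifies with the public key
# from the cardholder's X.509 certificate; HMAC is used here only so the
# example runs on the Python standard library.
CARDHOLDER_KEY = b"demo-cardholder-signing-key"


def digest(data: bytes) -> bytes:
    """Message digest used for both halves of the dual signature."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, message: bytes) -> bytes:
    """Signature stand-in (see note on CARDHOLDER_KEY above)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """Constant-time check of the signature stand-in."""
    return hmac.compare_digest(sign(key, message), signature)


def dual_signature(order_info: bytes, payment_info: bytes, key: bytes):
    """Return (OIMD, PIMD, DS): the two message digests and the signature
    over the digest of their concatenation."""
    oimd = digest(order_info)
    pimd = digest(payment_info)
    pomd = digest(oimd + pimd)
    return oimd, pimd, sign(key, pomd)


def cardholder_messages(order_info: bytes, payment_info: bytes, key: bytes):
    """Split one purchase into the merchant's bundle and the bank's bundle.
    The merchant never receives the payment information itself, only its digest."""
    oimd, pimd, ds = dual_signature(order_info, payment_info, key)
    to_merchant = {"order_info": order_info, "pimd": pimd, "ds": ds}
    to_bank = {"payment_info": payment_info, "oimd": oimd, "ds": ds}
    return to_merchant, to_bank


def merchant_verify(bundle: dict, key: bytes) -> bool:
    """Merchant recomputes the combined digest from the OI it holds and the
    PI digest it was given, then checks the signature."""
    pomd = digest(digest(bundle["order_info"]) + bundle["pimd"])
    return verify(key, pomd, bundle["ds"])


def gateway_verify(bundle: dict, key: bytes) -> bool:
    """Bank or payment gateway does the mirror-image check with the PI it holds
    and the OI digest it was given."""
    pomd = digest(bundle["oimd"] + digest(bundle["payment_info"]))
    return verify(key, pomd, bundle["ds"])


def run_transaction(order_info: bytes, payment_info: bytes, key: bytes) -> dict:
    """Simulate steps 5 and 6: send both bundles, have each party verify its own,
    and report whether the merchant's bundle exposed the payment information."""
    to_merchant, to_bank = cardholder_messages(order_info, payment_info, key)
    return {
        "merchant_ok": merchant_verify(to_merchant, key),
        "gateway_ok": gateway_verify(to_bank, key),
        # The merchant's bundle must not contain the raw payment information.
        "merchant_sees_payment_info": payment_info in to_merchant["order_info"],
    }


# Constructed sample inputs for the demonstration.
SAMPLE_ORDER = b"order=1001;item=book;amount=19.99"
SAMPLE_PAYMENT = b"pan=DEMO-PAN-0000-0000;exp=12/27;amount=19.99"

if __name__ == "__main__":
    print(run_transaction(SAMPLE_ORDER, SAMPLE_PAYMENT, CARDHOLDER_KEY))
```

The two mirror-image verifications are what bind the halves together: if a merchant altered the order after the fact, or a different payment instruction were paired with the signed order, the recomputed combined digest would no longer match the signature and the check would fail at whichever party received the substituted half.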
Evaluation of SET
Unfortunately, because of the overhead of the massive Public Key Infrastructure (PKI) and registration process that SET requires, it will never be widely adopted. The complexity of managing it becomes unbearable given the size of the e-commerce market.