Secure Electronic Transaction


Secure Electronic Transaction (SET) was a communications protocol standard for securing credit card transactions over open networks, specifically the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that let users employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction in the market. Visa now promotes the 3-D Secure scheme instead.


Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (a digital certificate), and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, the merchant, and the purchaser's bank, in a way that ensures privacy and confidentiality.

History and development

The SET Design Team at Visa International offices in Foster City, California, July 1996, in a picture to commemorate the publication of the work, which was followed by a lunch on San Francisco Bay.

SET was developed by the SET Consortium, established in 1996 by Visa and Mastercard in cooperation with GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems, RSA, and VeriSign.[1] The consortium's goal was to combine the card associations' similar but incompatible protocols (STT from Visa/Microsoft and SEPP from Mastercard/IBM) into a single standard.

SET allowed parties to identify themselves to each other and exchange information securely. Binding of identities was based on X.509 certificates with several extensions.[2] SET used a cryptographic blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit card number. Had SET been adopted, the merchant itself would never have needed to know the credit card number sent by the buyer: it would still have received a verified, good payment, while customers and card companies would have been protected from fraud.

SET was intended to become the de facto standard payment method on the Internet between the merchants, the buyers, and the credit-card companies.

Unfortunately, the implementation by each of the primary stakeholders was either expensive or cumbersome. There were also external factors that may have complicated how the consumer element would be integrated into the browser. A rumor circa 1994-1995 suggested that Microsoft sought an income stream of 0.25% from every transaction secured by the SET-compliant components it would integrate into its Internet browser.

Key features

To meet the business requirements, SET incorporates the following features:

Participants

A SET system includes the following participants:

How it works

Both cardholders and merchants must first register with the CA (certificate authority) before they can buy or sell on the Internet. Once registered, cardholder and merchant can begin transacting. In simplified form, a purchase involves the following nine steps:

  1. Customer browses the website and decides on what to purchase
  2. Customer sends order and payment information, which includes two parts in one message:
    a. Purchase order – this part is for merchant
    b. Card information – this part is for merchant’s bank only.
  3. Merchant forwards card information to their bank
  4. Merchant’s bank checks with the issuer for payment authorization
  5. Issuer sends authorization to the merchant’s bank
  6. Merchant’s bank sends authorization to the merchant
  7. Merchant completes the order and sends confirmation to the customer
  8. Merchant captures the transaction from their bank
  9. Issuer bills the customer on the credit card statement (invoice)


Dual signature

As described in (Stallings 2000):

An important innovation introduced in SET is the dual signature. The purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit-card number, and the bank does not need to know the details of the customer's order. The customer is afforded extra protection in terms of privacy by keeping these two items separate. However, the two items must be linked in a way that can be used to resolve disputes if necessary. The link is needed so that the customer can prove that this payment is intended for this order and not for some other goods or service.

The customer independently calculates the message digests (MDs) of the PI and the OI, concatenates the two digests, and calculates a further MD over the concatenation. Finally, the dual signature is created by signing that MD with the customer's private key. The dual signature is sent to both the merchant and the bank. The protocol arranges for the merchant to see the MD of the PI without seeing the PI itself, and for the bank to see the MD of the OI without seeing the OI itself. Each party can therefore verify the dual signature using the item it holds in clear plus the other item's MD, without ever receiving the other item. Privacy is preserved because an MD cannot be reversed to reveal the contents of the OI or PI.
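The split message of steps 2 to 6 above and the dual-signature construction just described, as an added worked example that is not code from the SET specification or from Stallings. SHA-256 stands in for SET's digest function, and a toy textbook-RSA signature (raw RSA on the digest, no padding, keys generated on the fly) stands in for the cardholder's certificate-bound signing key; real SET used SHA-1 and PKCS-formatted RSA. The order and payment strings are constructed sample input, and the function names are this example's own.

```python
# Added example, not SET reference code: Stallings' dual signature
# DS = Sign_customer( H( H(PI) || H(OI) ) ) with SHA-256 and a toy RSA.
# ASSUMPTION: raw (unpadded) RSA on the digest is used only for illustration;
# it is not a secure signature scheme and real SET used PKCS-style formatting.
import hashlib
import secrets

# Odd primes below 200 for trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 200, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division plus Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so the modulus has the expected size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 512):
    """Toy-sized RSA keys as (exponent, modulus) pairs: (public, private)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dual_signature(oi: bytes, pi: bytes, priv):
    """Customer side. Returns (DS, H(PI), H(OI)); the digests travel with DS."""
    d, n = priv
    pimd, oimd = digest(pi), digest(oi)
    pomd = digest(pimd + oimd)            # payment-order message digest
    ds = pow(int.from_bytes(pomd, "big"), d, n)
    return ds, pimd, oimd


def verify_dual_signature(ds: int, pimd: bytes, oimd: bytes, pub) -> bool:
    """Either recipient: rebuild POMD from the two digests and check DS."""
    e, n = pub
    pomd = digest(pimd + oimd)
    return pow(ds, e, n) == int.from_bytes(pomd, "big")


def merchant_checks(oi: bytes, pimd: bytes, ds: int, pub) -> bool:
    """Merchant holds OI in clear and only H(PI): it never sees the card number."""
    return verify_dual_signature(ds, pimd, digest(oi), pub)


def bank_checks(pi: bytes, oimd: bytes, ds: int, pub) -> bool:
    """Bank holds PI in clear and only H(OI): it never sees what was bought."""
    return verify_dual_signature(ds, digest(pi), oimd, pub)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    # Constructed sample input (4111... is a standard test card number).
    oi = b"order=1001 item=book qty=1 total=12.50"
    pi = b"pan=4111111111111111 exp=12/29 amount=12.50"
    ds, pimd, oimd = dual_signature(oi, pi, priv)
    print("merchant accepts:", merchant_checks(oi, pimd, ds, pub))
    print("bank accepts:    ", bank_checks(pi, oimd, ds, pub))
    # Linking property: the same DS does not bind this PI to a different order.
    print("swapped order:   ", merchant_checks(b"order=1002 item=laptop total=1999.00", pimd, ds, pub))
```

The merchant's check takes the order it received plus the 32-byte PI digest forwarded with the message; the bank's check takes the payment instructions plus the OI digest. Neither party can substitute a different OI or PI and still verify, which is the dispute-resolution link the text describes.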

Notes

  1. Merkow p.248
  2. SET Specification Book 2 p.214
