Secure electronic transaction
Encyclopedia
Secure Electronic Transaction (SET) was a standard protocol
for securing credit card
transactions over insecure networks
, specifically, the Internet
. SET was not itself a payment system
, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction. VISA now promotes the 3-D Secure
scheme.
and MasterCard
(and involving other companies such as GTE
, IBM
, Microsoft
, Netscape, RSA
, Safelayer --formerly SET Projects-- and VeriSign
) starting in 1996. SET was based on X.509
certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.
SET allowed parties to cryptographically identify themselves to each other and exchange information securely. SET used a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number. If SET were used, the merchant itself would never have had to know the credit-card numbers being sent from the buyer, which would have provided verified good payment but protected customers and credit companies from fraud.
SET was intended to become the de facto standard
of payment method on the Internet between the merchants, the buyers, and the credit-card companies. Despite heavy publicity, it failed to win market share. Reasons for this include:
: to guarantee the authentication and integrity of data. It links two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order. The link is needed so that the customer can prove that the payment is intended for this order.
The message digest (MD) of the OI and the PI are independently calculated by the customer. The dual signature is the encrypted MD (with the customer's secret key) of the concatenated MD's of PI and OI. The dual signature is sent to both the merchant and the bank. The protocol arranges for the merchant to see the MD of the PI without seeing the PI itself, and the bank sees the MD of the OI but not the OI itself. The dual signature can be verified using the MD of the OI or PI. It doesn't require the OI or PI itself. Its MD does not reveal the content of the OI or PI, and thus privacy is preserved.
Communications protocol
A communications protocol is a system of digital message formats and rules for exchanging those messages in or between computing systems and in telecommunications...
for securing credit card
Credit card
A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services...
transactions over insecure networks
Computer network
A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....
, specifically, the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
. SET was not itself a payment system
Payment system
A payment system is a system used for transferring money. What makes it a "system" is that it employs cash-substitutes; traditional payment systems are negotiable instruments such as drafts and documentary credits such as letter of credits. With the advent of computers and electronic...
, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction. VISA now promotes the 3-D Secure
3-D Secure
3-D Secure is an XML-based protocol designed to be an added layer of security for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and offered to customers as the Verified by Visa service...
scheme.
History and development
SET was developed by SETco, led by VISAVISA (credit card)
Visa Inc. is an American multinational financial services corporation headquartered on 595 Market Street, Financial District in San Francisco, California, United States, although much of the company's staff is based in Foster City, California. It facilitates electronic funds transfers throughout...
and MasterCard
MasterCard
Mastercard Incorporated or MasterCard Worldwide is an American multinational financial services corporation with its headquarters in the MasterCard International Global Headquarters, Purchase, Harrison, New York, United States...
(and involving other companies such as GTE
GTE
GTE Corporation, formerly General Telephone & Electronics Corporation was the largest independent telephone company in the United States during the days of the Bell System....
, IBM
IBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
, Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
, Netscape, RSA
RSA Security
RSA, the security division of EMC Corporation, is headquartered in Bedford, Massachusetts, United States, and maintains offices in Australia, Ireland, Israel, the United Kingdom, Singapore, India, China, Hong Kong and Japan....
, Safelayer --formerly SET Projects-- and VeriSign
VeriSign
Verisign, Inc. is an American company based in Dulles, Virginia that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc and .tv country-code...
) starting in 1996. SET was based on X.509
X.509
In cryptography, X.509 is an ITU-T standard for a public key infrastructure and Privilege Management Infrastructure . X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation...
certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.
SET allowed parties to cryptographically identify themselves to each other and exchange information securely. SET used a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number. If SET were used, the merchant itself would never have had to know the credit-card numbers being sent from the buyer, which would have provided verified good payment but protected customers and credit companies from fraud.
SET was intended to become the de facto standard
De facto standard
A de facto standard is a custom, convention, product, or system that has achieved a dominant position by public acceptance or market forces...
of payment method on the Internet between the merchants, the buyers, and the credit-card companies. Despite heavy publicity, it failed to win market share. Reasons for this include:
- Network effect - need to install client software (an e-walletE-walletThe Gator E-Wallet was one of the earlier and better known forms of spyware and/or adware.The program was described as your helpful online companion, that remembers your online logins and passwords. Unfortunately, the E-Wallet program installs GAIN, which is known to show pop-up ads and hijack...
). - Cost and complexity for merchants to offer support and comparatively low cost and simplicity of the existing SSLTransport Layer SecurityTransport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
based alternative. - Client-side certificate distribution logistics.
Key features
To meet the business requirements, SET incorporates the following features:- Confidentiality of information
- Integrity of data
- Cardholder account authentication
- Merchant authentication
Participants
A SET system includes the following participants:- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gatewayPayment gatewayA payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets...
- Certification authority
Transaction
The sequence of events required for a transaction are as follows:- The customer obtains a credit card account with a bank that supports electronic payment and SET
- The customer receives a X.509v3X.509In cryptography, X.509 is an ITU-T standard for a public key infrastructure and Privilege Management Infrastructure . X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation...
digital certificate signed by the bank. - Merchants have their own certificates
- The customer places an order
- The merchant sends a copy of its certificate so that the customer can verify that it's a valid store
- The order and payment are sent
- The merchant requests payment authorization
- The merchant confirms the order
- The merchant ships the goods or provides the service to the customer
- The merchant requests payment
Dual signature
An important innovation introduced in SET is the dual signature. The purpose of the dual signature is the same as the standard electronic signatureElectronic signature
An electronic signature, or e-signature, is any electronic means that indicates either that a person adopts the contents of an electronic message, or more broadly that the person who claims to have written a message is the one who wrote it . By comparison, a signature is a stylized script...
: to guarantee the authentication and integrity of data. It links two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order. The link is needed so that the customer can prove that the payment is intended for this order.
The message digest (MD) of the OI and the PI are independently calculated by the customer. The dual signature is the encrypted MD (with the customer's secret key) of the concatenated MD's of PI and OI. The dual signature is sent to both the merchant and the bank. The protocol arranges for the merchant to see the MD of the PI without seeing the PI itself, and the bank sees the MD of the OI but not the OI itself. The dual signature can be verified using the MD of the OI or PI. It doesn't require the OI or PI itself. Its MD does not reveal the content of the OI or PI, and thus privacy is preserved.