
SET

SET stands for Secure Electronic Transactions and is a proposed standard for performing credit card transactions over the Internet. SET is an open network payment-card protocol.

It is primarily designed to enable users to employ the existing credit card payment infrastructure securely on an open network such as the Internet. It was developed jointly by Visa and MasterCard, with technical assistance from various Internet, information systems, and cryptology companies such as IBM, Microsoft, Netscape, RSA, and VeriSign. (VeriSign is the world's largest Internet trust services provider, and has taken over CyberCash's Internet payments business.) With these names behind it, SET may very well become the dominant method for paying by credit card over the Internet.

4.1. Features of SET

• Provide confidentiality of payment information and enable confidentiality of order information that is transmitted along with the payment information.

• Ensure the integrity of all transmitted data.

• Provide authentication that a cardholder is a legitimate user of a branded payment card account.

• Provide authentication that a merchant can accept branded payment card transactions through its relationship with an acquiring financial institution.

• Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.

• Create a protocol that neither depends on transport security mechanisms nor prevents their use.

• Facilitate and encourage interoperability among software and network providers.

4.2. SET Security

SET is a very comprehensive security protocol, which utilizes cryptography to provide confidentiality of information, ensure payment integrity, and enable identity authentication.

For authentication purposes, cardholders, merchants, and acquirers are issued digital certificates by their sponsoring organizations.

It relies on cryptography and digital certificates to ensure message confidentiality and security. The digital envelope is widely used in this protocol. Message data is encrypted using a randomly generated symmetric key, which is in turn encrypted using the recipient's public key. This encrypted key is referred to as the "digital envelope" of the message and is sent to the recipient along with the encrypted message. The recipient decrypts the digital envelope using its private key and then uses the recovered symmetric key to unlock the original message. Digital certificates, also called electronic credentials or digital IDs, are digital documents attesting to the binding of a public key to an individual or entity. Both cardholders and merchants have to register with a CA before they can engage in transactions. The cardholder thereby obtains electronic credentials to prove that he is trustworthy. The merchant similarly registers and obtains credentials. These credentials do not contain sensitive details such as credit card numbers. Later, when the customer wants to make a purchase, he and the merchant exchange their credentials. If both parties are satisfied, they can proceed with the transaction. Credentials must be renewed every few years, and presumably are not available to known fraudsters.

SET uses both secret-key and public-key cryptography in its encryption process. The secret-key cipher used in SET is the well-known Data Encryption Standard (DES), which financial institutions also use to encrypt PINs, and the public-key algorithm used in SET is RSA.

4.3. SET Process

The SET protocol utilizes cryptography to provide confidentiality of information, ensure payment integrity, and enable identity authentication (Figure 8). For authentication purposes, cardholders, merchants, and acquirers are issued digital certificates by their sponsoring organizations. It also uses a dual signature, which hides the customer's credit card information from the merchant and hides the order information from the bank, to protect privacy.

Figure 8. A SET payment transaction
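The dual signature described above, worked through as an added example (not code from the book): the cardholder signs the hash of the two hashes H(OI) and H(PI), so the merchant can verify the order without seeing the payment instructions and the payment gateway can verify the payment instructions without seeing the order. The toy RSA key pair and the sample order/payment strings are constructed for this demonstration; SET itself used certificate-backed RSA keys.

```python
import hashlib

# Constructed toy RSA key pair: p=61, q=53, n=3233, e=17, d=2753 (17*2753 = 1 mod 3120).
# Demonstration only; real SET signatures used full-size, certificate-backed RSA keys.
TOY_PUB = (17, 3233)
TOY_PRIV = (2753, 3233)


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def toy_sign(digest: bytes, priv: tuple) -> int:
    # Textbook RSA over the digest reduced mod n (unpadded toy, for illustration only)
    d, n = priv
    return pow(int.from_bytes(digest, "big") % n, d, n)


def toy_verify(digest: bytes, sig: int, pub: tuple) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big") % n


def dual_signature(order_info: bytes, payment_info: bytes, priv: tuple):
    # Cardholder side: DS = Sign(H(H(OI) || H(PI))), then split the two views.
    # Merchant gets OI plus only H(PI); gateway gets PI plus only H(OI).
    oi_digest, pi_digest = sha(order_info), sha(payment_info)
    ds = toy_sign(sha(oi_digest + pi_digest), priv)
    merchant_view = {"OI": order_info, "PI_digest": pi_digest, "DS": ds}
    gateway_view = {"PI": payment_info, "OI_digest": oi_digest, "DS": ds}
    return merchant_view, gateway_view


def merchant_verify(view: dict, pub: tuple) -> bool:
    # Merchant recomputes H(OI) itself; it never sees the card details inside PI
    return toy_verify(sha(sha(view["OI"]) + view["PI_digest"]), view["DS"], pub)


def gateway_verify(view: dict, pub: tuple) -> bool:
    # Gateway recomputes H(PI) itself; it never sees what was ordered in OI
    return toy_verify(sha(view["OI_digest"] + sha(view["PI"])), view["DS"], pub)


if __name__ == "__main__":
    # Constructed sample order information and payment instructions
    oi = b"order=42;item=book;amount=19.99"
    pi = b"pan=PLACEHOLDER-CARD-NUMBER;amount=19.99"
    m_view, g_view = dual_signature(oi, pi, TOY_PRIV)
    print("merchant verifies:", merchant_verify(m_view, TOY_PUB))
    print("gateway verifies:", gateway_verify(g_view, TOY_PUB))
```

Because both views carry the same DS, neither party can substitute a different OI or PI and still produce a digest that verifies under the cardholder's public key.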

Before the parties can perform a successful SET payment, they must complete some preliminary steps:

• The consumer obtains a credit card account from a bank that supports SET payments.

• The consumer receives a certificate from the cardholder certificate authority.

• The merchant obtains its own certificate, and also needs a copy of the payment gateway's public-key certificate.

To effect a successful SET payment, a cardholder invokes software on his device that initiates the following sequence:

1. The cardholder clicks the SET Paying Button after he/she chooses the items and confirms the prices.

2. The merchant responds with the order information along with a copy of its certificate, so that the consumer can verify that the merchant is a valid seller.

3. After that verification, the cardholder sends the order information and the payment information to the merchant, together with a copy of his/her certificate. The order information confirms the purchased items and the payment information contains the account details. The payment information is encrypted under the public key in the payment gateway's certificate, so that the merchant cannot read it. The consumer's certificate enables the merchant to verify the buyer.

4. The merchant forwards the payment information to the payment-processing organization (the payment gateway or acquirer), requesting authorization that the consumer's credit is sufficient for this purchase.

5. The authorization is handled by the payment-processing organization using existing financial networks.

6. The merchant receives the authorization result.

7. The merchant sends the cardholder confirmation that the payment has been accepted.

8. After collecting some number of authorization responses, the merchant sends a settlement request to the payment-processing organization.

9. Clearing and settlement are processed by the payment-processing organization just as for a normal payment card transaction.

10. The merchant receives confirmation that the transaction has been completed.

4.4. Entities Involved in SET

There are mainly five entities involved in SET.

1. SET Payment Gateway: The payment gateway is the bridge between SET and the existing payment network. The payment gateway translates SET messages for the existing payment system to complete an electronic transaction.

2. SET Merchant Point of Sale Server: A merchant offers goods or services for sale on the Internet and accepts electronic credit card payments. A merchant that accepts payment cards must have a relationship with an acquirer. The merchant Point of Sale Server provides an interface between the cardholder and the acquirer's payment gateway.

3. Cardholder and Electronic Wallet: A cardholder is an authorized holder of a payment card supported and issued by an issuing bank. Cardholders use electronic wallets to store digital representations of credit cards and make purchases with them. SET ensures that the interactions the cardholder has with a merchant keep the payment card account information confidential.

4. Acquiring Bank: An acquirer is the financial institution that establishes an account with a merchant and processes payment card authorizations and payments.

5. Issuing Bank: The issuing bank establishes an account for a cardholder and issues the payment card to the cardholder. The issuer guarantees payment for authorized transactions using the payment card.

4.5. Disadvantages of SET

SET is a protocol that is not completely secure in user authentication, and SSL-based methods ignore essential security requirements. Some disadvantages of SET are:

• SET is designed for wired networks and does not meet all the challenges of wireless networks.

• The SET protocol was designed to maintain the traditional flow of payment data: Customer Agent to Merchant Agent to Merchant's Bank. There is therefore a need for an end-to-end security mechanism.

• The third issue is the direction of the transaction flow. In SET, transactions are carried out between the Customer Agent and the Merchant, so the scheme is vulnerable to various attacks; for example, the merchant can modify transaction data by altering the balance.

• Because the transaction flow is from Customer to Merchant, all the details of users' credit/debit cards must flow via the merchant's side. This increases the user's risk, since the data can be copied and used later to access the customer's account without authorization.

• There is no notification to the Customer from the customer's Bank after a successful transfer. The user has to check his/her balance by logging on to the bank website again.

• SET is only for card based (credit or debit) transactions. Account based transactions are not included in SET.


Source: Banking, Finance, and Accounting: Concepts, Methodologies, Tools, and Applications. IGI Global, 2014. 1593 p.