Secure Electronic Transaction (SET)
MasterCard, Visa, and several other companies developed the Secure Electronic Transaction (SET) protocol, which specifically handles electronic payments. SET version 1.0 was released in May 1997. Fraud prevention was the prime reason for developing SET. SET employs cryptographic techniques similar to those of SSL, using a combination of the DES secret-key and RSA public-key schemes. SET uses two public/private key pairs: one for key exchange and another for digital signatures.
In SET, message data is encrypted using a randomly generated symmetric key. That key is in turn encrypted using the recipient’s public key; the result is called the “digital envelope” of the message and is sent to the recipient along with the encrypted message. The recipient decrypts the digital envelope using their private key and then uses the recovered symmetric key to unlock the original message.
Digital certificates, which are also called electronic credentials or digital IDs, are digital documents attesting to the binding of a public key to an individual or entity. Both cardholders and merchants must register with a certificate authority (CA) before any transactions. The cardholder obtains electronic credentials to prove trustworthiness. The merchant similarly registers and obtains credentials. These credentials do not contain sensitive details such as credit card numbers. Later, when the customer wants to make purchases, he and the merchant exchange their credentials. If both parties are satisfied then they can proceed with the transaction. Credentials must be renewed every few years, and presumably are not available to known fraudsters.
Both cardholders and merchants must first register with a CA (certificate authority) before they can buy or sell on the Internet. Once registration is done, the cardholder and merchant can start to do transactions, which involve the following steps:
- Customer browses website and decides on what to purchase
- Customer sends order and payment information, which includes 2 parts in one message:
  - Purchase Order – this part is for the merchant
  - Card Information – this part is for the merchant’s bank only
- Merchant forwards card information (second part) to their bank
- Merchant’s bank checks with Issuer for payment authorization
- Issuer sends authorization to Merchant’s bank
- Merchant’s bank sends authorization to merchant
- Merchant completes the order and sends confirmation to the customer
- Merchant captures the transaction from their bank
- Issuer prints credit card bill (invoice) to customer
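The digital envelope and the two-part order/payment message described above, as an added example that is not part of the original page or of the SET specification: each part is sealed for a different recipient, so the merchant can read the purchase order but only the merchant's bank can read the card information. Assumptions: textbook RSA without padding on fixed demo primes and a SHA-256 keystream standing in for DES (the Python standard library has neither), and all function names, keys and sample data are constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes (demo only: no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed demo keys built from known Mersenne primes; real keys are random.
MERCHANT_PUB, MERCHANT_PRIV = make_keypair(2**127 - 1, 2**107 - 1)
BANK_PUB, BANK_PRIV = make_keypair(2**89 - 1, 2**61 - 1)

def _stream_xor(key, data):
    """Stand-in for DES (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(message, recipient_pub):
    """Return (digital envelope, encrypted message) for one recipient."""
    n, e = recipient_pub
    session_key = secrets.token_bytes(8)  # random per-message symmetric key
    envelope = pow(int.from_bytes(session_key, "big"), e, n)
    return envelope, _stream_xor(session_key, message)

def open_sealed(envelope, ciphertext, private_key):
    """Unwrap the session key with the private key, then decrypt the message."""
    n, d = private_key
    recovered = pow(envelope, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return _stream_xor(recovered[-8:], ciphertext)

def build_payment_message(order, card):
    """Customer side: part 1 for the merchant, part 2 for the merchant's bank."""
    return {"order": seal(order, MERCHANT_PUB), "card": seal(card, BANK_PUB)}

if __name__ == "__main__":
    # Constructed sample data, not a real order or card number.
    msg = build_payment_message(b"2 x widget, total 40.00",
                                b"PAN 0000-0000-0000-0000 exp 12/30")
    print(open_sealed(*msg["order"], MERCHANT_PRIV))  # merchant reads the order
    print(open_sealed(*msg["card"], MERCHANT_PRIV))   # wrong key: unreadable bytes
    print(open_sealed(*msg["card"], BANK_PRIV))       # bank reads the card data
```

The envelope here provides confidentiality only; the signature key pair mentioned earlier on the page is what would provide authenticity.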