Concepts of secure electronic transaction
SET (Secure Electronic Transaction) is a very comprehensive security protocol, which utilizes cryptography to provide confidentiality of information, ensure payment integrity and enable identity authentication. For authentication purposes, cardholders, merchants and acquirers will be issued digital certificates by their sponsoring organizations.
It relies on cryptography and digital certificates to ensure message confidentiality and security. The digital envelope is used throughout the protocol. Message data is encrypted using a randomly generated symmetric key, and that key is in turn encrypted using the recipient's public key. The encrypted key is referred to as the "digital envelope" of the message and is sent to the recipient together with the encrypted message. The recipient decrypts the digital envelope using its private key and then uses the recovered symmetric key to unlock the original message.
Digital certificates, which are also called electronic credentials or digital IDs, are digital documents attesting to the binding of a public key to an individual or entity. Both cardholders and merchants must register with a certificate authority (CA) before they can engage in transactions. The cardholder thereby obtains electronic credentials to prove that he is trustworthy. The merchant similarly registers and obtains credentials. These credentials do not contain sensitive details such as credit card numbers. Later, when the customer wants to make purchases, he and the merchant exchange their credentials. If both parties are satisfied then they can proceed with the transaction. Credentials must be renewed every few years, and presumably are not available to known fraudsters.
Purpose
The purpose of the SET protocol is to establish payment transactions that provide confidentiality of information, ensure the integrity of payment instructions and of the order data for goods and services, and authenticate both the cardholder and the merchant.
How it Works
Both cardholders and merchants must first register with a certificate authority (CA), as described above, before they can buy or sell on the Internet. Once registration is done, the cardholder and merchant can start to transact. In simplified form, a transaction involves six basic steps:
- Customer browses the website and decides what to purchase.
- Customer sends order and payment information as one message with two parts:
  - (a) Purchase Order: this part is for the merchant.
  - (b) Card Information: this part is for the merchant's bank only.
- Merchant forwards the card information (part b) to their bank.
- Merchant's bank checks with the issuer for payment authorization.
- Issuer sends the authorization to the merchant's bank.
- Merchant's bank sends the authorization to the merchant.