Secure Electronic Transaction (SET) is a communications protocol standard for securing credit card transactions over networks, specifically the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enabled users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction in the market. Visa now promotes the 3-D Secure scheme.

SET was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate), and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality.


History and development

SET was developed by the SET Consortium, established in 1996 by Visa and Mastercard in cooperation with GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems, RSA, and VeriSign. The consortium's goal was to combine the card associations' similar but incompatible protocols (STT from Visa/Microsoft and SEPP from Mastercard/IBM) into a single standard. SET allowed parties to identify themselves to each other and exchange information securely. Binding of identities was based on X.509 certificates with several extensions (SET Specification Book 2, p. 214). SET used a cryptographic blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit card number. If SET were used, the merchant itself would never have had to know the credit-card numbers being sent from the buyer, which would have provided verified good payment but protected customers and credit companies from fraud.

SET was intended to become the de facto standard payment method on the Internet between the merchants, the buyers, and the credit-card companies. Unfortunately, the implementation by each of the primary stakeholders was either expensive or cumbersome. There were also some external factors that may have complicated how the consumer element would be integrated into the browser. There was a rumor circa 1994-1995 that suggested that Microsoft sought an income stream of 0.25% from every transaction secured by Microsoft's integrated SET-compliant components they would implement in their web browser.


Key features

To meet the business requirements, SET incorporates the following features:

* Confidentiality of information
* Integrity of data
* Cardholder account authentication
* Merchant authentication


Participants

A SET system includes the following participants:

* Cardholder
* Merchant
* Issuer
* Acquirer
* Payment gateway
* Certification authority


How it works

Both cardholders and merchants must register with the CA (certificate authority) before they can buy or sell on the Internet. Once registration is done, cardholder and merchant can start to do transactions, which in simplified form involve nine basic steps:

# Customer browses the website and decides on what to purchase
# Customer sends order and payment information, which includes two parts in one message:
   a. Purchase order: this part is for the merchant
   b. Card information: this part is for the merchant's bank only
# Merchant forwards card information to their bank
# Merchant's bank checks with the issuer for payment authorization
# Issuer sends authorization to the merchant's bank
# Merchant's bank sends authorization to the merchant
# Merchant completes the order and sends confirmation to the customer
# Merchant captures the transaction from their bank
# Issuer prints credit card bill (invoice) to the customer


Dual signature

As described in : The message digest (MD) of the OI (order information) and the PI (payment information) are independently calculated by the customer. These are concatenated and another MD is calculated from this. Finally, the dual signature is created by encrypting the MD with the customer's secret key. The dual signature is sent to both the merchant and the bank. The protocol arranges for the merchant to see the MD of the PI without seeing the PI itself, and the bank sees the MD of the OI but not the OI itself. The dual signature can be verified using the MD of the OI or PI, without requiring either the OI or PI. Privacy is preserved because the MD can't be reversed, which would otherwise reveal the contents of the OI or PI.
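The following added example (not code from the SET specification or from any SET implementation) shows the dual-signature construction just described, and also the split of the customer's message in step 2 of the "How it works" section: the merchant receives the order information (OI) in clear plus only the digest of the payment information (PI), the bank receives PI plus only the digest of OI, and each can verify the one signature over both. The key generation is a textbook RSA key pair with no padding, written here purely for the illustration; the digest algorithm (SHA-256), the message formats and the field values are constructed assumptions, not SET's own.

```python
"""Dual signature from SET: DS = Sign( H( H(OI) || H(PI) ) ).

Constructed illustration.  Textbook RSA (no padding) and SHA-256 are
assumptions made for this example; SET used X.509-certified keys and its
own message formats, which are not reproduced here.
"""
import hashlib
import math
import random


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has the intended width."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Textbook RSA key pair (assumption for the illustration, unpadded).
    n is wider than a SHA-256 digest, so a digest fits in one RSA block."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def md(data: bytes) -> bytes:
    """Message digest; SHA-256 chosen here for the example."""
    return hashlib.sha256(data).digest()


def dual_signature(oi: bytes, pi: bytes, private_key) -> int:
    """Customer side: hash OI and PI separately, hash the concatenation, sign."""
    n, d = private_key
    pomd = md(md(oi) + md(pi))  # digest over the two concatenated digests
    return pow(int.from_bytes(pomd, "big"), d, n)


def _verify(md_oi: bytes, md_pi: bytes, ds: int, public_key) -> bool:
    """Recompute H(H(OI) || H(PI)) from the two digests and check the signature."""
    n, e = public_key
    expected = int.from_bytes(md(md_oi + md_pi), "big")
    return pow(ds, e, n) == expected


def merchant_verifies(oi: bytes, md_pi: bytes, ds: int, public_key) -> bool:
    """Merchant holds OI in clear and only the digest of PI."""
    return _verify(md(oi), md_pi, ds, public_key)


def bank_verifies(md_oi: bytes, pi: bytes, ds: int, public_key) -> bool:
    """Bank holds PI in clear and only the digest of OI."""
    return _verify(md_oi, md(pi), ds, public_key)


def run_purchase(public_key, private_key) -> dict:
    """Constructed OI/PI values; returns each party's verification result and
    whether a merchant-side change to the order amount is detected."""
    oi = b"order=1234;item=book;amount=19.99"        # constructed OI
    pi = b"pan=TEST-PAN-PLACEHOLDER;exp=12/29;amount=19.99"  # constructed PI
    ds = dual_signature(oi, pi, private_key)
    tampered_oi = oi.replace(b"19.99", b"1.99")
    return {
        "merchant_ok": merchant_verifies(oi, md(pi), ds, public_key),
        "bank_ok": bank_verifies(md(oi), pi, ds, public_key),
        "tampered_oi_detected": not merchant_verifies(tampered_oi, md(pi), ds, public_key),
    }


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print(run_purchase(pub, priv))
```

The point the code makes concrete is the privacy property in the text: `merchant_verifies` never receives `pi`, only `md(pi)`, and `bank_verifies` never receives `oi`, yet both check the same signature, and any change to the part a party does hold (the tampered order amount) breaks verification.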

