
1 Secure Electronic Transactions (Henric Johnson)
An open encryption and security specification.
Protects credit card transactions on the Internet.
Companies involved:
– MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
Not a payment system.
Set of security protocols and formats.

2 SET Overview
Key Features of SET:
– Confidentiality of information
– Integrity of data
– Cardholder account authentication
– Merchant authentication

3 SET Participants

4 Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.

5 Sequence of events for transactions (contd.)
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant requests payment.

6 Dual Signature

7 Purchase Request
Cardholder sends Purchase Request

8 Payment processing
Merchant Verifies Customer Purchase Request

9 The transactions of SET
– Purchase Request
– Purchase Response
– Payment authorization
– Payment Capture

10 Purchase Request
Initiate Request
– The customer requests the certificates of the merchant. This message includes the brand of the credit card used by the customer, the ID for the message and a nonce.
Initiate Response
– This includes the merchant’s signature certificate and the payment gateway’s key exchange certificate.

11 Purchase Request
1. Purchase related information
– PI (Payment information)
– The Dual Signature
– The OI Message Digest (OIMD)
– The digital envelope

12 Purchase Request
2. Order related information
– OI (Order information)
– The Dual Signature
– The PI Message Digest (PIMD)
– The digital envelope
3. Cardholder Certificate
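
Added example (not part of the original slides): the dual-signature linkage behind slides 6, 8, 11 and 12, where the merchant checks the signature from OI and PIMD and the payment gateway checks it from PI and OIMD. The construction (signing the hash of PIMD || OIMD) is the standard SET one that the slides name but do not spell out; SHA-256, the toy unpadded RSA key and the sample PI/OI strings are assumptions for illustration.

```python
import hashlib

# Toy cardholder key (assumption): textbook RSA over two known Mersenne
# primes, no padding. Illustration only, never a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(data: bytes) -> bytes:
    """Message digest; SHA-256 stands in for the hash used by SET."""
    return hashlib.sha256(data).digest()


def linked_digest(pimd: bytes, oimd: bytes) -> int:
    """H(PIMD || OIMD): the value that ties payment and order together."""
    return int.from_bytes(digest(pimd + oimd), "big")


def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: sign the linked digest with the private key."""
    return pow(linked_digest(digest(pi), digest(oi)), D, N)


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD only; the PI itself stays hidden."""
    return pow(ds, E, N) == linked_digest(pimd, digest(oi))


def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI and OIMD only; the OI stays hidden."""
    return pow(ds, E, N) == linked_digest(digest(pi), oimd)


# Constructed sample data (not from the slides).
PI = b"card=XXXX-XXXX-XXXX-0000;amount=25.00;txid=1001"
OI = b"item=book;qty=1;amount=25.00;txid=1001"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, digest(PI), DS))
    print("gateway accepts:", gateway_verify(PI, digest(OI), DS))
    swapped = b"item=tv;qty=1;amount=25.00;txid=1001"
    print("swapped OI accepted:", merchant_verify(swapped, digest(PI), DS))
```

Because both digests feed one signature, a merchant cannot attach the customer's payment to a different order, and neither party needs to see the other's half in the clear.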

13 Purchase Response
– This includes an acknowledgement of the purchase request and a reference number.
– This block is signed with the merchant’s private signature key.
– The block and signature are sent along with the signature certificate of the merchant.

14 Payment Authorization
1. Authorization Request
2. Authorization Response
Authorization request message
The merchant sends an authorization request message to the payment gateway consisting of:
1. Purchase related information
– PI
– Dual Signature
– OIMD
– The digital envelope

15 Authorization request message (contd.)
2. Authorization related information
– This information is generated by the merchant and consists of:
  – An authorization block that includes the transaction ID, signed with the merchant’s private key and encrypted with the one-time session key
  – A digital envelope
3. Certificates
– This includes the cardholder’s signature key certificate, the merchant’s signature key certificate and the merchant’s key exchange certificate.

16 The authorization response is sent from the payment gateway to the merchant and includes the following:
1. Authorization related information
2. Capture token information
3. Gateway’s certificate

17 Payment Capture
Capture request
– Sent by the merchant to the payment gateway, consisting of the signed and encrypted payment amount and transaction ID
Capture response
– The payment gateway notifies the merchant of the payment using this message

18 Payment processing
Payment Authorization:
– Authorization Request
– Authorization Response
Payment Capture:
– Capture Request
– Capture Response

19 Recommended Reading and Web sites
– Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999
– Garfinkel, S., and Spafford, G. Web Security & Commerce. O’Reilly and Associates, 1997
– MasterCard SET site
– Visa Electronic Commerce Site
– SETCo (documents and glossary of terms)

