Secure Electronic Transaction (SET)

SET is an open encryption and security specification designed to protect credit card transaction on the Internet. It provides secure communication channel in a transaction, X.509v3 digital certificates#, and privacy to the client with dual signature.

Using the SET technology, the credit card holder could order an item with payment from a merchant over the internet. This is with the assumption that both receives certificates from Certificate Authority (CA)# so that they could place trust on each other. The merchant is verified when the order is placed. The payment authorisation will be initiated by the merchant to the payment gateway once the order is confirmed. After providing the goods and services, and merchant requests payments from the gateway. Payment gateway will verify both the holder and the merchant by asking the validation from acquirer (checking with CA). If both parties are trusted and valid, the acquirer will get the payment from issuer and redirect it to the merchant.

To protect the holder’s privacy, dual signature is implemented. It is done by hashing the concatenation of two message digests (hashed information), Payment Information Message Digest (PIDM) and Order Information Message Digest (OIDM), i.e., Payment Order Message Digest (PODM), and encrypts it with client’s private signature key. This could be understand as a mathematical formula shown below:

$$ DS = E_{KR_c} [H(H(PI)||H(OI))] $$

Where:

  • \(PI\) is the Payment Information
  • \(OI\) is the Order Information
  • \(H\) is the hash function used
  • \(E\) is the encryption scheme used
  • \(KR_c\) is the customer’s private signature key
  • \(||\) indicates concatenation

After decrypting, the merchant will get OI and PIDM whereas the issuer will get PI and OIDM. Both PIDM and OIDM could be used to verify the signature without revealing the content in them. Merchant knows and needs only the order details, and issuer knows and needs only the credit card information.

There are several SET transaction types:

  • cardholder registration
  • merchant registration
  • purchase request
  • payment authorisation
  • payment capture (request payment from payment gateway)
  • certificate inquiry and status
  • purchase inquiry
  • authorisation reversal
  • capture reversal
  • credit (refund)
  • credit reversal
  • payment gateway certificate request
  • batch administration (for merchant)
  • error message
Links to this page
#networking #security