i. Secure Electronic Transaction (SET) is an open encryption and security specification designed to protect credit card transactions on the Internet. The current version SET VI, emerged from a call for security standards by Master Card and Visa in February 1996.

ii. SET is not itself a payment system. Rather it is a set of security protocols and formats that enables users to empty the existing Credit card payment infrastructure on an open network, such as the Internet, in secure fashion.

iii. In essence, SET provides three services:

• Provides a secure communication channel among all parties involved in a transaction.
• Provides trust by the use of X.509 v3 digital certificates.
• Ensures privacy because the information is only available to parties in a transaction when and where necessary.

iv. Requirements of SET (Secure Electronic Transaction):

• Provide Confidentiality of Payment and ordering information: It is necessary to assure cardholders that this information is safe and accessible only to the intended recipient. Confidentiality also reduces the risk of fraud by either party to the transaction or by malicious third parties. SET uses encryption to provide confidentiality.
• Ensure the integrity of all transmitted data: That is ensure that no changes in content occur during transmission of SET messages. Digital Signatures are used to provide integrity.
• Provide authentication that a Cardholder is a legitimate user of a credit card account: A mechanism that links a cardholder to a specific account number reduces the incidence of fraud and the overall cost of payment processing. Digital Signatures and Certificates are sued to verify that a Cardholder is a legitimate user of a valid account.
• Provide authentication that a merchant can accept credit card transact tions through it’s relationship with a financial institution: This is the complement to the preceding requirement. Cardholders need to be able to identify merchants with whom they can conduct secure transactions. Again, digital signatures and certificates are used.
• Ensure the use of the best security practices and System design techniques to protect all legitimate parties in an electronic commerce transaction : SET is a well-tested specification based on highly secure cryptographic algorithms and protocols.
• Create a protocol that neither depends on transport security mechanisms nor prevents their use: SET can securely operate over a “raw” TCP/IP stack. However, SET does not interfere with the use of other security mechanisms, such as IPsec and SSL/TLS.
• Facilitate and encourage interoperability among software and network providers: The SET protocols and formats are independent of hardware platform, operating system and web software.

v. Key Features of SET:

• Confidentiality of Information: Cardholder account and payment information is secured as it travels across the network. An interesting and important feature of SET is that it prevents the merchant from learning the cardholder’s credit card number; This is only provided to the Issuing bank. Conventional encryption by DES is used to provide confidentiality.
• Integrity of Data: Payment Information sent from cardholders to merchants order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transit. RSA digital signatures, using SHA-1 hash codes, provide message integrity. Certain messages are also protected by HMAC using SHA-1.
• Cardholder Account Authentication: SET enables merchants to verify that a cardholder is a legitimate user of a valid card account number. SET uses X.509 v3 digital certificates with RSA signatures for this purpose.
• Merchant Authentication: SET enables cardholders to verify that a merchant has a relationship with a financial institution allowing it to accept payment cards. SET uses X.509v3 digital certificates with RSA signatures for this purpose. SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements, whereas IPsec and SSl/TLS are intended to support a range of applications.

vi. SET Participants:

$$\text{Figure 6.6 SET participants}$$

Figure indicates the participants in the SET system, which includes the following:

• Cardholder: In the electronic environment, consumers and corporate purchasers interact with merchants personal computers over the Internet. A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer.
• Merchant: A merchant is a person or organization that has goods or services to sell the cardholder. Typically, these goods and services are offered via a Website or by electronic mail. A merchant that accepts payment cards must have a relationship with an acquirer.
• Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. Typically, accounts are applied for and opened by mail or in person. Ultimately, it is the issuer that is responsible for the payment of the debt of the cardholder.
• Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant’s account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for electronic funds transfer.
• Payment Gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions. The merchant exchanges SET messages with the payment gateway over the Internet, while the payment gateway has some direct or network connection to the acquirer’s financial processing system.
• Certification Authority (CA) : This is an entity that is trusted to issue X.509v3 public key certificates for cardholders, merchants and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this purpose. A hierarchy of CAs is used, so that participants need not be directly certified by a root authority.

vii. Sequences of events required for a transaction:

1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant request payment.