
Internet Commerce Using SET

[Section 7.7.2 of the First Edition]

Secure electronic transactions (SET) is a protocol specifically designed to secure payment-card transactions over the Internet. It was originally developed by Visa International and MasterCard International in February 1996 with participation from leading technology companies around the world. SET Secure Electronic Transaction LLC (commonly referred to as SETCo) was established in December 1997 as a legal entity to manage and promote the global adoption of SET [SetCo 1999]. Some of the principal characteristics of SET are as follows:

A SET transaction uses three software components:

In what follows, we give a highly simplified overview of the SET protocol. In reality, the protocol is substantially more complex.

Steps in Making a Purchase

Suppose Bob wants to purchase a good over the Internet from Alice Incorporated using SET.

  1. Bob indicates to Alice that he is interested in making a credit card purchase.

  2. Alice sends Bob an invoice and a unique transaction identifier.

  3. Alice sends Bob the merchant's certificate, which includes the merchant's public key. Alice also sends the certificate for her bank, which includes the bank's public key. Both of these certificates are encrypted with the private key of a certifying authority.

  4. Bob uses the certifying authority's public key to decrypt the two certificates. Bob now has Alice's public key and the bank's public key.

  5. Bob generates two packages of information: the order information (OI) package and the purchase instructions (PI) package. The OI, destined for Alice, contains the transaction identifier and brand of card being used; it does not include Bob's card number. The PI, destined for Alice's bank, contains the transaction identifier, the card number, and the purchase amount agreed to by Bob. The OI and PI are dual encrypted: the OI is encrypted with Alice's public key; the PI is encrypted with Alice's bank's public key. (We are bending the truth here in order to see the big picture. In reality, the OI and PI are encrypted with a customer-merchant session key and a customer-bank session key.) Bob sends the OI and the PI to Alice.

  6. Alice generates an authorization request for the card payment request, which includes the transaction identifier.

  7. Alice sends to her bank a message encrypted with the bank's public key. (Actually, a session key is used.) This message includes the authorization request, the PI package received from Bob, and Alice's certificate.

  8. Alice's bank receives the message and unravels it. The bank checks for tampering. It also makes sure that the transaction identifier in the authorization request matches the one in Bob's PI package.

  9. Alice's bank then sends a request for payment authorization to Bob's payment-card bank through traditional bank-card channels, just as Alice's bank would request authorization for any normal payment-card transaction.

  10. Once Bob's bank authorizes the payment, Alice's bank sends a response to Alice, which is (of course) encrypted. The response includes the transaction identifier.

  11. If the transaction is approved, Alice sends her own response message to Bob. This message serves as a receipt and informs Bob that the payment was accepted and that the goods will be delivered.

One of the key features of SET is the nonexposure of the credit-card number to the merchant. This feature is provided in Step 5, in which the customer encrypts the credit-card number with the bank's key. Encrypting the number with the bank's key prevents the merchant from seeing the credit-card number. Note that the SET protocol closely parallels the steps taken in a standard payment-card transaction. To handle all the SET tasks, the customer will have a so-called digital wallet that runs the client side of the SET protocol and stores customer payment-card information (card number, expiration date, etc.). Readers interested in learning more about SET are encouraged to see the SETCo page [SetCo 1999] or the SET documentation at the MasterCard site [MasterCard 1999]. There are also several good books on SET [Merkow 1998; Loeb 1998].
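The following is a worked simulation of Steps 5 through 8, added here as an illustration; it is not code from the book or from SETCo. The two session keys the text mentions are modelled as constructed pre-shared keys, and a constructed HMAC-SHA256 keystream with an HMAC tag stands in for SET's real cipher suite. It shows that the merchant can open only the OI and must forward the PI unopened, and that the bank rejects a tampered PI and a mismatched transaction identifier.

```python
import hashlib, hmac, json, secrets

def _stream(key, nonce, n):
    """HMAC-SHA256 counter keystream of n bytes (constructed toy, not SET's cipher)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON package; stands in for SET's public-key/session-key encryption."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag first (the bank's 'check for tampering' in Step 8), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampering detected or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def customer_packages(txn_id, card_number, amount, k_cust_merch, k_cust_bank):
    """Step 5: OI for the merchant (no card number), PI for the bank."""
    oi = {"txn": txn_id, "brand": "VISA"}
    pi = {"txn": txn_id, "card": card_number, "amount": amount}
    return seal(k_cust_merch, oi), seal(k_cust_bank, pi)

def merchant_request(oi_blob, pi_blob, k_cust_merch, k_merch_bank):
    """Steps 6-7: read the OI, forward the PI unopened inside an authorization request."""
    oi = open_(k_cust_merch, oi_blob)
    assert "card" not in oi  # the merchant holds no key that opens the PI
    return seal(k_merch_bank, {"auth": {"txn": oi["txn"]}, "pi": pi_blob.hex()})

def bank_authorize(msg_blob, k_merch_bank, k_cust_bank):
    """Step 8: unwrap, check tampering, and match the two transaction identifiers."""
    msg = open_(k_merch_bank, msg_blob)
    pi = open_(k_cust_bank, bytes.fromhex(msg["pi"]))
    if pi["txn"] != msg["auth"]["txn"]:
        raise ValueError("transaction identifier mismatch")
    return {"txn": pi["txn"], "amount": pi["amount"], "approved": True}

def run_purchase(tamper=False):
    """Drive the flow with constructed keys and a constructed card; returns the bank's response."""
    k_cm, k_cb, k_mb = (secrets.token_bytes(32) for _ in range(3))
    oi_blob, pi_blob = customer_packages("TXN-0001", "4111111111111111", 42.50, k_cm, k_cb)
    if tamper:  # simulate a PI altered in transit; the bank's tag check must catch it
        pi_blob = pi_blob[:20] + bytes([pi_blob[20] ^ 1]) + pi_blob[21:]
    return bank_authorize(merchant_request(oi_blob, pi_blob, k_cm, k_mb), k_mb, k_cb)
```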




Copyright © 1995 - 2010 Pearson Education. All rights reserved. Pearson Addison Wesley is an imprint of Pearson.