![Page 1: SET APPLICATIONS Dr. Ayşe Başar Bener. WHY SET? Security concern of: –Consumers –Merchants –Issuer, Acquirer and Settlement Banks Growth in volume of](https://reader034.vdocuments.net/reader034/viewer/2022042718/56649e765503460f94b78408/html5/thumbnails/1.jpg)
SET APPLICATIONS
Dr. Ayşe Başar Bener
WHY SET?
• Security concern of:
– Consumers
– Merchants
– Issuer, Acquirer and Settlement Banks
• Growth in volume of credit card transactions over the internet
– Need a protocol that protects consumers and merchants alike, allowing each to verify the identities of the other parties without necessarily revealing credit card information
– This level of authentication does not exist in other cryptography-based protocols such as SSL: SSL authenticates the merchant's server to the browser and encrypts the session, but in normal deployment it does not authenticate the cardholder, and the card number is handed to the merchant in the clear once the session is decrypted
SET: A Brief History
• Visa and Microsoft:
– Secure Transaction Technology (STT): 1995
• MasterCard, Netscape, IBM, CyberCash:
– Secure Electronic Payment Protocol (SEPP): 1996
SET: A Brief History
• STT and SEPP:
– Change the bankers' treatment of internet-based credit card transactions
– Require all parties to have digital certificates
– Require public key certificate authorities
– Use industry standard public key cryptography techniques: Rivest, Shamir, Adleman (RSA)
– Encrypt only credit card numbers and transactional data rather than the entire browser and shopping sessions
– Enable using any type of credit card regardless of its issuer
SET: July 1997
• Objectives:
– Provide confidentiality of payment information
– Ensure the integrity of all transmitted data
– Provide authentication that a Cardholder is a legitimate user of a branded payment card account
– Provide authentication that a Merchant can accept payment card transactions through its bank
– Ensure the use of best security practices and system design techniques to protect all legitimate parties
– Facilitate and encourage interoperability among software and network providers
SET
• Out-of-band:
– Phases that are not covered by SET
– Activities whose implementation is left up to the involved parties
– Systems required for using SET
• Merchants and banks need to customise their own applications in order to plug into the SET infrastructure
PAYMENT SYSTEMS
• Closed Loop Systems
– Amex, Discover, Diners Club
– A single bank (the card company itself) serves as a broker between the users of its cards and the Merchants
• Open Loop Systems
– Cardholder and Merchant have different banks, and the transaction is settled by a bank that is different from either of the two
– Visa and MasterCard
Credit cards - a successful model
[Figure: "Credit Card Arrangements" (Source: Office of Fair Trade, March 1994). Parties shown: Cardholders, Issuers, Merchants, Acquirers, Suppliers. Flows shown:
– Cardholder → Merchant: signs voucher; Merchant → Cardholder: goods (Suppliers → Merchant: goods)
– Merchant → Acquirer: voucher; Acquirer → Merchant: price of goods minus merchant service charge (1.65%)
– Acquirer → Issuer: voucher; Issuer → Acquirer: price of goods minus interchange fee (1%)
– Issuer → Cardholder: monthly statement; Cardholder → Issuer: price of goods + annual fee + interest]
SETTLEMENT PROCESS
[Figure: the cards processing bank sorts each voucher by BIN (the issuing bank's identification number), account number and amount, then passes the entries to the issuing banks over interchange; each issuing bank debits its cardholders' accounts and credits the processing bank. Entries recoverable from the diagram:

BIN | ACCT # | Amt
123 | 960 | 50
123 | 812 | 50
123 | 1001 | 50
225 | 456 | 50

Bank 123: debit accounts 960, 812 and 1001 by 50 each; credit.
Bank 225: debit account 456 by 50; credit.
Further BIN/account pairs appear in the diagram (653/678, 978/842, 965/433) without recoverable amounts.]
SET: enter the Certificate Authority
[Figure: "SET Electronic Commerce Components" (Source: Visa SET Presentation, 1996). The Cardholder and the Merchant communicate over the Internet; the Merchant communicates with the Payment Gateway over the Internet; the Payment Gateway connects the Acquirer and the Issuer over the private Payment Network; the Certification Authority issues certificates to the participants.]
SET-security
• Implemented through Public-Private Key (PPK) cryptography and digital certificates
• SET's Participants
– Cardholders
– Merchants
– Acquirer payment gateways
– Credit and Debit Card Brand Associations
– Certificate Authorities
Digital Certificates
• Owner’s public key
• Owner’s name
• Expiration date of the public key
• Name of the certificate issuer
• Serial number of the certificate
• Digital signature of the certificate issuer
Multiple CAs / Trust - Technical Architecture
[Figure; Source: Identrus]
Trust - Core Operating Flows
[Figure; Source: Identrus]
Digital Signatures
[Figure: Ali applies a mathematical transformation to the unsigned data using Ali's private key (secret), producing Signed Data + Message. The message crosses a hostile network, where it may be tampered with. The recipient obtains Ali's public key (not secret) from a public directory and applies the inverse mathematical transformation as the signature check: the result either matches the message (signed by Ali, not tampered with) or it does not.]
SECURE ELECTRONIC TRANSACTIONS (SET)
• SET is implemented as pairs of request and response messages that serve the same functions as a POS terminal on a private network.
• These message pairs are wrapped in cryptography (signed and encrypted) before being placed onto the public internet, so that their contents are hidden and any tampering is detectable
• SET uses digital certificates for authentication of the customer and the merchant (and of the payment gateway)
SET
• Each participant in a SET transaction requires a specific certificate
– uniquely identifies the participant
– confirms privileges as a cardholder or as a merchant
• Cardholder certificates are constructed as the electronic analogue of
– the physical piece of plastic
– the signature on the back of it
SET
• Merchant certificates assure the transaction acquirer and the cardholders that the merchant is
– a legitimate operator
– accepting an honest brand
• SET certificate management and processing
– certificates are kept current, safe, and always ready for use
SET
• Steps in SET
– all SET software and digital certificates need to be in place
– the shopping experience
– item selection
– check out
– form of payment selection
– payment initiation processing
– payment authorisation request
– delivery of goods
– capture and settlement
SET
• Digital signature
– on-line substitute for the written signature
– an authentication that you are who you claim to be
– legally binding endorsement of the document that you transmit
– helps to ensure that the information in the message has not been altered in any way
– Digital certificates are essential for SET
• messages are signed with the private key before transmission; the matching certificate lets the recipient verify the signature and bind it to the signer
SET
• Step 1:
– a cardholder selects the payment card on the Merchant's SET payment module
• Step 2:
– the merchant SET payment module sends to the cardholder e-wallet (specific to the card brand selected):
• merchant signature and key exchange certificates
• payment gateway signature and key exchange certificates
SET
• Step 3:
– the cardholder e-wallet screens the tree of trust among the certificate chain supplied (each certificate is checked up to the brand root)
– upon a successful screening, the e-wallet returns a copy of the cardholder signature certificate to use in signing messages
– cardholders normally do not process key exchange certificates, since they are not responsible for message processing work
SET
• Step 4:
– with the certificate exchange and trust tree screening steps complete, all parties are now authenticated and processing will begin
– message protection and confidentiality can now be assured: each party holds a verified public key for the others, so messages can be signed by the sender and encrypted for the intended recipient
SET
• Roles and responsibilities - cardholders
– a web browser that contains an e-wallet component
• Netscape and IE support e-wallet plug-ins or e-wallet programs
• visit a web site and download one
– once the e-wallet works properly, obtain a digital certificate for each credit card
• visit the CA on-line
– keep your private key component private through password protection
– when sending messages through the Internet, make sure that the browser supports Secure Sockets Layer (SSL) encryption.
SET
• Roles and responsibilities - merchants
– merchant server POS software performs the tasks of cryptographic processing, message preparation, and merchant certificate management
– merchant servers communicate with both the cardholder's web browser/e-wallet and the acquirer payment gateways that serve the banks and payment card companies
– Merchant POS software also communicates with the acquirer's payment gateway for authorisation of charge requests, settlement of charges, and batch administration work
SET
• Roles and responsibilities - acquirer payment gateways
– operated on behalf of many financial institutions
– check the currency and legitimacy of all certificates presented
– maintain an appropriate interface to traditional banking systems that permits the Internet to behave as though it is a private leased line connection to the banking networks
SET
• Roles and responsibilities - payment card brand associations (Visa, Mastercard, Amex)
– maintain the SET root key that is used to sign all Brand certificates and establish brand certificate authority hierarchies
– establish brand certificates for legitimate SET uses
– no direct interactions with other parties
SET
• Roles and responsibilities - certificate authorities
– gather authentication information from cardholders, merchants, and payment gateway operators who request certificates
– forward the authentication data to the Issuer or Acquirer for verification
– renewal processing of previously issued certificates
– maintain brand root keys
– certify the presence of other CAs
– revoke certificates on cancelled accounts as instructed by the card issuers
– maintain the certificate revocation list for all compromised private keys
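The following is an added example, not code from the slides or from any SET implementation. It builds the certificate fields listed on the "Digital Certificates" slide (owner's public key, owner's name, expiry, issuer name, serial, issuer's signature) into a toy brand-root → brand-CA → participant hierarchy, screens a chain the way Steps 3 and 4 describe (expiry, the CA's revocation list, issuer linkage, signature, trusted root), and then runs one purchase in which only the card data is encrypted, under the payment gateway's key, so the merchant authorises a signed order without ever seeing the card number. Textbook RSA with a Miller-Rabin key generator, SHA-256, Python's random module, the names BrandRoot, BrandCA, cardholder, merchant and gateway, the integer dates, the order id A17 and the constructed card number 4111111111111111 are all assumptions for illustration; the message layout is a simplification, not SET's actual message format.

```python
# Added example, not from the slides. Textbook RSA (no padding), short keys, the
# random module and the hypothetical names below are for illustration only.
import hashlib, json, random
E = 65537  # public exponent shared by every toy key

def is_probable_prime(n, rounds=12):  # Miller-Rabin; adequate for a toy keygen
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(c):
            return c

def keygen(bits=512):  # returns (public (n, e), private (n, d))
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % E:
            return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def sign(priv, data):  # private-key transformation of the SHA-256 digest
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])

def verify(pub, data, sig):  # inverse transformation with the public key
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def tbs(cert):  # canonical to-be-signed bytes: every field except the signature
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def make_cert(subject, pub, issuer, issuer_priv, serial, not_after):
    cert = {"subject": subject, "pub": list(pub), "not_after": not_after,
            "issuer": issuer, "serial": serial}  # the fields listed on the slide
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def verify_chain(chain, roots, now, revoked=frozenset()):
    """chain = [leaf, ..., root]; returns (ok, reason). Every link must be current,
    not on the CRL and signed by the next link; the last link must be a trusted root."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # the root signs itself
        if now > cert["not_after"]:
            return False, f"{cert['subject']}: expired"
        if (cert["issuer"], cert["serial"]) in revoked:
            return False, f"{cert['subject']}: revoked"
        if cert["issuer"] != issuer["subject"] or not verify(issuer["pub"], tbs(cert), cert["sig"]):
            return False, f"{cert['subject']}: not signed by its issuer"
    if (chain[-1]["subject"], chain[-1]["serial"]) not in roots:
        return False, "untrusted root"
    return True, "ok"

def build_pki(seed=7):  # brand root -> brand CA -> cardholder, merchant, gateway
    random.seed(seed)  # deterministic toy keys only
    root_pub, root_priv = keygen()
    ca_pub, ca_priv = keygen()
    root = make_cert("BrandRoot", root_pub, "BrandRoot", root_priv, 1, 3000)
    ca = make_cert("BrandCA", ca_pub, "BrandRoot", root_priv, 2, 2500)
    pki = {"roots": {("BrandRoot", 1)}, "revoked": set(), "priv": {}, "chain": {}}
    for name, serial in (("cardholder", 10), ("merchant", 11), ("gateway", 12)):
        pub, pki["priv"][name] = keygen()
        pki["chain"][name] = [make_cert(name, pub, "BrandCA", ca_priv, serial, 2200), ca, root]
    return pki

def purchase(pki, now=2000, pan="4111111111111111", amount=50):
    """One purchase; returns the PAN the gateway recovers, or the check that failed."""
    chain, roots, crl = pki["chain"], pki["roots"], pki["revoked"]
    for party in ("merchant", "gateway"):  # step 3: e-wallet screens both chains
        ok, why = verify_chain(chain[party], roots, now, crl)
        if not ok:
            return "cardholder rejects " + why
    # Only the card data is encrypted, under the gateway's key: the merchant never sees the PAN.
    order = json.dumps({"id": "A17", "merchant": "merchant", "amount": amount}).encode()
    pi = json.dumps({"pan": pan, "amount": amount}).encode()
    gw_n, gw_e = chain["gateway"][0]["pub"]
    enc_pi = pow(int.from_bytes(pi, "big"), gw_e, gw_n)
    signed = order + enc_pi.to_bytes(64, "big")
    sig = sign(pki["priv"]["cardholder"], signed)
    # Merchant, then gateway: screen the cardholder's chain and check the signature.
    ok, why = verify_chain(chain["cardholder"], roots, now, crl)
    if not ok or not verify(chain["cardholder"][0]["pub"], signed, sig):
        return "merchant rejects " + (why if not ok else "bad signature")
    gw_priv = pki["priv"]["gateway"]  # only the gateway can open the instruction
    m = pow(enc_pi, gw_priv[1], gw_priv[0])
    pi_out = json.loads(m.to_bytes((m.bit_length() + 7) // 8, "big"))
    return pi_out["pan"] if pi_out["amount"] == amount else "gateway rejects amount mismatch"
```

Run `purchase(build_pki())` to see the gateway recover the card number while the merchant only ever handled the signed order and an opaque ciphertext; move `now` past 2200, add `("BrandCA", 11)` to `pki["revoked"]`, or edit a certificate's subject to see the chain screening reject the transaction with the reason a gateway would log.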
Garanti Bank is among the first 10 banks in Europe to carry out a SET transaction.
[Timeline: April 97 - July 97 - February 98]
– April 97: first talks with Visa and Mastercard; joining the SET pilot group
– July 97: the world's first SET-compliant transaction was carried out in San Francisco
– February 98: Garanti Bank, together with Spektrum Office Superstore, carried out the first SET transaction in Turkey
The 4 banks taking part in the SET pilot study:
1. Gesellschaft für Zahlungssysteme - Germany
2. Sumimoto Credit Service - Japan
3. Bank of America - USA
4. Garanti Bankasi - Turkey
"Secure Shopping"
- 82 online stores, with work under way on 80 more
- Customer data is kept safe with SET and SSL solutions (SSL between the customer and the store, SET between the store and the bank)
- Giving full support to companies that want to open an online store, while also informing the market
- Transaction volumes are not high yet, but the growth trend is strong