Secure Electronic

Transaction(SET)

PRESENTED BYHARSH MEHTA

What Is SET?• SET is an open encryption and security specification designed to protect credit card transactions on the Internet.

• SET is not itself a payment system. Rather it is a set of security protocols and formats that enables users to use the credit card payment infrastructure on an open network, such as the Internet, in a secure fashion.

• It was first used in February 1996 and was proposed by Visa and Master Card. A wide range of companies were involved in developing the initial specification, including IBM, Microsoft, Netscape, RSA, Terisa, and Verisign

Key Features of SET• Confidentiality of information.

• Integrity of Data.

• Cardholder account authentication.

• Merchant authentication.

Confidentiality of Information

• A credit card holder’s personal and payment information is secured as it travels across the network.

• An interesting feature of SET is that the merchant never sees the credit card number.

•This is only provided to the issuing bank. Conventional encryption using DES is used to provide confidentiality.

Integrity of Data• Payment information sent from cardholders to merchants include

i. personal information,

ii. payment instructions.

iii. order information.

• SET guarantees that these message contents are not altered in transit. Using SHA-1 hash codes, data integrity provided.

Cardholder Account Authentication

• SET enables merchants to verify that a cardholder is legitimate user of a valid card account number.

• SET uses X.509v3 digital certificates with RSA signatures for this purpose.

Merchant Authentication• SET enables cardholders to verify that a merchant has a relationship with a financial institution which allow it to accept payment cards.

• SET uses X.509v3 digital certificates with RSA signatures for this purpose.

SET Components and Participants

SET Participants• Cardholder

• Merchant

• Issuer

• Acquirer

• Payment Gateway

• Certification Authority

Cardholder & Merchant Cardholder

◦ This is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer.

Merchant

◦ This is a person or organization who has things to sell to the cardholder. Ex.flipcart,ebay.

Issuer & Acquirer

Issuer

◦ This is a financial institution such as a bank that provides the card holder with the payment card. Ex: mastercard,visa card.

Acquirer

◦ This is a financial institution that establishes an account with the merchant and processes credit card authorizations and payments.

◦ The acquirer provides authorization to the merchant that a given card account is active. ◦ The Acquirer also provides electronic payments transfers to the merchant’s account.

Payment Gateway

• This is a function that can be undertaken by the acquirer that processes merchant payment messages.

• The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions.

Certification Authority(CA)• This is an entity that is entrusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.

SET Transactions

Events required for a Successful SET

Transaction The customer opens an account with a card issuer.◦MasterCard, Visa, etc.

The customer receives a X.509 V3 certificate signed by a bank.◦X.509 V3

A merchant who accepts a certain brand of card must possess two X.509 V3 certificates.◦One for signing & one for key exchange

The customer places an order for a product or service with a merchant’s website.

The merchant sends a copy of its certificate for verification.

Events required for a Successful SET Transaction

Cont’d The customer sends order and payment information to the merchant.

The merchant requests payment authorization from the payment gateway prior to shipment.

The merchant confirms order to the customer.

The merchant provides the goods or service to the customer.

The merchant requests payment from the payment gateway.

SET’s Dual Signature The purpose of the dual signature is to link two messages that are going to different recipients.◦ Order Information (OI): Customer to Merchant◦ Payment Information (PI): Customer to Bank

The customer needs to send OI and PI to merchant and bank respectively.

The merchant does not need to know the customers credit card number.

The bank does not need to know what the customer is buying.

however the two items must be linked in a way that can be used to resolve disputes if necessary.

Dual Signature

The operation for dual signature is as follows:Take the hash (SHA-1) of the payment and order information.These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed.Customer encrypts the final hash with a private key creating the dual signature.

DS = EKRC [ H(H(PI) || H(OI)) ]

DS Verification by Merchant• The merchant has the public key of the customer obtained from the customer’s certificate.

• Now, the merchant can compute two values:

H(PIMD || H(OI))

DKUC[DS]

• Should be equal!

DS Verification by Bank• The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, then the bank can compute the following:

H(H(PI) || OIMD)

DKUC [ DS ]

purchase request exchange consists of four messages:

1. Initiate Request

2. Initiate Response

3. Purchase Request

4. Purchase Response

Purchase Request

Initiate Request Basic Requirements:◦ Cardholder Must Have Copy of Certificates for Merchant and Payment

Gateway

Customer Requests the Certificates in the Initiate Request Message to Merchant◦ Brand of Credit Card◦ ID Assigned to this Request/response pair by customer.◦ nonce(timestamp) used to ensure timeliness.

Initiate Response Merchant Generates a Response• Signs with Private Signature Key.• Transaction ID for Purchase Transaction• Merchant’s Signature Certificate• Payment Gateway’s Key Exchange Certificate• the nonce from the customer• another nonce for the customer to return in the next message

Purchase Request Cardholder Verifies Two Certificates(merchant and gateway) Using Their CAs and Creates the OI and PI.

First SET Message Includes:◦Purchase-related Information◦Order-related Information◦Cardholder Certificate

Purchase Request – Customer

Purchase Request – Merchant

Purchase Response Message

Message that Acknowledges the Order and References Corresponding Transaction Number

Response Block is◦Signed by Merchant Using its Private Key◦Block and Signature Are Sent to Customer Along with Merchant’s

Signature Certificate

Upon Reception◦Verifies Merchant Certificate◦Verifies Signature on Response Block◦Takes the Appropriate Action

Payment Process The payment process is broken down into two steps:◦Payment authorization◦Payment capture

Payment Authorization The merchant sends an authorization request message to the payment gateway consisting of the following:Purchase-related information

◦PI◦Dual signature calculated over the PI & OI and signed with

customer’s private key.◦The OI message digest (OIMD)◦The digital envelop

Continue..◦Authorization-related information

An authorization block including:◦A transaction ID◦Signed with merchant’s private key◦Encrypted one-time session key

◦Certificates◦Cardholder’s signature key certificate◦Merchant’s signature key certificate◦Merchant’s key exchange certificate

Payment Gateway Authorization• verifies all certificates

• decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block

• verifies merchant's signature on authorization block

• decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block

• verifies dual signature on payment block

• verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer

• requests & receives an authorization from issuer

• sends authorization response back to merchant

Authorization Response Authorization Response Message◦Authorization-related Information◦Capture Token Information◦Certificate