SET APPLICATIONS Dr. Ayşe Başar Bener

Post on 29-Dec-2015

WHY SET?

• Security concern of:
  – Consumers
  – Merchants
  – Issuer, Acquirer and Settlement Banks
• Growth in volume of credit card transactions over the internet
  – Need a protocol that protects consumers and merchants alike, allowing each to verify the identities of the other parties without necessarily revealing credit card information
  – This level of authentication does not exist in other cryptography-based protocols: SSL


SET: A Brief History

• Visa and Microsoft:
  – Secure Transaction Technology (STT): 1995
• MasterCard, Netscape, IBM, CyberCash:
  – Secure Electronic Payment Protocol (SEPP): 1996


SET: A Brief History

• STT and SEPP:
  – Change the bankers’ treatment of internet-based credit card transactions
  – Require all parties to have digital certificates
  – Required having public key certificate authorities
  – Use industry standard public key cryptography techniques: Rivest, Shamir, Adleman (RSA)
  – Encrypt only credit card numbers and transactional data rather than the entire browser and shopping sessions
  – Enable using any type of credit card regardless of its issuer


SET: July 1997

• Objectives:

– Provide confidentiality of payment information

– Ensure the integrity of all transmitted data

– Provide authentication that a Cardholder is a legitimate user of a branded payment card account

– Provide authentication that a Merchant can accept payment card transactions through its bank

– Ensure the use of best security practices and system design techniques to protect all legitimate parties

– Facilitate and encourage interoperability among software and network providers


SET

• Out-of-band:
  – Phases that are not included under SET
  – Activities whose implementation is left up to the involved parties
  – Systems required for using SET
• Merchants and banks need to customise their own applications in order to plug into the SET infrastructure


PAYMENT SYSTEMS

• Closed Loop Systems
  – Amex, Discover, Diners Club
  – The bank serves as a broker between the user of its cards and the Merchants
• Open Loop Systems
  – Cardholder and Merchant have different banks, and the transaction is settled by a bank that is different from either of the two
  – Visa and MasterCard


Credit cards - a successful model

[Figure: Credit Card Arrangements. Parties shown: Cardholders, Issuers, Suppliers, Merchant, Acquirers. Flows shown between them: Goods; Signs Voucher; Voucher; Monthly Statement; Price of Goods + Annual Fee + Interest; Price of Goods Minus Merchant Service Charge (1.65%); Price of Goods Minus Interchange Fee (1%). Source: Office of Fair Trade, March 1994]


SETTLEMENT PROCESS

[Figure: settlement process. A Cards Processing Bank table lists transactions by BIN, account number and amount: BIN 123 with accounts 960, 812 and 1001 at 50 each, and further rows 456 225, 653 678, 978 842 and 965 433, also at 50. Through interchange between the banks, each bank then posts the items against its own accounts: Bank 123 debits accounts 960, 812 and 1001 by 50 each, and Bank 225 debits account 456 by 50, with the matching credit entries.]


SET: enter the Certificate Authority

Source: Visa SET Presentation, 1996

[Figure: SET Electronic Commerce Components. Components shown: Certification Authority; Cardholder; Internet; Merchant; Payment Gateway; Acquirer; Issuer; Payment Network.]


SET-security

• Implemented through Public-Private Key (PPK) cryptography through digital certificates

• SET’s Participants
  – Cardholders

– Merchants

– Acquirer payment gateways

– Credit and Debit Card Brand Associations

– Certificate Authorities


Digital Certificates

• Owner’s public key

• Owner’s name

• Expiration date of the public key

• Name of the certificate issuer

• Serial number of the certificate

• Digital signature of the certificate issuer


[Figure: Multiple CAs. Trust - Technical Architecture. Source: Identrus]


[Figure: Trust - Core Operating Flows. Source: Identrus]


Digital Signatures

[Figure: signing and signature check across a hostile network. Ali’s private key (secret) is applied as a mathematical transformation to the unsigned data, producing Signed Data + Message. The receiver fetches Ali’s public key (not secret) from a public directory and applies the inverse mathematical transformation as the signature check, which either confirms the signer as Ali or reveals tampering.]


SECURE ELECTRONIC TRANSACTIONS (SET)

• SET is implemented as pairs of request and response messages that serve the same functions as a POS terminal on a private network.

• These message pairs are wrapped in cryptography before being placed onto the public internet to hide their contents

• SET uses digital certificates for authentication of the customer and the merchant


SET

• Each participant in a SET transaction requires a specific certificate
  – uniquely identifies the participant
  – confirms privileges as a card holder or as a merchant
• cardholder certificates are constructed:
  – physical piece of plastic
  – signature at the back of it


SET

• Merchant certificates assure the transaction acquirer and the cardholders that the merchant is a
  – legitimate operator
  – honest brand
• SET certificate management and processing
  – certificates are kept current, safe, and always ready for use


SET

• Steps in SET
  – all SET software and digital certificates need to be in place
  – the shopping experience
    – item selection
    – check out
    – form of payment selection
    – payment initiation processing
    – payment authorisation request
    – delivery of goods
    – capture and settlement


SET

• Digital certificates
  – owner’s public key

– owner’s name

– expiration date of the public key

– name of the certificate issuer

– serial number of the certificate

– digital signature of the certificate issuer


SET

• Digital signature
  – on-line substitution for the written signature
  – an authentication that you are who you claim to be
  – legally binding endorsement of the document that you transmit
  – helps to ensure that the information in the message is not altered in any way
• Digital certificates are essential for SET
  – used to sign messages prior to their transmission


SET

• Step 1:
  – a cardholder selects the payment card on the Merchant’s SET payment module
• Step 2:
  – the merchant SET payment module sends to the cardholder e-wallet (specific to the card brand selected):
    • merchant signature and key exchange certificates
    • payment gateway signature and key exchange certificates


SET

• Step 3:
  – the cardholder e-wallet begins to screen the tree of trust among the certificate chain supplied
  – upon a successful screening, the e-wallet returns a copy of the cardholder signature to use in signing messages
  – cardholders normally will not process key exchange certificates since they are not responsible for message processing work.


SET

• Step 4:
  – with certificate exchange and trust tree screening steps complete, all parties are now authenticated and processing will begin
  – message protection and confidentiality can be assured, since all parties now “trust” one another.
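As an added example (not from the slides) tying together the certificate fields listed under Digital Certificates, the signing and signature check from the Digital Signatures slide, and the trust-tree screening of Steps 2 to 4: a textbook RSA signature over a toy brand-root / brand-CA / merchant chain, with the e-wallet's screening rejecting a tampered or expired link. The key sizes, names, serial numbers and day-number expiry dates are constructed for illustration and do not follow the real SET certificate encoding.

```python
import hashlib
from dataclasses import dataclass, replace

def toy_rsa_keypair(p, q, e=65537):   # textbook RSA from two constructed primes; returns (public, private)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data, n):         # hash first, then reduce so the integer fits the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):        # the "mathematical transformation" with the secret key
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):  # the inverse transformation with the public key
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

@dataclass(frozen=True)
class Cert:                  # the six fields the slides list for a digital certificate
    owner: str; pubkey: tuple; expires: int; issuer: str; serial: int; issuer_sig: int = 0
    def tbs(self):           # to-be-signed fields in a fixed encoding
        return f"{self.owner}|{self.pubkey}|{self.expires}|{self.issuer}|{self.serial}".encode()

def issue(issuer, issuer_priv, owner, pubkey, expires, serial):
    c = Cert(owner, pubkey, expires, issuer, serial)
    return replace(c, issuer_sig=sign(issuer_priv, c.tbs()))

def screen_chain(chain, root_pub, today):
    """Step 3 screening, leaf to root: every link must be unexpired, name-linked and
    signed by the next certificate's key; the root must be the trusted brand key."""
    if chain[-1].pubkey != root_pub:
        return False
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):   # the root checks itself
        if cert.expires < today or cert.issuer != issuer.owner:
            return False
        if not verify(issuer.pubkey, cert.tbs(), cert.issuer_sig):
            return False
    return True

# Constructed keys from Mersenne primes: trivially factorable, for the demo only.
ROOT_PUB, ROOT_PRIV = toy_rsa_keypair(2**31 - 1, 2**61 - 1)
BRAND_PUB, BRAND_PRIV = toy_rsa_keypair(2**19 - 1, 2**31 - 1)
MERCH_PUB, _ = toy_rsa_keypair(2**13 - 1, 2**17 - 1)
ROOT = issue("Brand Root CA", ROOT_PRIV, "Brand Root CA", ROOT_PUB, 9000, 1)
BRAND_CA = issue("Brand Root CA", ROOT_PRIV, "Brand Merchant CA", BRAND_PUB, 8000, 2)
MERCHANT = issue("Brand Merchant CA", BRAND_PRIV, "Example Shop", MERCH_PUB, 7000, 3)

def demo():
    chain = [MERCHANT, BRAND_CA, ROOT]
    good = screen_chain(chain, ROOT_PUB, today=6000)
    tampered = screen_chain([replace(MERCHANT, owner="Evil Shop")] + chain[1:], ROOT_PUB, today=6000)
    expired = screen_chain(chain, ROOT_PUB, today=7500)   # merchant certificate has lapsed, CA ones have not
    return good, tampered, expired
```

Renaming the owner field leaves the issuer's signature unchanged, so the signature check over the to-be-signed fields is what catches it; the key-exchange certificates of Step 2 would be screened the same way.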


SET

• Roles and responsibilities - cardholders
  – a web browser that contains an e-wallet component
    • Netscape and IE support e-wallet plug-ins or e-wallet programs
    • visit a web site and download one
  – once the e-wallet works properly, obtain a digital certificate for each credit card
    • visit the CA on-line
  – keep your private key component private through password protection
  – when sending messages through the Internet, make sure that the browser supports Secure Sockets Layer (SSL) encryption.


SET

• Roles and responsibilities - merchants

– merchant server POS software performs the tasks of cryptographic processing, message preparation, and merchant certificate management

– merchant servers communicate with both the cardholder’s web browser/e-wallet and acquirer payment gateways that serve the banks and payment card companies.

– Merchant POS software also communicates with the acquirer’s payment gateway for authorisation of charge requests, settlement of charges, and batch administration work.


SET

• Roles and responsibilities - acquirer payment gateways
  – operated on behalf of many financial institutions

– check currency and legitimacy of all certificates presented

– maintain an appropriate interface to traditional banking systems that permits the Internet to behave as though it is a private leased line connection to the banking networks


SET

• Roles and responsibilities - payment card brand associations (Visa, Mastercard, Amex)
  – maintain the SET root key that is used to sign all Brand certificates and establish brand certificate authority hierarchies

– establish brand certificates for legitimate SET uses

– no direct interactions with other parties


SET

• Roles and responsibilities - certificate authorities
  – gather authentication information from cardholders, merchants, and payment gateway operators who request certificates
  – forward the authentication data to the Issuer or Acquirer for verification
  – renewal processing of the previously issued certificates
  – maintain brand root keys
  – certify the presence of other CAs
  – revoke certificates on cancelled accounts as instructed by the card issuers
  – maintain the certificate revocation list for all compromised private keys.


Garanti Bank is among the first 10 banks in Europe to carry out a SET transaction.

[Timeline: April 97, July 97, February 98]

- First meetings with Visa and Mastercard; joining the SET pilot group
- The world’s first SET-compliant transaction was carried out in San Francisco.
- Garanti Bank, together with Spektrum Office Superstore, carried out the first SET transaction in Turkey.

The 4 banks taking part in the SET pilot study:
1. Gesellschaft für Zahlungssysteme - Germany
2. Sumitomo Credit Service - Japan
3. Bank of America - USA
4. Garanti Bankasi - Turkey


“Secure Shopping”

- 82 online stores, with 80 more still being set up

- Customer information is kept secure with SET and SSL solutions (SSL between the customer and the store, SET between the store and the bank)

- Giving full support to companies that want to open an online store while at the same time informing the market

- Not a high number of transactions yet, but the growth trend is strong