This document was created to provide an introductory view of an emerging technology: secure electronic transaction. This overview was written as a class project for Patterns of Electronic Commerce, Fall 1997, at Goizueta Business School.
Introduction
Today, when you want to buy a new shirt, you go to a store of your choice. You choose a shirt and walk to the cash register to pay. The store clerk smiles and rings up your purchase. You smile back and provide your method of payment. You leave the store happy with your new shirt in hand. Electronic commerce would change this scenario. You would be shopping in a cybermall or on a web site. No human interaction is involved. One of the important features of electronic commerce is the cashless transaction. The Internet has provided low-cost and easy access for sellers to reach a buying community. The ease of use of the Internet creates a major obstacle: security. When a buyer sends a message to purchase to the seller several questions are generated:
There is a need to create a process that ensures that both parties are who they claim to be, the data is kept secret and not changed during transmission, the method of payment is valid, and the transaction can be confirmed.
Secure electronic transaction (SET) is a technology which offers end to end secure payment processing transactions via the Internet. Essentially, SET protects key bits of information required for credit card purchases. The SET protocol is designed to protect both buyer and seller from credit card fraud. Instead of providing merchants with access to credit card numbers, SET encodes the numbers so only the consumer and financial institution have access to them.
In 1995 Netscape developed an encrypted credit card protocol, Secure Socket Layer (SSL). Initially, Visa International, Inc. and Microsoft Corp. proposed one standard for secure transactions called SET (Secured Electronic Transactions). MasterCard International, Inc. and Netscape Communications Corp. supported another standard called STT (Secure Transaction Technology). The banking community encouraged the two parties to get together to develop one set of standards. Visa and MasterCard combined forces with Microsoft, Netscape, IBM, GTE Corp., Securities Industry Automation Corp., and VeriSign, Inc. to implement security standards. The SET standards were developed in 1996 and pilots are scheduled to begin November 1997.
There are four major players involved in the SET system.
Buyer (Cardholder) 
The buyer is issued an electronic version of a payment card or certificate. The certificate contains information about the card number and the certificate authority. The buyer must install software on a PC which supports the use of a digital certificate. This software, called an "electronic wallet", can communicate with an Internet browser.
Seller (Merchant)
A seller also receives a digital certificate that contains merchant information and the connection to the card acquirer and certificate authority. The merchant installs software that enables secure communication and identification of the merchant.
Certificate Authority
A certificate authority is a trusted party, such as VeriSign, Inc. or CyberTrust, which is authorized by the card issuer and the card acquirer to issue electronic digital certificates to cardholders and merchants. A certificate consists of a set of electronic data, containing cryptographic keys and other data. The certificate is a foolproof way of identifying both consumer and merchant. It is not credit; it only verifies the identity of the user.
Card Acquirer
The card acquirer validates the cardholder’s (buyer) and merchant’s (seller) certificates and reads the buyer’s payment data. The card acquirer works with several different card issuers.
How does SET work?
SET requires that an individual possess a digital certificate for each credit card that he or she plans to use. The buyer will install the electronic wallet software and request the digital certificate. The card issuer or its certificate authority will create a digital certificate and transmit it to the cardholder’s PC. A similar process takes place between the merchant and the card acquirer. All communication during the certificate issuance is encrypted.
The buyer and seller are ready to conduct secure business transactions. Let’s use the shirt buying experience from above as an example. The buyer goes to the home page on the Internet and finds a shirt to purchase. The buyer chooses the payment card from the electronic wallet on the PC. The software at the cardholder’s PC will verify the merchant’s certificate and transmit the certificate attached to the payment card. The cardholder’s software creates a digital signature. The signature is verified by the recipient by means of the certificate. SET transactions are encrypted mathematically. The SET encryption ensures that the payment instructions which are created by the cardholder’s PC cannot be read by the merchant or anyone else. Only the card issuer and the card acquirer can read the payment instructions. The order data cannot be read by the card issuer or the card acquirer.
When the merchant receives the order and payment information, the payment data is sent to the card acquirer to obtain authorization (approval) from the card issuer. The card acquirer decrypts the cardholder’s payment instructions. When approval is granted by the card issuer, it will be transmitted via the card acquirer to the merchant. The merchant confirms approval to the cardholder. The seller (merchant) ships the shirt to the buyer.
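The split described above (the merchant can check the order but never sees the payment instructions, and the acquirer the reverse) is what SET's dual signature provides: one signature binds both halves, and each party verifies it using its own half plus a digest of the other. The sketch below is an added example, not code from the original page or from the SET specification. The toy RSA key, the use of SHA-256, and the sample order and card strings are constructed assumptions, and the encryption of the payment instructions is left out.

```python
import hashlib

# Toy RSA key for the cardholder's wallet (constructed for this example and
# far too small for real use). Both factors are known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the wallet


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _to_int(d: bytes) -> int:
    # Reduce the digest into the toy modulus; real RSA signing uses padding.
    return int.from_bytes(d, "big") % N


def dual_sign(order: bytes, payment: bytes) -> int:
    """Wallet: sign H(H(payment) || H(order)) with the private key."""
    return pow(_to_int(digest(digest(payment) + digest(order))), D, N)


def merchant_verify(order: bytes, payment_digest: bytes, sig: int) -> bool:
    """Merchant holds the order and only a digest of the payment instructions."""
    return pow(sig, E, N) == _to_int(digest(payment_digest + digest(order)))


def acquirer_verify(payment: bytes, order_digest: bytes, sig: int) -> bool:
    """Acquirer holds the payment instructions and only a digest of the order."""
    return pow(sig, E, N) == _to_int(digest(digest(payment) + order_digest))


# Constructed sample data (not a real card number).
ORDER = b"1 shirt, size M, blue, $25.00"
PAYMENT = b"card=0000-0000-0000-0000;exp=12/99;amount=25.00"
SIG = dual_sign(ORDER, PAYMENT)

if __name__ == "__main__":
    print(merchant_verify(ORDER, digest(PAYMENT), SIG))         # True
    print(acquirer_verify(PAYMENT, digest(ORDER), SIG))         # True
    print(merchant_verify(b"10 shirts", digest(PAYMENT), SIG))  # False
```

Because both verifications recompute the same combined digest, changing either the order or the payment instructions after signing makes the signature fail for both parties.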
Effects of SET on E-Commerce
SET is going to make fraud more difficult. Merchants will be divided between secure and non-secure. Consumers will become more comfortable with purchases. The credit card information never goes to merchants. SET will provide a seamless, fraud-resistant way to conduct financial transactions, like fingerprints. It offers end-to-end secure processing from point of sale to clearance by the relevant financial institution over the Internet.
SET could lead to an explosion of on-line commerce once customers become comfortable with the safety of the standards. Visa has estimated that $1 billion US worth of e-commerce transactions are conducted over the Internet. Of that amount, 80% use credit cards as a means of payment (New Straits Times, October 23, 1997). Last year (1996) web commerce racked up sales of just $73 million in the consumer market and $12 million in the business to business market (estimated). By the year 2000 consumers will spend $10 billion and business $134 billion over the web, according to a survey by Boston-based Yankee Group, Inc. Other predictions are from $95 billion to $730 billion (World Trade, April 1997). MasterCard forecasts that Internet-based electronic commerce will rise to $10 billion in the year 2000 from $800 million in 1996.
SET solves the security challenges of privacy, which entails account number protection; message integrity; and industry standards. International: The European community is slightly ahead of the US in secure transactions. Visa has chosen Europe for its largest pilot program to test secure electronic commerce.
Potential limitations of SET
1. Does not provide standards for checks. The only method of payment is credit cards.
2. Does not solve the dilemma of product returns.
3. Extra steps involved in getting a certificate may be perceived as cumbersome to the consumer. However, the cost of the electronic wallet is insignificant to the consumer.
4. The cost of implementing SET could be significant depending on the implementation method used by the business. If a company has a web site currently, the implementation would not be as costly. They could also join a cybermall to reduce cost. For the financial institutions, it could be a substantial investment for the gateway infrastructure. Cost could be reduced if they share a common gateway for transaction clearance.
Although cost is a major concern, security is by far the critical issue. SET provides an industry wide solution to the problem.
For comments or questions contact: Raquel Morgan at Raquel_Morgan@bus.emory.edu
This page last updated on November 10, 1997.