
SET APPLICATIONS

Dr. Ayşe Başar Bener

WHY SET?

Security concern of:
- Consumers
- Merchants
- Issuer, Acquirer and Settlement Banks

Growth in the volume of credit card transactions over the Internet

Need for a protocol that protects consumers and merchants alike, allowing each to verify the identities of the other parties without necessarily revealing credit card information. This level of authentication does not exist in other cryptography-based protocols such as SSL.

SET: A Brief History

- Visa and Microsoft: Secure Transaction Technology (STT), 1995
- MasterCard, Netscape, IBM, CyberCash: Secure Electronic Payment Protocol (SEPP), 1996

SET: A Brief History

STT and SEPP:
- Change the bankers' treatment of Internet-based credit card transactions
- Require all parties to have digital certificates
- Require public key certificate authorities
- Use industry-standard public key cryptography techniques: Rivest, Shamir, Adleman (RSA)
- Encrypt only credit card numbers and transactional data rather than the entire browser and shopping session
- Enable using any type of credit card regardless of its issuer

SET: July 1997

Objectives:
- Provide confidentiality of payment information
- Ensure the integrity of all transmitted data
- Provide authentication that a Cardholder is a legitimate user of a branded payment card account
- Provide authentication that a Merchant can accept payment card transactions through its bank
- Ensure the use of best security practices and system design techniques to protect all legitimate parties
- Facilitate and encourage interoperability among software and network providers

SET
Out-of-band:
- Phases that are not included under SET
- Activities whose implementation is left up to the involved parties
- Systems required for using SET

Merchants and banks need to customise their own applications in order to plug into the SET infrastructure

PAYMENT SYSTEMS
Closed Loop Systems
- Amex, Discover, Diners Club
- The bank serves as a broker between the users of its cards and the Merchants

Open Loop Systems
- Cardholder and Merchant have different banks, and the transaction is settled by a bank that is different from either of the two
- Visa and MasterCard

Credit cards - a successful model

[Figure: Credit Card Arrangements, the four-party flow between Cardholders, Issuers, Merchants and Merchant Acquirers. The cardholder pays the issuer the price of goods plus annual fee plus interest and receives a monthly statement; the merchant supplies the goods and the cardholder signs a voucher; the merchant passes the voucher to its acquirer and receives the price of goods minus the merchant service charge (-1.65%); the acquirer passes the supplier's voucher to the issuer and receives the price of goods minus the interchange fee (-1%). Source: Office of Fair Trade, March 1994]

SETTLEMENT PROCESS

[Figure: Settlement process. Sample transactions, each identified by the card's BIN and account number and an amount of 50, flow from the cards processing bank through the banks' interchange and are posted as debits and credits to the accounts held at the individual banks (Bank 123, Bank 225, ...).]

SET: enter the Certificate Authority


SET Electronic Commerce Components

[Figure: the components and their links: Cardholder, Merchant, Internet Certification Authority, Issuer and Acquirer Payment Gateway, connected over the Internet and the Payment Network. Source: Visa SET Presentation, 1996]

SET security
Implemented through public-private key (PPK) cryptography and digital certificates

SET's participants:
- Cardholders
- Merchants
- Acquirer payment gateways
- Credit and debit card brand associations
- Certificate Authorities

Digital Certificates
- Owner's public key
- Owner's name
- Expiration date of the public key
- Name of the certificate issuer
- Serial number of the certificate
- Digital signature of the certificate issuer

Multiple CAs

Trust - Technical Architecture (Source: Identrus)

Trust - Core Operating Flows (Source: Identrus)

Digital Signatures

[Figure: Digital signatures. Party A applies the inverse mathematical transformation with Ali's private key (secret) to produce the signed data, which travels with the message across the hostile network; party B applies the mathematical transformation with Ali's public key (not secret, taken from a public directory) as the signature check. Unsigned data on the hostile network is exposed to tampering.]

SECURE ELECTRONIC TRANSACTIONS (SET)

SET is implemented as pairs of request and response messages that serve the same functions as a POS terminal on a private network. These message pairs are wrapped in cryptography before being placed onto the public Internet to hide their contents. SET uses digital certificates for authentication of the customer and the merchant.

SET
Each participant in a SET transaction requires a specific certificate that:
- uniquely identifies the participant
- confirms privileges as a cardholder or as a merchant

Cardholder certificates are constructed as the electronic counterpart of the physical piece of plastic and the signature on the back of it

SET
Merchant certificates assure the transaction acquirer and the cardholders of:
- a legitimate operator
- an honest brand

SET certificate management and processing ensures that certificates are kept current, safe, and always ready for use

Steps in SET

SET
- All SET software and digital certificates need to be in place
- The shopping experience: item selection, check out, form of payment selection, payment initiation processing, payment authorisation request, delivery of goods, capture and settlement

SET
Digital certificates
- owner's public key
- owner's name
- expiration date of the public key
- name of the certificate issuer
- serial number of the certificate
- digital signature of the certificate issuer

SET
Digital signature
- on-line substitute for the written signature
- an authentication that you are who you claim to be
- legally binding endorsement of the document that you transmit
- helps to ensure that the information in the message is not altered in any way

Digital certificates are essential for SET: they are used to sign messages prior to their transmission

SET
Step 1:
A cardholder selects the payment card on the Merchant's SET payment module.

Step 2:
The merchant SET payment module sends to the cardholder e-wallet (specific to the card brand selected):
- merchant signature and key exchange certificates
- payment gateway signature and key exchange certificates

SET
Step 3:
The cardholder e-wallet begins to screen the tree of trust among the certificate chain supplied. Upon a successful screening, the e-wallet returns a copy of the cardholder signature to use in signing messages. Cardholders normally will not process key exchange certificates, since they are not responsible for message processing work.

SET
Step 4:
With the certificate exchange and trust tree screening steps complete, all parties are now authenticated and processing will begin. Message protection and confidentiality can be assured, since all parties now trust one another.
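An added illustration (not from the slides or from any SET implementation) of the signature check in the Digital Signatures figure and of the tree-of-trust screening in Steps 3 and 4: textbook RSA signatures over the fields listed on the Digital Certificates slide, chained from a brand root down to a merchant certificate. The key generation, the party names and the JSON certificate layout are assumptions made for this demo; real SET used padded RSA with proper key sizes.

```python
import hashlib, json, math, random

def gen_prime(bits, rng):
    # Fermat test with fixed bases: adequate for a classroom key, not for real key generation.
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13, 17)):
            return c

def make_key(seed, e=65537):
    # Textbook RSA without padding: the slide's "mathematical transformation" and its inverse.
    rng = random.Random(seed)  # seeded only so the demo is repeatable (assumption, not SET practice)
    while True:
        p, q = gen_prime(256, rng), gen_prime(256, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # always below the 512-bit n

def sign(priv, data):        # inverse transformation, needs the secret key
    return pow(digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):  # forward transformation, needs only the public key
    return pow(sig, pub["e"], pub["n"]) == digest(data)

def cert_body(cert):
    # The fields of the "Digital Certificates" slide, minus the issuer's signature itself.
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()

def issue(issuer_name, issuer_priv, subject, subject_pub, serial, expires):
    cert = {"subject": subject, "public_key": subject_pub, "expires": expires,
            "issuer": issuer_name, "serial": serial}
    cert["signature"] = sign(issuer_priv, cert_body(cert))
    return cert

def verify_chain(chain, trusted_roots, today):
    # Screen the tree of trust leaf-first: each cert must be unexpired and signed by the
    # next one up, and the top must be a brand root key the e-wallet already holds.
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else None
        issuer_pub = issuer["public_key"] if issuer else trusted_roots.get(cert["subject"])
        if cert["expires"] < today or issuer_pub is None:
            return False
        if issuer and issuer["subject"] != cert["issuer"]:
            return False
        if not verify(issuer_pub, cert_body(cert), cert["signature"]):
            return False
    return True
```

To try it, create three key pairs with make_key, issue a self-signed root, a CA certificate signed by the root and a merchant certificate signed by the CA, then call verify_chain with the merchant-first list and a dict mapping the root's name to its public key; an expired certificate, a name mismatch, an altered field or a root key the wallet does not hold all make the screening fail.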

SET
Roles and responsibilities - cardholders
- A web browser that contains an e-wallet component: Netscape and IE support e-wallet plug-ins or e-wallet programs; visit a web site and download one
- Once the e-wallet works properly, obtain a digital certificate for each credit card: visit the CA on-line
- Keep your private key component private through password protection
- When sending messages through the Internet, make sure that the browser supports Secure Sockets Layer (SSL) encryption

SET
Roles and responsibilities - merchants
- Merchant server POS software performs the tasks of cryptographic processing, message preparation, and merchant certificate management
- Merchant servers communicate with both the cardholder's web browser/e-wallet and the acquirer payment gateways that serve the banks and payment card companies
- Merchant POS software also communicates with the acquirer's payment gateway for authorisation of charge requests, settlement of charges, and batch administration work

SET
Roles and responsibilities - acquirer payment gateways
- Operated on behalf of many financial institutions
- Check the currency and legitimacy of all certificates presented
- Maintain an appropriate interface to traditional banking systems that permits the Internet to behave as though it were a private leased line connection to the banking networks

SET
Roles and responsibilities - payment card brand associations (Visa, MasterCard, Amex)
- Maintain the SET root key that is used to sign all brand certificates and establish brand certificate authority hierarchies
- Establish brand certificates for legitimate SET uses
- No direct interactions with other parties

SET
Roles and responsibilities - certificate authorities
- Gather authentication information from cardholders, merchants, and payment gateway operators who request certificates
- Forward the authentication data to the Issuer or Acquirer for verification
- Renewal processing of previously issued certificates
- Maintain brand root keys
- Certify the presence of other CAs
- Revoke certificates on cancelled accounts as instructed by the card issuers
- Maintain the certificate revocation list for all compromised private keys

Garanti Bank is among the first 10 banks in Europe to carry out a SET transaction.
- April 97: first talks with Visa and MasterCard; joining the SET pilot group
- July 97: the world's first SET-compliant transaction was carried out in San Francisco
- February 98: Garanti Bank, together with Spektrum Office Superstore, carried out Turkey's first SET transaction

The 4 banks taking part in the SET pilot study:
1. Gesellschaft für Zahlungssysteme - Germany
2. Sumitomo Credit Service - Japan
3. Bank of America - USA
4. Garanti Bankası - Turkey

Secure Shopping

- 82 online stores, with 80 more in preparation
- Customer data is kept safe with SET and SSL solutions (SSL between customer and store, SET between store and bank)
- Providing full support to companies wishing to open an online store while at the same time informing the market
- Transaction volumes are not high yet, but the growth trend is strong
