Cmpe484 08
Dr. Ayşe Başar Bener
WHY SET?
Security concern of:
- Consumers
- Merchants
- Issuer, Acquirer and Settlement Banks
SET
Out-of-band (not covered by SET):
- Phases that are not included under SET
- Activities whose implementation is left up to the involved parties
- Systems required for using SET
Merchants and banks need to customise their own applications in order to plug into the SET infrastructure.
PAYMENT SYSTEMS
Closed Loop Systems
Examples: Amex, Discover, Diners Club. The bank serves as a broker between the users of its cards and the merchants.
[Figure: closed-loop card scheme. Participants: Cardholders, Issuers, Merchant Acquirers. Flows shown: Monthly Statement, Goods, Signs Voucher, Voucher, Supplies Voucher, Price of Goods minus Merchant Service Charge (-1.65%). Source: Office of Fair Trade, March 1994]
SETTLEMENT PROCESS
[Figure: settlement process. A list of card transactions, each with a BIN (bank identification number), an account number and an amount (50 each), is sorted by BIN and posted as debits and credits to the ledgers of the individual banks (Bank 123 with accounts 960, 812 and 1001; Bank 225). The banks then interchange the resulting balances with the Issuer through the Payment Network.]
SET-security
Implemented through Public-Private Key (PPK) cryptography and digital certificates.
SET's participants:
- Cardholders
- Merchants
- Acquirer payment gateways
- Credit and debit card brand associations
- Certificate authorities
Digital Certificates
- Owner's public key
- Owner's name
- Expiration date of the public key
- Name of the certificate issuer
- Serial number of the certificate
- Digital signature of the certificate issuer
Source: Identrus
Digital Signatures
[Figure: digital signature. Alice's private key (secret) applies a mathematical transformation to data A, producing signed data B; the recipient performs the signature check by applying the inverse mathematical transformation with Alice's public key (not secret, held in a public directory). Unsigned data sent across a hostile network is exposed to tampering.]
SET
Each participant in a SET transaction requires a specific certificate, which:
- uniquely identifies the participant
- confirms the participant's privileges as a cardholder or as a merchant
SET
Merchant certificates assure the transaction acquirer and the cardholders that the merchant is:
- a legitimate operator
- honouring the brand
Steps in SET
SET
All SET software and digital certificates need to be in place. The shopping experience:
- item selection
- check out
- form of payment selection
- payment initiation processing
- payment authorisation request
- delivery of goods
- capture and settlement
SET
Digital certificates
- owner's public key
- owner's name
- expiration date of the public key
- name of the certificate issuer
- serial number of the certificate
- digital signature of the certificate issuer
SET
Digital signature
- an on-line substitute for the written signature
- an authentication that you are who you claim to be
- a legally binding endorsement of the document that you transmit
- helps to ensure that the information in the message is not altered in any way
Digital certificates are essential for SET: they are used to sign messages prior to their transmission.
SET
Step 1:
The cardholder selects the payment card on the merchant's SET payment module.
Step 2:
The merchant SET payment module sends to the cardholder's e-wallet (specific to the card brand selected):
- the merchant's signature and key exchange certificates
- the payment gateway's signature and key exchange certificates
SET
Step 3:
- The cardholder's e-wallet begins to screen the tree of trust among the certificate chain supplied.
- Upon a successful screening, the e-wallet returns a copy of the cardholder signature to use in signing messages.
- Cardholders normally will not process key exchange certificates, since they are not responsible for message processing work.
SET
Step 4:
- With the certificate exchange and trust tree screening steps complete, all parties are now authenticated and processing will begin.
- Message protection and confidentiality can be assured, since all parties now trust one another.
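The certificate fields, the signing and verification transformations, and the e-wallet's screening of the tree of trust in Steps 1 to 4 can be put together in one short program. The following is an added example written for this page, not code from the lecture or from the SET specification. It assumes a toy textbook RSA over fixed Mersenne-prime moduli (constructed and insecure), a constructed JSON layout for the certificate fields and constructed day-number expiry dates; none of these are SET's real encodings, so the program illustrates the checks an e-wallet performs, not the protocol's wire format.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

E = 65537  # public exponent (assumption: toy textbook RSA, not SET's real key formats)


def toy_keypair(k1, k2):
    """Toy RSA key pair from the Mersenne primes 2^k1-1 and 2^k2-1.
    Constructed for illustration only: fixed, public primes give no security,
    and some primes are reused between the toy keys below."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent
    return (n, E), (n, d)        # (public key, private key)


def digest_int(data, n):
    """Hash the message and reduce the digest into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """The 'mathematical transformation' with the secret key."""
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify(public_key, data, signature):
    """The 'inverse mathematical transformation' with the public key: the signature check."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


@dataclass
class Certificate:
    """The six fields listed on the slide; the JSON encoding is an assumption."""
    owner_name: str
    owner_public_key: tuple
    expires: int                 # constructed day number, not a real date format
    issuer_name: str
    serial: int
    issuer_signature: int = 0

    def to_be_signed(self):
        fields = asdict(self)
        fields.pop("issuer_signature")
        return json.dumps(fields, sort_keys=True).encode()


def issue(issuer_name, issuer_private, owner_name, owner_public, expires, serial):
    """A certificate authority signs the certificate fields with its private key."""
    cert = Certificate(owner_name, owner_public, expires, issuer_name, serial)
    cert.issuer_signature = sign(issuer_private, cert.to_be_signed())
    return cert


def screen_chain(chain, root_name, root_public, today):
    """Step 3: walk the chain leaf -> CA. Each certificate must be unexpired and carry a
    valid signature from the next certificate's owner; the last one must be signed by
    the brand root key the e-wallet already holds."""
    for i, cert in enumerate(chain):
        if cert.expires < today:
            return False, f"{cert.owner_name}: certificate expired"
        if i + 1 < len(chain):
            issuer_name, issuer_key = chain[i + 1].owner_name, chain[i + 1].owner_public_key
        else:
            issuer_name, issuer_key = root_name, root_public
        if cert.issuer_name != issuer_name:
            return False, f"{cert.owner_name}: issuer {cert.issuer_name} is not in the chain"
        if not verify(issuer_key, cert.to_be_signed(), cert.issuer_signature):
            return False, f"{cert.owner_name}: issuer signature does not verify"
    return True, "trust tree screened successfully"


# Constructed participants: brand root -> merchant CA -> merchant, plus one cardholder.
ROOT_PUB, ROOT_PRIV = toy_keypair(521, 127)
MCA_PUB, MCA_PRIV = toy_keypair(607, 107)
MERCHANT_PUB, MERCHANT_PRIV = toy_keypair(1279, 89)
CARD_PUB, CARD_PRIV = toy_keypair(2203, 89)


def build_merchant_chain():
    """What the merchant's payment module sends the e-wallet in Step 2 (signature certificates only)."""
    mca_cert = issue("BrandRoot", ROOT_PRIV, "MerchantCA", MCA_PUB, expires=730, serial=1)
    merchant_cert = issue("MerchantCA", MCA_PRIV, "ExampleShop", MERCHANT_PUB, expires=365, serial=2)
    return [merchant_cert, mca_cert]


def run_demo():
    """Returns (good chain ok, expired chain ok, tampered chain ok, message sig ok, altered message sig ok)."""
    chain = build_merchant_chain()
    good = screen_chain(chain, "BrandRoot", ROOT_PUB, today=100)
    expired = screen_chain(chain, "BrandRoot", ROOT_PUB, today=400)
    forged = [replace(chain[0], owner_name="OtherShop")] + chain[1:]   # name changed after signing
    tampered = screen_chain(forged, "BrandRoot", ROOT_PUB, today=100)
    # Step 4: with trust established, the cardholder signs the payment message it transmits.
    msg = b"order=42;amount=50.00;merchant=ExampleShop"
    sig = sign(CARD_PRIV, msg)
    return good[0], expired[0], tampered[0], verify(CARD_PUB, msg, sig), verify(CARD_PUB, msg + b"0", sig)


if __name__ == "__main__":
    print(run_demo())
```

The screening stops at the first failing check and reports which certificate and which field failed, which is what an e-wallet would need in order to refuse a merchant whose certificate has expired or has been altered; the altered-message check at the end shows why the signed message cannot be changed in transit without the signature check failing.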
SET
Roles and responsibilities - cardholders
- A web browser that contains an e-wallet component: Netscape and IE support e-wallet plug-ins or e-wallet programs; visit a web site and download one.
- Once the e-wallet works properly, obtain a digital certificate for each credit card by visiting a CA on-line.
- Keep your private key component private through password protection.
- When sending messages through the Internet, make sure that the browser supports Secure Sockets Layer (SSL) encryption.
SET
Roles and responsibilities - merchants
- Merchant server POS software performs the tasks of cryptographic processing, message preparation, and merchant certificate management.
- Merchant servers communicate with both the cardholder's web browser/e-wallet and the acquirer payment gateways that serve the banks and payment card companies.
- Merchant POS software also communicates with the acquirer's payment gateway for authorisation of charge requests, settlement of charges, and batch administration work.
SET
Roles and responsibilities - acquirer payment gateways
- Operated on behalf of many financial institutions.
- Check the currency and legitimacy of all certificates presented.
- Maintain an appropriate interface to traditional banking systems that permits the Internet to behave as though it were a private leased-line connection to the banking networks.
SET
Roles and responsibilities - payment card brand associations (Visa, Mastercard, Amex)
- Maintain the SET root key that is used to sign all brand certificates, and establish brand certificate authority hierarchies.
- Establish brand certificates for legitimate SET uses.
- No direct interactions with other parties.
SET
Roles and responsibilities - certificate authorities
- Gather authentication information from cardholders, merchants, and payment gateway operators who request certificates.
- Forward the authentication data to the Issuer or Acquirer for verification.
- Renewal processing of previously issued certificates.
- Maintain brand root keys.
- Certify the presence of other CAs.
- Revoke certificates on cancelled accounts as instructed by the card issuers.
- Maintain the certificate revocation list for all compromised private keys.
Garanti Bank is among the first 10 banks in Europe to have carried out a SET transaction.
- April 97: first meetings with Visa and Mastercard; joining the SET pilot group.
- July 97: the world's first SET-compliant transaction was carried out in San Francisco.
- February 98: Garanti Bank, together with Spektrum Office Superstore, carried out the first SET transaction in Turkey.
The 4 banks taking part in the SET pilot study:
1. Gesellschaft für Zahlungssysteme - Germany
2. Sumitomo Credit Service - Japan
3. Bank of America - USA
4. Garanti Bankası - Turkey