Seeking to address users’ demands for transaction security on the Internet, a consortium of financial and software companies, led by MasterCard International Inc and Visa International Inc, last year proposed a technical specification. The first draft of the Secure Electronic Transaction, SET, protocol was published in June 1996, and the first version should be released in June 1997. But because of the importance of credit card shopping to the suppliers, companies such as IBM Corp, Netscape Communications Corp and Microsoft Corp are already implementing SET.
By Jessica Twentyman
SET members decided that to provide adequate security for Internet transactions, three main issues must be addressed. First, the authenticity of both cardholder and merchant must be established. Second, the integrity of the order data must be maintained across the network. Last, the data must be delivered in such a way that only the intended recipient has access to it.

SET is almost guaranteed success. It fulfills all the criteria for a successful standard: it is open, can be easily adopted by any supplier, is consistent with the existing infrastructure for credit card payments, and has the backing of a number of influential participants. Along with MasterCard and Visa, the protocol has already been endorsed by the American Express, Discover and JCB credit card organizations. Furthermore, SET is already being incorporated into ‘merchantware’ products, the server-based software used by traders to support Internet transactions. The backing of these major vendors, say analysts, will help to legitimize the concept of Internet shopping.

Unlike the Secure Sockets Layer, SSL, security protocol, which is currently supported in products such as Netscape’s Navigator, SET attempts to solve several problems at once: authentication, encryption, and providing a method of linking to settlement systems. The SET protocol builds on security systems developed for use in electronic data interchange, EDI, private networks. The first stage of a SET transaction is for the buyer and the seller – the consumer and the merchant – to identify each other.
Trusted third party
This is done using a digital certificate – an encrypted, tamper-proof registration number buried in a piece of software. The certificate also contains name, address and other credit details. The certificate is issued by a trusted third party – usually the credit card company, such as MasterCard or Visa. Once installed on a personal computer, or other device, it will be automatically accessible from a browser. Before making a transaction, a user will also have to enter a password or PIN.

The encryption technique uses the widely accepted public/private key method. The public key, which can be a long number (between 40 and 1,000 bits), is what is sent over the Internet and is known as the SET ID. But it is useless unless the recipient also knows the private key, which only the number issuer – credit card company or bank – knows. The merchant never gets to see the credit card number, but simply matches its own SET trader number with the SET ID and sends the two numbers off for authentication, for authorization and for settlement. This processing is done by the credit card issuers, which carry out their communication over secure private networks, such as VisaNet or BankNet.

No one is arguing that SET is absolutely foolproof. Certainly, it is far safer than traditional credit card use.
This article is taken from a longer piece that appeared in the April 1997 edition of our sister publication Computer Business Review.