Merkow WL040/Bidgolio-Vol I WL040-Sample.cls June 20, 2003 12:46 Char Count= 0
SECURE ELECTRONIC TRANSACTIONS (SET)

A card association (e.g., Visa and Mastercard) dictates the
conditions under which its branded cards may be used
and provides the network and processing to permit the
three primary constituents (cardholder, merchant, and
acquiring bank) to transact business.

Basic Credit Card Schemes
There are two major approaches to credit card schemes:
closed loops and open loops. In a closed loop system,
the issuer and the acquirer are the same organization;
they manage both the cardholder and merchant relationships.
Examples of closed loop systems include Discover
(Novus), American Express, Japan Credit Bank (JCB), and
Diner’s Club (operated by Citibank). In an open loop system,
the issuer of a credit card may or may not be the same
as the acquiring bank. Because the Visa and Mastercard
networks consist of well over 20,000 banks worldwide,
there are a tremendous number of possible combinations
(4 × 10^8) of issued cards and acquirer processors for any
given charge transaction. For example, a cardholder holding
a Visa card issued by Bank A may shop at a merchant
who has a merchant account at Bank B. As the charge
card is swiped on the merchant’s point of sale (POS) terminal,
a charge request is initiated and sent to Bank B
(the acquiring bank), which places a charge authorization
request on VisaNet. The Visa network then routes
the request to Bank A to determine account status and
sufficiency of credit for approving a new charge to the
account. The response to this authorization request is an
authorization response, containing an approve or decline
status, along with a code for the merchant to use when the
sale is completed (goods are shipped) and the merchant
is ready to settle the charges.
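
The open-loop flow just described, as an added example that is not part of the original article: Bank B (acquirer) forwards an authorization request to Bank A (issuer), which checks account status and available credit and returns approve or decline with a code that is later used at settlement. The class names, the routing on the first six digits of the card number, the single-use code, and all sample values are assumptions made for the illustration.

```python
import secrets

class Issuer:
    """Bank A: owns the cardholder account and decides approve/decline."""
    def __init__(self, accounts):
        self.accounts = accounts  # card number -> {"active", "limit", "balance"}
        self.open_auths = {}      # auth code -> (card number, amount) not yet settled

    def authorize(self, pan, amount):
        acct = self.accounts.get(pan)
        if acct is None or not acct["active"]:
            return {"status": "decline", "reason": "account status"}
        if acct["balance"] + amount > acct["limit"]:
            return {"status": "decline", "reason": "insufficient credit"}
        acct["balance"] += amount  # hold the credit until settlement
        code = secrets.token_hex(3).upper()
        self.open_auths[code] = (pan, amount)
        return {"status": "approve", "auth_code": code}

    def settle(self, pan, amount, code):
        if self.open_auths.get(code) != (pan, amount):  # single use, same card and amount
            return False
        del self.open_auths[code]
        return True

class Acquirer:
    """Bank B: holds the merchant account and places requests on the network."""
    def __init__(self, issuers_by_prefix):
        self.issuers = issuers_by_prefix  # assumption: network routes on 6-digit prefix

    def authorization_request(self, pan, amount):
        issuer = self.issuers.get(pan[:6])
        if issuer is None:
            return {"status": "decline", "reason": "unknown issuer"}
        return issuer.authorize(pan, amount)

    def capture(self, pan, amount, code):
        issuer = self.issuers.get(pan[:6])
        return issuer is not None and issuer.settle(pan, amount, code)

def demo():
    pan = "4000001234567890"  # constructed card number
    account = {"active": True, "limit": 50_000, "balance": 45_000}  # cents
    bank_b = Acquirer({"400000": Issuer({pan: account})})
    first = bank_b.authorization_request(pan, 4_000)
    second = bank_b.authorization_request(pan, 2_000)  # would exceed the limit
    settled = bank_b.capture(pan, 4_000, first["auth_code"])
    replayed = bank_b.capture(pan, 4_000, first["auth_code"])
    return first["status"], second["reason"], settled, replayed
```
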
SET provides the specifications for request–response
message pairs that permit the parties involved to use open
networks like the Internet to perform the same work that
previously was performed using the private networks that
the banks mandated for moving credit card information
around. These message pairs offer the same business services
that the private-network POS system offers, without
the cost of dedicated network links and maintenance.
SET message pairs correspond to the following business
services used for credit card processing:

- Inquiry into charge transaction status
- Payment processing
- Authorization reversal when customers change their minds
- Capture reversal when goods are returned for credit
- Credit issuance when goods are returned for credit
- Batch administration to settle charges and clear transactions
- Certificate issuance for all entities
- Certificate inquiries on pending certificate requests or status information
- Error handling

SET Digital Certificate Management
SET certificate management and processing are in addition
to any other transaction-based processing that occurs.
The purpose of such processing is to ensure that
certificates are current, are accurate, and are always ready
for use when needed. SET cardholder certificates are
constructed to mimic both the physical piece of plastic
and the signature on the back of it. Merchant certificates
assure the transaction acquirer and the cardholders
that they are dealing with a legitimate operator who
is contractually obligated to the brand to remain honest.
Charge processors and merchants are assured that they
are dealing with cardholders who have legitimate rights
to use a brand product. Both merchants and cardholders
are assured that their transactions are seen and processed
only by those charge processors who have legitimate
rights to see and process them.
In some cases, a SET payment gateway is needed to
validate SET digital certificates and preprocess authorization,
capture, and settlement work. Payment gateways are
operated by companies that perform the charge processing
duties for merchants and banks. The terms acquirer
payment gateway and payment gateway are synonyms. One
example of a card processor in the U.S. is First Data
Corporation in Omaha.
Because a SET merchant server takes the place of POS
terminals, it needs to perform all the work POS terminals
do, and then some. One significant benefit of using the
Internet, rather than private networks and dial-up lines,
is its flexible nature, which makes it possible to communicate
freely. With Internet connections, it is possible to
avoid some third-party work (with a resultant saving of
their fees) by connecting directly to acquiring banks or
card company payment gateways.

SET in Action During Charge Processing
SET is implemented as pairs of request and response messages
that are enciphered using strong cryptography before
being placed onto the public Internet, to hide their
contents from all but those intended to receive and process
them.
In person, it is easy to check for a matching signature
on a card or to ask a person for an ID. On the Internet, it
is virtually impossible. Authentication thus can only occur
through cryptography. SET uses a robust set of digital
certificates to accomplish the identification and authentication
activity. Each participant in a SET transaction
requires a specific certificate or set of certificates that not
only uniquely identify them, but also attest to their privileges
as holders of payment cards or merchant accounts.
Before any transaction can take place, everyone involved
needs one or more SET digital certificates. Leaving aside
for now how they are obtained, assume
that the digital certificate issuance process has already
occurred and everyone is prepared. Call this Phase 0.

Phase 0: All SET Software and Requisite Digital Certificates in Place
A cardholder of a Bank A credit card possesses a corresponding
cardholder digital certificate and has installed
the SET E-wallet software to operate with their Web
browser. A merchant with an account at Bank B has installed
the SET Merchant POS System and installed the
requisite merchant digital certificates to enable it to operate.
Bank B’s payment gateway is up and running with