P1: JDV
Merkow WL040/Bidgolio-Vol I WL040-Sample.cls June 20, 2003 12:46 Char Count= 0
252 SECURE ELECTRONIC TRANSACTIONS (SET)

[Figure 2: SET payment authorization flow between merchant and payment gateway. Steps shown: merchant requests authorization; payment gateway processes authorization request; merchant processes response. Messages exchanged: Authorization Request, Authorization Response.]

mechanisms. It turns the public Internet into a private
network that protects every SET message pair.
SET uses two forms of messages that relate to requests
for and responses to processing between the cardholder
and the merchant, and between the merchant and the
acquirer payment gateway. There is never a direct link
between the cardholder and the payment gateway—the
merchant always serves as the message broker between
the two parties.

Digital Certificates for SET
Digital certificates represent identity for all SET
participants by binding a person’s identity to a pair of
electronic encryption keys that are later used to encrypt
or sign digital information. A digital certificate helps to
verify someone’s electronically transmitted claim that he
or she is who he or she claims to be and has the right to use
the encryption keys. SET digital certificates prevent
people from using stolen or fraudulent keys to impersonate
other people. Used in conjunction with encryption, digital
certificates provide a more complete security mechanism
than simple ID and password mechanisms and SSL
protections. The contents of a generic digital certificate
may include the following:

Owner’s public key.
Owner’s name.
Expiration date of the public key.
Name of the certificate issuer.
Serial number of the certificate.
Digital signature over the entire certificate created by the
certificate issuer (CA).

The most widely accepted format for digital certificates
is defined by the CCITT X.509 international standard;
thus, such certificates can be read or written by any
application complying with X.509. SET’s version of digital
certificates is a special “flavor” designed exclusively for
credit cards. SET extends the X.509 standard for e-commerce
to permit its international presence without concern for
export controls on encryption products or services.
See Figure 3 for a representation of a basic X.509 digital
certificate.

Certifying SET Participants
SET mandates that all users obtain salient key-pairs in
a secure manner that is impervious to attacks. Because
the cracking of keys requires inordinate time and effort,
would-be thieves typically will strike at the management
and maintenance systems that store keys, rather than
through cryptanalysis of the keys themselves.

[Figure 3: A basic X.509 digital certificate. Fields shown: Subject’s X.500 Name; Issuer (CA) X.500 Name; Validity Period; Subject’s Public Key Information (Algorithm ID and Public Key value); Issuer’s Unique Certificate ID Number; Issuer’s Other Unique ID Number; Signature Algorithm Identifier; CA’s Digital Signature; Certificate Extension(s) (Type, Critical or non-critical, value), zero or more.]