Secure Electronic Transactions (SET)
Mark S. Merkow, E-commerce Guide

Introduction to Secure Electronic Transactions (SET)
Background
Incompatible Payment Card Standards
Not So Different After All
SET Consortium Established
Complying with the SET Standard
Credit Card Processing and Corresponding SET Phases
Roles in Card Processing
Basic Credit Card Schemes
SET Digital Certificate Management
SET in Action During Charge Processing
Digital Certificates for SET
Certifying SET Participants
Summary of Certificate Types
SET Appears on the Market
Cardholder E-wallets
Merchant POS Servers
Payment Gateway Systems
Industry Attempts to Assuage SET User Concerns
International Field Trials of SET
EasySET
Dutch Trials
Struggles to Keep SET Pertinent
Lessons Learned and New Directions in Secure Online Payments
Verified by Visa
Surrogate Credit Card Numbers
Conclusion
Glossary
Cross References
Further Reading

INTRODUCTION TO SECURE ELECTRONIC TRANSACTIONS (SET)
Credit card theft on the Internet has reached epidemic proportions, and everyone who handles credit card numbers and expiration dates clearly needs to understand that the handling is akin to toxic chemical handling and mandates the utmost care and diligence. The risks of theft and misuse of credit card data by thieves and nefarious users who target the databases and systems that store and maintain the data are too great to ignore or treat casually. Daily reports of security breaches, extortion, identity theft, and general havoc continue to dog e-commerce and drive away large proportions of the buying public. To partially answer these concerns, the banking associations—Visa and MasterCard—jointly issued Secure Electronic Transactions (SET) as a specification to implement the business services needed for worldwide processing of credit, debit, and charge card transactions over open channels like the Internet.
SET opens the doors to e-commerce but comes with a steep price both in time and in dollars to implement. SET is complex—so complex that possible future use of the banking standard remains an open question. Unlike most other efforts aimed at secure e-commerce, SET mandates the involvement of all its participants—buyers, suppliers, card processors, and back-end bank system operators. SET compliance requires onerous efforts on everyone’s part. In 2002, many industry observers and experts would say that SET is dead, with the selling public still satisfied to use secure sockets layer (SSL), but perhaps SET is only hibernating, awaiting an elusive market catalyst.
Background
Early in the 1990s, banks were refusing to accept or process charges originating on the Internet and required merchants who wanted to sell their merchandise online to use existing infrastructures (dial-up, etc.) for charge authorizations: point-of-sale transactions, phoned-in requests for charge authorizations, and follow-on batch processing activities. These banks, under pressure from two sides—merchants and consumers—began pressuring the Visa and MasterCard Associations to develop secure standards for using credit cards over any insecure channel, such as the Internet.
Visa and Microsoft responded with one standard they released in September 1995. The Secure Transaction Technology (STT) specification was posted to the Visa Web site for download by interested parties. At the same time, Microsoft announced that it would develop STT implementation tools for Windows 95 and Windows NT that could be licensed by developers. Tools for other desktop platforms would be developed by Spyglass Technology, which was behind what is known in 2002 as Microsoft’s Internet Explorer software.
Meanwhile, MasterCard and its allies, Netscape, IBM, Cybercash, and GTE (now Baltimore Technologies), had developed the Secure Electronic Payment Protocol (SEPP) as a proposed specification and posted it to the