Merkow WL040/Bidgolio-Vol I WL040-Sample.cls June 20, 2003 12:46 Char Count= 0
258 SECURE ELECTRONIC TRANSACTIONS (SET)

the Holy Grail of card-present transactions to the Internet. By the end of 2002, Mastercard International agreed to also support the 3D Secure Payer Authentication protocol and put an end to inter-association card acceptance problems.

Surrogate Credit Card Numbers
Still another approach that some issuer banks have adopted is called surrogate card numbers; it appears in forms such as Private Payments from American Express. With a surrogate card number, a shopper visits his or her issuer bank's Web site and requests a “disposable” card number for one-time use at a merchant. The issuer bank keeps track of the real card number when it processes the authorization request and settlement records but conceals the number from the merchant site. Even in the event the merchant site is hacked and its tables of credit card numbers are copied, these surrogate payment card numbers would be rejected on a second authorization request and treated as fraudulent.
Although VbV, SPA, and surrogate payments may appear as evidence that the card associations cannot agree on a single secure payment system, implementing these approaches is easier than implementing SET could ever be. Vendors are offering systems and services in the marketplace to accommodate issuer banks and merchants with remotely hosted Web services applications and low-cost processing and overhead to support VbV, SPA, and surrogate card numbers. Software is available in the 2002 marketplace and is written to hide the various implementation details from the issuer banks and from the merchants to prevent the need for multiple systems to accomplish the same work. Clearly these moves are a step in the right direction.

CONCLUSION
Even as the SET specification continues to collect dust on the bookshelves of so many developers and bankers, SET’s legacy is peppered with plenty of lessons to learn and mistakes to avoid. Still, SET is revolutionary, and over time, its resurrection in some form or another may materialize to finally bring an end to the intolerable state of Internet credit card fraud.

GLOSSARY
Abstract Syntax Notation One (ASN.1)
A standard, flexible method that (a) describes data structures for representing, encoding, transmitting, and decoding data, (b) provides a set of formal rules for describing the structure of objects independent of machine-specific encoding techniques, (c) serves as the formal description language of TCP/IP network-management protocols such as SNMP, pairing a human-readable notation with a compact encoded representation of the same information, and (d) is a precise, formal notation that removes ambiguities.
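To show what the "compact, encoded representation" in (c) looks like in practice, the following is an added Python example, not code from the chapter or from any ASN.1 library, implementing the Distinguished Encoding Rules (DER) for three universal ASN.1 types: INTEGER, OCTET STRING, and SEQUENCE. X.509 certificates and CRLs are defined in ASN.1 and serialized with DER, and DER's one-encoding-per-value rule is what makes signatures over them meaningful, so the decoder enforces it: minimal length octets, minimal two's-complement integers, no child value running past its parent, no trailing bytes. The tag constants, sample values and error messages are the example's own.

```python
INTEGER, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30   # universal tags used here


def _encode_length(n: int) -> bytes:
    """Definite length: short form below 128, otherwise the minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(buf: bytes, pos: int):
    """Return (length, position after the length octets); reject non-DER forms."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    nbytes = first & 0x7F
    raw = buf[pos:pos + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated length")
    if raw[0] == 0 or (nbytes == 1 and raw[0] < 0x80):
        raise ValueError("non-minimal length (DER allows one encoding per value)")
    return int.from_bytes(raw, "big"), pos + nbytes


def encode(value) -> bytes:
    """int -> INTEGER, bytes -> OCTET STRING, list -> SEQUENCE (nested as needed)."""
    if isinstance(value, bool):
        raise TypeError("BOOLEAN is outside this example")
    if isinstance(value, int):
        n = 1                                   # smallest two's-complement width that fits
        while True:
            try:
                content = value.to_bytes(n, "big", signed=True)
                break
            except OverflowError:
                n += 1
        tag = INTEGER
    elif isinstance(value, (bytes, bytearray)):
        content, tag = bytes(value), OCTET_STRING
    elif isinstance(value, list):
        content, tag = b"".join(encode(v) for v in value), SEQUENCE
    else:
        raise TypeError(f"unsupported type {type(value).__name__}")
    return bytes([tag]) + _encode_length(len(content)) + content


def _decode_value(buf: bytes, pos: int, limit: int):
    """Parse one TLV starting at pos; it must end at or before limit (the parent's end)."""
    if pos >= limit:
        raise ValueError("truncated: no tag octet")
    tag = buf[pos]
    length, pos = _decode_length(buf, pos + 1)
    end = pos + length
    if end > limit:
        raise ValueError("length runs past enclosing value")  # the classic over-read bug
    content = buf[pos:end]
    if tag == INTEGER:
        if not content:
            raise ValueError("empty INTEGER")
        if len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                                 or (content[0] == 0xFF and content[1] >= 0x80)):
            raise ValueError("non-minimal INTEGER")
        return int.from_bytes(content, "big", signed=True), end
    if tag == OCTET_STRING:
        return content, end
    if tag == SEQUENCE:
        items, p = [], pos
        while p < end:
            item, p = _decode_value(buf, p, end)
            items.append(item)
        return items, end
    raise ValueError(f"unsupported tag 0x{tag:02x}")


def decode(buf: bytes):
    """Parse exactly one DER value; anything left over is an error, not ignored."""
    value, end = _decode_value(bytes(buf), 0, len(buf))
    if end != len(buf):
        raise ValueError("trailing bytes after value")
    return value
```

`encode([1, b"hi"])` yields `30 07 02 01 01 04 02 68 69`: a SEQUENCE of seven content bytes holding INTEGER 1 and OCTET STRING "hi", which is the kind of tag-length-value layout the definition calls compact. The `limit` parameter is the check that matters most for a parser handling untrusted input: without it, a length field larger than the enclosing structure reads beyond the message.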
Acquiring bank
A bank that does business with merchants who wish to accept credit cards. Merchants are given accounts into which the value of a batch's card sales is deposited. The banks acquire batches of sales slips from any issuer bank's cards and credit their value to the merchants' accounts.
Authorization
A process whereby transactions are approved or declined by card issuers. Successful charge authorizations reduce the amount of available credit on a credit card but do not actually charge the customer or move money to the seller. Authorizations can be performed via telephone, POS terminal, or the Internet.

Batch settlement
A process whereby accumulated credit card transactions are submitted for final settlement with a merchant's acquirer bank. Batches can be submitted for processing throughout the day or they can continue to grow until their value is sufficiently large and worthwhile to process.

Bolt-on application
A “helper” or plug-in application program that extends the functionality of another program. SET is bolted onto existing merchant commerce servers and consumer Web browsers to provide POS functionality and e-wallet functionality, respectively.

Brand certificate authorities
Trusted parties that serve a payment card brand (e.g., Visa, MasterCard) in performing the services needed for SET brand digital certificate management.

Branded payment cards
Credit or charge cards that bear a company brand name (e.g., Visa, MasterCard, American Express).

Card associations
Consist of operating banks that support franchises for particular payment card brands (e.g., Visa) and establish the by-laws that frame the uses of the franchise and the products within it.

Card issuer
A bank or payment card company that issues branded cards to its customers.

Card-not-present transactions
These are said to occur where the physical plastic card is not present for the merchant to see. These transactions are considered riskier than card-present transactions and typically occur with mail order/telephone order (MOTO) and Internet purchasing.

Cardholder
A user (typically a consumer) of a credit or charge card issued by an issuer bank.
Certificate authorities
Trusted parties who operate on behalf of the SET Consortium (SETCo) and payment card brands to manage the distribution and currency of SET digital certificates.

Certificate revocation list (CRL)
A mechanism that certificate authorities use to ensure that revoked certificates are not used in transactions. CRLs contain revoked certificate serial numbers, their dates of revocation, the date the CRL was generated, its expiration date, the issuer name, and the serial number of the CA certificate used to sign the original certificate.
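The fields listed in that definition are exactly the ones a relying party has to check before it can conclude anything from a CRL. The following is an added Python example, not code from the chapter, from SETCo or from any certificate library, that models a CRL with those fields and checks a certificate serial against it in fail-closed order: the list's integrity first, then that it came from the expected issuer and signing CA certificate, then that it is current, and only then the serial lookup. The CA name, key, dates and serial numbers are constructed, and an HMAC over the canonicalized fields stands in for the CA's signature so the example runs offline; a real CRL carries a public-key signature verified with the issuing CA's certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Revocation:
    serial: int
    revoked_at: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime    # date the CRL was generated
    next_update: datetime    # CRL expiration date
    signer_serial: int       # serial of the CA certificate that signed the CRL
    revoked: tuple           # Revocation entries
    mac: bytes = b""         # stand-in for the CA signature over the fields above


def _canonical(crl: CRL) -> bytes:
    """Deterministic byte string of every field the 'signature' must cover."""
    entries = ";".join(f"{r.serial:x}@{r.revoked_at.isoformat()}"
                       for r in sorted(crl.revoked, key=lambda r: r.serial))
    return "|".join([crl.issuer, crl.this_update.isoformat(), crl.next_update.isoformat(),
                     f"{crl.signer_serial:x}", entries]).encode()


def sign_crl(crl: CRL, ca_key: bytes) -> CRL:
    return replace(crl, mac=hmac.new(ca_key, _canonical(crl), hashlib.sha256).digest())


def crl_status(crl: CRL, ca_key: bytes, expected_issuer: str, expected_signer_serial: int,
               cert_serial: int, now: datetime) -> str:
    """Fail closed: anything other than 'good' means the certificate must not be trusted."""
    expected_mac = hmac.new(ca_key, _canonical(crl), hashlib.sha256).digest()
    if not hmac.compare_digest(crl.mac, expected_mac):
        return "crl-signature-invalid"          # tampered or unsigned list
    if crl.issuer != expected_issuer or crl.signer_serial != expected_signer_serial:
        return "crl-wrong-issuer"               # right format, wrong (or spoofed) CA
    if not crl.this_update <= now <= crl.next_update:
        return "crl-stale"                      # an expired list proves nothing either way
    if any(r.serial == cert_serial for r in crl.revoked):
        return "revoked"
    return "good"


# Constructed data: a hypothetical brand CA, its key, and one revoked certificate serial.
CA_NAME = "CN=Demo Brand CA"
CA_CERT_SERIAL = 0x1001
CA_KEY = b"constructed-demo-key"
NOW = datetime(2003, 6, 20, 12, 0, tzinfo=timezone.utc)
CRL_SIGNED = sign_crl(CRL(
    issuer=CA_NAME,
    this_update=datetime(2003, 6, 19, tzinfo=timezone.utc),
    next_update=datetime(2003, 6, 26, tzinfo=timezone.utc),
    signer_serial=CA_CERT_SERIAL,
    revoked=(Revocation(0x2B, datetime(2003, 6, 18, tzinfo=timezone.utc)),),
), CA_KEY)


def demo() -> dict:
    def check(crl, serial, when):
        return crl_status(crl, CA_KEY, CA_NAME, CA_CERT_SERIAL, serial, when)

    stripped = replace(CRL_SIGNED, revoked=())   # attacker deletes the entry but cannot re-sign
    return {
        "good": check(CRL_SIGNED, 0x2C, NOW),
        "revoked": check(CRL_SIGNED, 0x2B, NOW),
        "stale": check(CRL_SIGNED, 0x2C, datetime(2003, 7, 1, tzinfo=timezone.utc)),
        "stripped": check(stripped, 0x2B, NOW),
        "wrong_issuer": crl_status(CRL_SIGNED, CA_KEY, "CN=Other CA", CA_CERT_SERIAL, 0x2C, NOW),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>12}: {status}")
```

The "stripped" case is why the signature check comes first: a list from which an attacker has removed an entry looks perfectly well-formed, and a checker that consults the serial numbers before the signature would report the revoked certificate as good.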
Certification
The process of attesting to a person's or entity's identity, performed prior to the issuance of a signed (notarized) certificate bearing the entity's public key.

Clearing
A process of exchanging transaction details between a merchant bank (acquirer bank) and an issuer bank. Clearing posts charges to cardholder accounts and reconciles the merchant's batch of settlement records.