Introduction to secure electronic transactions (SET)
Credit card theft on the Internet has reached epidemic proportions, and everyone who handles credit card numbers and expiration dates clearly needs to understand that the handling is akin to toxic chemical handling and mandates the utmost care and diligence. The risks of theft and misuse of credit card data by thieves and nefarious users who target the databases and systems that store and maintain the data are too great to ignore or treat casually.
Early in the 1990s, banks were refusing to accept or process charges originating on the Internet and required merchants who wanted to sell their merchandise online to use existing infrastructures (dial-up, etc.) for charge authorizations: point-of-sale transactions, phoned-in requests for charge authorizations, and follow-on batch processing activities. These banks, led by pressures on two sides—merchants and consumers—began pressuring the Visa and MasterCard Associations to develop security standards for using credit cards over an insecure channel, such as the Internet.
Incompatible Payment Card Standards
STT and SEPP generated such heated debate and finger-pointing between the two opposing factions that the entire industry was at odds. Both sides claimed their standards were defined with “openness in mind” and were designed in cooperation with the Internet standards-setting bodies, the W3 Consortium, the Internet Engineering Task Force (IETF), CommerceNet, and the Financial Services Technology Consortium.
Not So Different After All
In fact, STT and SEPP both attempted to achieve the same objectives but did so from different directions. These objectives included.
Complying with the SET Standard
Because SET is an open and neutral protocol, in theory, it is possible to purchase any implementation from anyone who offers it without concern for proprietary ingredients. To turn this theory into a reality, independent testing is required to ensure compliance as defined by the specification.
Developer interpretation of the specification was at the root of the problem. For SET to ever succeed, it needed a single, unambiguous understanding among developers that eliminated the possibility of proprietary implementations of SET. That is one of the major tasks of Secure Electronic Transaction, LLP, or SETCo.
Compliance Testing and Certification
SETCo operates under the sponsorship of the card associations but is independent of them. It assumes the responsibility for SET’s development, maintenance, evolution, and market acceptance, and it regulates the use of the SET mark for products that successfully pass a rigorous compliance testing program. SETCo also maintains a dispute resolution board that decides how to best handle disputes or questions regarding implementation. The SET Compliance Administrator (SCA) serves the administrative functions for SETCo, evaluating test results submitted by software developers and maintaining SET testing tool suites.
Basic Credit Card Schemes
There are two major approaches to credit card schemes—closed loops and open loops. In a closed-loop system, the issuer and the acquirer are the same organization—they manage both the cardholder and merchant relationships. Examples of closed-loop systems include Discover (Novus), American Express, Japan Credit Bank (JCB), and Diners Club (operated by Citibank). In an open-loop system, the issuer of a credit card may or may not be the same as the acquiring bank.
SET in Action during Charge Processing
In person, it is easy to check for a matching signature on a card or to ask a person for an ID. On the Internet, it is virtually impossible. Authentication thus can only occur through cryptography. SET uses a robust set of digital certificates to accomplish the identification and authentication activity. Each participant in a SET transaction requires a specific certificate or set of certificates that not only uniquely identify them, but also attest to their privileges as holders of payment cards or merchant accounts. Before any transaction can take place, everyone involved needs one or more SET digital certificates. Without looking now at how they are obtained, assume that the digital certificate issuance process has already occurred and everyone is prepared.
Even as the SET specification continues to collect dust on the bookshelves of so many developers and bankers, SET’s legacy is peppered with plenty of lessons to learn and mistakes to avoid. Still, SET is revolutionary, and over time, its resurrection in some form or another may materialize to finally bring an end to the intolerable state of Internet credit card fraud.