Chapter 8

Internet Security Protocols (cont’d)

2

Secure Electronic Transaction (SET) An open encryption and security specification

that is designed for protecting credit card transactions on the Internet.

Done in 1996 by MasterCard and Visa and joined by IBM, Microsoft, Netscape, RSA, Terisa and VeriSign.

1998, the 1st generation of SET-compliant products appeared in the market.

3

SET (cont’d)

Need for SET MasterCard and Visa realized that for e-

commerce payment processing, s/w vendors were coming up with new and conflicting standards. Microsoft drove these on one hand, and IBM on the

other. SET is not a payment system. It is a set of

security protocols and formats that enable the users to employ the existing credit card payment infrastructure on the Internet in a secure manner.

4

SET (cont’d)

SET services can be summarized as follows: Provide a secure communication channel among

all the parties involved in an e-commerce transaction.

Provide authentication by the use of digital certificates.

Ensure confidentiality, because the information is only available to the parties involved in a transaction, and that too only when and where necessary.

5

SET Participants

Cardholder: an authorized holder of a payment card such as MasterCard or Visa that has been issued by an Issuer.

Merchant: a person or an organization that wants to sell goods or services to cardholders.

Issuer: a financial institution (such as a bank) that provides a payment card to a cardholder.

6

SET Participants (cont’d)

Acquirer: a financial institution that has a relationship with merchants for processing payment card authorizations and payments.

Payment Gateway: Act as an interface between SET and the existing card

payment networks for payment authorizations. Certification Authority (CA): an authority that is

trusted to provide public key certificates to cardholders, merchants and payment gateways.

7

SET Process1. The customer open an account.2. The customer receives a certificate. 3. The merchant receives a certificate.4. The customer places an order.5. The merchant is verified.6. The order and payment details are sent.7. The merchant requests payment authorizations.8. The payment gateway authorizes the payment.9. The merchant confirms the order.10. The merchant provides goods or services.11. The merchant requests payment

8

How SET Achieves its Objectives Main concern with online payment

mechanism: Customer sends credit card details in clear text

which provides an intruder to use it with malicious intentions. Solution: SSL

The credit card number is available to the merchant, who can misuse it. Solution: SET

9

How SET Achieves its Objectives (cont’d) The way SET hides the cardholder’s credit

card details from the merchant by the concept of digital envelope.

10

How SET Achieves its Objectives (cont’d)

SET s/w prepares the Payment Information (PI) on the card holder’s computer exactly the same way as it happens in any Web-based payment system.

Cardholder’s computer creates a one-time session key.

Cardholder’s computer encrypts the PI using one-time session key. (PIEO)

Cardholder’s computer wraps the one-time session key with the public key of the payment gateway to form a digital envelope (OEP)

Send the encrypted PI (PIEO) & (OEP) to the merchant (who has to pass it on to the payment gayteway).

11

SET Internals

Major transactions supported by SET: Purchase Request Payment Authorization Payment Capture

12

SET Internals: Purchase Request Step1: Initiate request

3 agencies involved:1. The agency that issues credit cards (FI)2. CA3. Payment Gateway (PG), which can be the same as the acquirer

Cardholder

Please send me digital certificates of you and that of the payment gateway. Here is a unique id to identify our interaction and here is my credit card issuer’s name

Merchant

13

SET Internals: Purchase Request Step 2: Initiate Response

Cardholder

Here is my transaction id and here are the digital certificates of the payment gateway, and myself as you had requested for.

Merchant

14

SET Internals: Purchase Request Step 3: Purchase request

Cardholder

Here are my OI and PI details. I am also sending my digital certificate that contains my public key, so that you and the payment gateway can decrypt the order/payment details.

Merchant

15

SET Internals: Purchase Request To ensure the merchant and the PG received the

information that they require, Dual Signature is used.

16

SET Internals: Purchase Request (cont’d)Step1: Merchant calculates its own OIMD, and uses it and the PIMD

received from the cardholder to generate its own POMD (say POMD1).

OI H OIMD

PIMD+ H POMD1

Step 2: Merchant decrypts DS received from the cardholder to retrieve the POMD, as was calculated by the cardholder (say POMD2).

DS D POMD2

Step 3: Merchant compares POMD1 with POMD2. If they are equal, it trusts the message, as it is assured that the message came from the cardholder.

POMD2POMD1POMD1 = ? If yes, accept; else reject message

Verification of cardholder’s authenticity by the merchant.

17

SET Internals: Purchase Request (cont’d)Step1: Payment gateway calculates its own PIMD, and uses it and the OIMD

received from the cardholder to generate its own POMD (say POMD1).

PI H PIMD

OIMD+ H POMD1

Step 2: Payment gateway decrypts DS received from the cardholder to retrieve the POMD, as was calculated by the cardholder (say POMD2).

DS D POMD2

Step 3: Payment gateway compares POMD1 with POMD2. If they are equal, it trusts the message, as it is assured that the message came from the cardholder.

POMD2POMD1POMD1 = ? If yes, accept; else reject message

Verification of cardholder’s authenticity by the payment gateway

18

SET Internals: Purchase Request Step 4: Purchase response

Cardholder

Ok, here is the result of processing your order

Merchant

19

SET Internals: Payment Authorization Consist of 2 messages:

Authorization Request Authorization Response

Merchant

Here are:a) Purchase Informationb) Authorization informationc) Cardholder’s and my certificates. Payment

Gateway

Authorization Request

20

SET Internals: Payment Authorization

Merchant

Validations were ok! Here are the authorization information, token information and my digital certificate. Payment

Gateway

Authorization Response

21

SET Internals: Payment Capture Contains 2 messages:

Capture Request Capture Response

Merchant

I need to have the payment for this purchase. Here are the transaction id, amount and my digital certificate. Payment

Gateway

Capture Request

22

SET Internals: Payment Capture

Merchant

Payment to you is authorized. Here are the details. Also enclosed is my digital certificate.

Payment Gateway

Capture Response

23

SET Conclusion

SSL and SET are both used for facilitating using secure exchange of information.

SSL is used for exchange information of any kind between only two parties (a client and a server).

SET is designed for conducting e-commerce transactions

24

SSL VERSUS SETIssue SSL SET

Main aim Exchange of data in an encrypted form

E-commerce related payment mechanism

Certification Two parties exchange certificates All the involved parties must be certified by a trusted third party

Authentication Mechanisms in place, but not very strong

Strong mechanisms for authenticating all the parties involved

Risk of merchant fraud

Possible, since customer gives financial data to merchant

Unlikely, since customer gives financial data to payment gateway

Action in case of customer fraud

Merchant is liable Payment gateway is liable

Practical usage High Low at the moment, expected to grow