6. Secure Electronic Transaction (SET)

SET (Secure Electronic Transaction) is a protocol developed by MasterCard and Visa to secure credit card transactions over the Internet by providing standards for secure communication and authentication. It involves multiple parties including cardholders, merchants, issuers, acquirers, and payment gateways, ensuring confidentiality and integrity through the use of digital signatures and certificates. The protocol facilitates the secure exchange of payment information while protecting sensitive cardholder data from merchants.


 Open encryption and security specification designed for protecting credit card transactions on the Internet
 Came to light as MasterCard and Visa realized that e-commerce processing software vendors were coming up with new and conflicting standards
 To avoid future incompatibility, MasterCard and Visa decided to come up with a single standard that set their differences aside, involving the major software manufacturers in the process
 SET is not a payment system but a set of formats and protocols that enable the existing credit card payment infrastructure to be used on the Internet in a secure way
 SET provides
  Secure communication channel among all the parties involved in a transaction
  Authentication of the parties by digital signature and digital certificates
  Confidentiality: payment information is made available only to the parties that need it (the card details are hidden from the merchant)
 Cardholder:- authorized holder of a payment card issued by the Issuer
 Merchant:- seller of goods, has a relationship with an Acquirer for accepting payment on the net
 Issuer:- financial institution that provides the payment card and is ultimately responsible for paying the cardholder's debt
 Acquirer:- financial institution that has a relationship with the merchant and provides assurance to the merchant that the cardholder's account is active and the payment can be made
 Payment Gateway:- processes the payment messages on behalf of the merchant
   Acts as the interface between SET and the existing card payment network for payment authorization
   The merchant exchanges SET messages with the payment gateway over the Internet
   The payment gateway is connected to the Acquirer's system

 CA:- Certification Authority, the trusted entity that issues the digital certificates (X.509) used by cardholders, merchants and payment gateways

Sequence of events in a SET transaction
1) The customer opens an account
2) The customer receives a certificate

3) The merchant receives a certificate

4) The customer places an order

5) The merchant is verified

6) The order & payment details are sent

7) The merchant requests payment authorization

8) The payment gateway authorizes the payment

9) The merchant confirms the order

10)The merchant provides goods or services

11)The merchant requests payment


How the payment information is protected
1) The SET software prepares the Payment Information (PI) on the cardholder's computer exactly the same way as it happens in any Web-based payment system
2) The cardholder's computer creates a one-time session key
3) Using this one-time session key, the cardholder's computer encrypts the payment information
4) The cardholder's computer then wraps the one-time session key with the public key of the payment gateway to form a digital envelope
5) It then sends the encrypted payment information (step 3) and the digital envelope (step 4) together to the merchant, which can open neither without the payment gateway's private key
SET defines three transaction types
A. Purchase Request:- the user is expected to have completed the shopping part, i.e. selection of goods, before this starts
B. Payment Authorization:- ensures that the issuer of the credit card has approved the transaction
C. Payment Capture:- for obtaining payment, the merchant engages the payment gateway in this transaction
Purchase Request

Step 1. Initiate Request

Step 2.Initiate response

Step 3.Purchase request

Step 4.Purchase response


 SET uses digital certificates heavily. Three kinds of entities are involved
a) Financial institutions:- banks that issue credit cards so that people can make purchases without cash; members of a common credit card payment system group (Visa, MasterCard); they also set up and monitor the various merchant- and bank-related services pertaining to credit cards
b) CA:- authenticates individuals and organizations and issues the digital certificates used to conduct e-commerce transactions; helps in ensuring non-fraudulent transactions over the web and is involved in the SET protocol indirectly (certificates are obtained before a transaction, not during it)
c) Payment gateways:- third-party payment processors that process payments on behalf of merchants in conjunction with the financial institutions; the function may be run by the FI itself or outsourced to a third party
Initiate Request (Cardholder -> Merchant): "Please send your digital certificate and that of the payment gateway. Here is a unique ID to identify our interaction, and here is my credit card issuer's name."
Initiate Response
 Sent by the merchant
 The merchant prepares the message in response to the cardholder's Initiate Request
 For ensuring non-repudiation it signs the message with the merchant's private key (digital signature of the merchant)
 Contains a unique transaction ID created by the merchant
 Carries the digital certificates of the merchant and of the payment gateway
Initiate Response (Merchant -> Cardholder): "Here is my transaction ID. Here is my digital certificate, and the payment gateway's too, as requested."
 The main action of the SET protocol happens here
 The cardholder verifies the identity of the merchant and of the payment gateway by checking the CA signatures on both certificates
 If verification succeeds, the cardholder creates two critical blocks of information
  Order Information (OI):- the order reference number and order details
  Payment Information (PI):- the card details
 For security, both PI and OI carry the transaction ID created by the merchant, so neither half can be re-used with another transaction
 The cardholder then prepares the Purchase Request package; a one-time (run-time) session key K is also generated
 The message contains the following parts
1. Purchase-related information:- meant for the payment gateway
   a. Contains  i) PI
                ii) Dual Signature (DS), a single signature computed over PI and OI
                iii) OI message digest (OIMD), the hash of OI
   b. All of these are encrypted with K
   c. A digital envelope, K encrypted with the payment gateway's public key, is attached; the merchant forwards this whole block to the payment gateway without being able to open it
2. Order-related information:- meant for the merchant
   a. Contains  i) OI
                ii) Dual Signature (DS), the same signature computed over PI and OI
                iii) PI message digest (PIMD), the hash of PI, so the merchant never sees the card details themselves
3. Cardholder's certificate:- contains the public key of the cardholder, needed by both merchant and payment gateway to verify DS
Purchase Request (Cardholder -> Merchant): "Here are my OI and PI details. I am also sending my digital certificate containing my public key, so that you and the payment gateway can verify the signature over the OI and PI."
 A concept is introduced here called the Dual Signature, which ensures that the merchant and the payment gateway each receive the information they require, while the cardholder protects the credit card details from the merchant and the order details from the payment gateway

PIMD = H(PI)
OIMD = H(OI)
POMD = H(PIMD || OIMD)
DS   = E(KR_c, POMD)        KR_c = cardholder's private key, i.e. POMD signed by the cardholder

 The cardholder hashes PI to get PIMD and OI to get OIMD, concatenates the two digests and hashes the result to get POMD, then signs POMD with its private key to generate DS. Either party can recompute POMD from its own half plus the digest of the other half, so DS is verifiable by both merchant and payment gateway
 The cardholder sends the merchant OI, DS and PIMD (but not PI); this lets the merchant verify that the order came from the cardholder and is bound to the payment, without seeing the card details
Step 1:- the merchant calculates its own OIMD from OI and uses it together with the PIMD received from the cardholder to generate its own POMD (say POMD1 = H(PIMD || OIMD))

Step 2:- the merchant verifies DS with the cardholder's public key (taken from the cardholder's certificate), which yields the POMD as calculated by the cardholder (say POMD2)

POMD2 = D(KU_c, DS)        KU_c = cardholder's public key

Step 3:- the merchant compares POMD1 with POMD2. If they are equal it trusts the message, as it is assured that the message came from the cardholder and that neither OI nor PIMD was altered in transit

POMD1 = POMD2 ? If yes, accept; else reject the message

Verification of cardholder's authenticity by merchant


 The payment gateway gets PI, DS and OIMD, using which it can verify POMD
 This assures the payment gateway that the payment information came from the cardholder
Step 1:- the payment gateway calculates its own PIMD from PI and uses it together with the OIMD received from the cardholder to generate its own POMD (say POMD1 = H(PIMD || OIMD))

Step 2:- the payment gateway verifies DS with the cardholder's public key to retrieve the POMD as calculated by the cardholder (say POMD2)

POMD2 = D(KU_c, DS)

Step 3:- the payment gateway compares POMD1 with POMD2. If they are equal it trusts the message, as it is assured that the message came from the cardholder and that this PI is the one the cardholder bound to the order

POMD1 = POMD2 ? If yes, accept; else reject the message

Verification of cardholder’s authenticity by payment gateway


 The cardholder protects its payment information from the merchant in the following way
 The cardholder creates PI, DS and OIMD and encrypts the whole block with the one-time session key K
 The cardholder then encrypts the session key K with the payment gateway's public key
 These two together form the digital envelope
 The cardholder sends the digital envelope to the merchant, instructing it to forward it to the payment gateway
 Since the merchant does not have the private key of the payment gateway, it cannot recover K and so cannot decrypt the envelope to obtain the payment details; of the payment information it sees only the digest PIMD
 On receiving the purchase request the merchant does the following
 Verifies the cardholder's certificate by means of its CA signature
 Verifies the dual signature over PI and OI using the cardholder's public key, ensuring the order was signed by the cardholder and not tampered with in transit
 Processes the order and forwards the purchase-related block (encrypted PI, DS and OIMD plus the digital envelope) to the payment gateway for authorization
 Sends a purchase response back to the cardholder
 The Purchase Response includes a message acknowledging the order and a reference to the transaction number; it is signed with the merchant's private key so the cardholder can verify it using the merchant's certificate
Purchase Response (Merchant -> Cardholder): "Here is the result of processing your order."
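The following Go program is an added worked example, not code from the original slides or from the SET specification. It walks the purchase request end to end: the cardholder builds the dual signature, seals {PI, DS, OIMD} in a digital envelope for the payment gateway and hands the merchant only {OI, PIMD, DS}; the merchant and the gateway each reconstruct POMD from their own half plus the other half's digest and verify DS; the merchant is shown to be unable to open the envelope. Assumptions: SHA-256 stands in for H, RSA PKCS#1 v1.5 for the signature, RSA-OAEP plus AES-256-GCM for the envelope (SET itself used SHA-1, RSA and DES), the JSON field layout is invented for the example, and the PI/OI strings are constructed sample data. The same Seal/Open pattern (sign, encrypt under a one-time key, wrap that key with the recipient's public key) is what the later authorization and capture messages use between merchant and gateway.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// h is the message digest H of the slides (SHA-256 here; SET itself used SHA-1).
func h(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// cat returns a||b in a fresh slice so neither input's backing array is touched.
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// gcmFor builds AES-256-GCM for a 32-byte key (errors are impossible for that size).
func gcmFor(k []byte) cipher.AEAD { blk, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(blk); return g }

// Envelope is the "digital envelope": one-time key K wrapped with the recipient's RSA key (OAEP) plus the payload encrypted under K.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Seal encrypts payload so that only the holder of pub's private key can recover K.
func Seal(pub *rsa.PublicKey, payload []byte) (Envelope, error) {
	k, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(k) // crypto/rand.Read never returns an error in current Go
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcmFor(k).Seal(nil, nonce, payload, nil)}, nil
}

// Open unwraps K with priv and decrypts; with the wrong private key (the merchant's, say) the OAEP unwrap fails.
func Open(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(k).Open(nil, e.Nonce, e.Ciphertext, nil) // fails if the ciphertext was altered
}

// DualSign: PIMD = H(PI), OIMD = H(OI), POMD = H(PIMD || OIMD), DS = Sign_cardholder(POMD).
func DualSign(card *rsa.PrivateKey, pi, oi []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, card, crypto.SHA256, h(cat(h(pi), h(oi))))
}

// verifyDS checks DS against a POMD that the receiving party reconstructed itself.
func verifyDS(cardPub *rsa.PublicKey, pomd, ds []byte) bool {
	return rsa.VerifyPKCS1v15(cardPub, crypto.SHA256, pomd, ds) == nil
}

// PurchaseRequest is what the cardholder hands to the merchant.
type PurchaseRequest struct {
	OI, PIMD, DS []byte   // order-related block: the merchant gets OI but only H(PI)
	ForGateway   Envelope // purchase-related block {PI, DS, OIMD}, sealed for the gateway
}
type gatewayBlock struct{ PI, DS, OIMD []byte } // invented layout for the example

// CardholderRequest builds both blocks; the merchant forwards ForGateway unopened.
func CardholderRequest(card *rsa.PrivateKey, gwPub *rsa.PublicKey, pi, oi []byte) (PurchaseRequest, error) {
	ds, err := DualSign(card, pi, oi)
	if err != nil {
		return PurchaseRequest{}, err
	}
	body, _ := json.Marshal(gatewayBlock{pi, ds, h(oi)})
	env, err := Seal(gwPub, body)
	return PurchaseRequest{OI: oi, PIMD: h(pi), DS: ds, ForGateway: env}, err
}

// MerchantVerify: POMD1 = H(PIMD || H(OI)); accept only if DS opens to the same value.
func MerchantVerify(cardPub *rsa.PublicKey, r PurchaseRequest) bool {
	return verifyDS(cardPub, h(cat(r.PIMD, h(r.OI))), r.DS)
}

// GatewayVerify opens the envelope, recomputes POMD1 = H(H(PI) || OIMD), checks DS and returns the recovered PI.
func GatewayVerify(gw *rsa.PrivateKey, cardPub *rsa.PublicKey, e Envelope) ([]byte, bool, error) {
	body, err := Open(gw, e)
	if err != nil {
		return nil, false, err
	}
	var g gatewayBlock
	if err := json.Unmarshal(body, &g); err != nil {
		return nil, false, err
	}
	return g.PI, verifyDS(cardPub, h(cat(h(g.PI), g.OIMD)), g.DS), nil
}

// newKey stands in for the certificate-issuing step: each party gets an RSA key pair.
func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	card, gateway := newKey(), newKey()
	pi := []byte(`pan=4111111111111111;exp=12/29;amt=49.99;txn=TX-1001`) // constructed sample data
	oi := []byte(`order=ORD-7;item=book;amt=49.99;txn=TX-1001`)         // same merchant transaction ID
	req, _ := CardholderRequest(card, &gateway.PublicKey, pi, oi)
	_, ok, _ := GatewayVerify(gateway, &card.PublicKey, req.ForGateway)
	fmt.Println("merchant verifies DS:", MerchantVerify(&card.PublicKey, req), "gateway verifies DS:", ok)
}
```

Note the division of knowledge the code enforces: the merchant holds OI and PIMD, the gateway holds PI and OIMD, and both arrive at the same POMD only if the two halves the cardholder signed are the ones they received. Altering a byte of OI at the merchant or of the sealed ciphertext in transit makes the respective verification fail, and Open with any key other than the gateway's returns an error instead of the PI.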
 This process ensures that the issuer of the credit card approves the transaction
 Happens when the merchant sends the payment details to the payment gateway
 The payment gateway verifies the details and authorizes the payment, ensuring that the merchant will receive payment
 Payment authorization consists of two messages
 Authorization Request and Authorization Response

Authorization Request
 Prepared by the merchant and sent to the payment gateway, containing:-
1. Purchase-related information:- the block received from the cardholder, i.e. PI, DS and OIMD encrypted under K, plus the digital envelope (K encrypted with the payment gateway's public key)
2. Authorization-related information:- the merchant takes the transaction ID, signs it with its private key and encrypts it with a one-time symmetric key generated by the merchant; that key is in turn encrypted with the payment gateway's public key (a second digital envelope)
3. Digital certificates:- the necessary certificates are attached, both the cardholder's and the merchant's, so the gateway can verify both signatures
Authorization Request (Merchant -> Payment Gateway): "Here are: a) the purchase information, b) the authorization information, c) the cardholder's and my certificates."
 The payment gateway sends back an authorization response message to the merchant containing:-
1. Authorization-related block:- signed with the payment gateway's private key, ensuring non-repudiation, and encrypted with a one-time symmetric key generated by the gateway; that key is encrypted with the merchant's public key (digital envelope) so that only the merchant can read the block
2. Capture token information:- needed later for the payment capture to proceed correctly; the merchant does not process it but stores it and returns it to the payment gateway in the capture request
3. Digital certificates:- the necessary certificates (the gateway's signature certificate) are attached to the message
Authorization Response (Payment Gateway -> Merchant): "Validations were OK. Here are the authorization information, the capture token information and my digital certificate."
 For obtaining payment the merchant involves the payment gateway in a payment capture transaction, which consists of a Capture Request and a Capture Response
 Step 1 Capture Request:- the merchant creates a capture request block containing
a. the amount to be paid
b. the transaction ID; the block is both signed with the merchant's private key and encrypted with a one-time key wrapped under the payment gateway's public key
c. the encrypted capture token received in the authorization response
 On receiving the capture request the payment gateway decrypts the capture request block and the capture token, checks that the two are consistent (same transaction, same amount), and prepares a clearing request which is sent to the issuer over the private payment network, resulting in funds being transferred to the merchant's account
 Step 2 Capture Response:- the payment gateway notifies the merchant of the payment; the message includes a capture response block signed and encrypted by the payment gateway, together with the gateway's digital certificate
 The merchant verifies and processes this message and stores the information for later use (reconciliation with the payment received from the acquirer)
Capture Request (Merchant -> Payment Gateway): "I need to have the payment for this purchase. Here are the transaction ID, the amount and my digital certificate."
Capture Response (Payment Gateway -> Merchant): "Payment to you is authorized. Here are my details; my digital certificate is also enclosed."
 SSL and SET are both used for ensuring secure exchange of information, but their purposes are different
 SSL secures information between only two parties: it deals with encryption and decryption of the channel and does not specify how payments are to be made; a merchant behind SSL still receives the full card details
 SET is designed specifically for conducting e-commerce payment transactions
 SET involves a third party, the payment gateway, responsible for obtaining credit card authorization and for payment to the merchant, and it keeps the card details hidden from the merchant by means of the dual signature and the digital envelope
Figure: certificate hierarchy. A Certificate Authority Group authorizes Certificate Authority A and Certificate Authority B to act as CAs; the merchant requests its certificate from one and the cardholder from the other, and each party's certificate is verified by asking the CA group to confirm it.

Figure: SET participants and messages. Cardholder <-> Merchant: Purchase Request / Purchase Response. Merchant <-> Payment Gateway: Authorization Request / Authorization Response. Both the merchant and the cardholder obtain their certificates from the CAs beforehand.

Figure: dual signature construction and verification
  Cardholder:      PIMD = H(PI); OIMD = H(OI); POMD = H(PIMD || OIMD); DS = E(KR_c, POMD)
  Merchant:        POMD1 = H(PIMD || H(OI))    (holds OI and PIMD, not PI)
  Payment gateway: POMD1 = H(H(PI) || OIMD)    (holds PI and OIMD, not OI)