SET APPLICATIONS - PowerPoint PPT Presentation

1
SET APPLICATIONS
  • Dr. Ayse Basar Bener

2
WHY SET?
  • Security concern of
  • Consumers
  • Merchants
  • Issuer, Acquirer and Settlement Banks
  • Growth in volume of credit card transactions over
    the internet
  • Need a protocol that protects consumers and
    merchants alike, allowing each to verify the
    identities of the other parties without
    necessarily revealing credit card information
  • This level of authentication does not exist in
    other cryptography-based protocols such as SSL

3
SET: A Brief History
  • Visa and Microsoft
  • Secure Transaction Technology (STT) 1995
  • MasterCard, Netscape, IBM, CyberCash
  • Secure Electronic Payment Protocol (SEPP) 1996

4
SET: A Brief History
  • STT and SEPP
  • Change the bankers' treatment of internet-based
    credit card transactions
  • Require all parties to have digital certificates
  • Required having public key certificate authorities
  • Use industry standard public key cryptography
    techniques: Rivest, Shamir, Adleman (RSA)
  • Encrypt only credit card numbers and
    transactional data rather than the entire browser
    and shopping sessions
  • Enable using any type of credit card regardless
    of its issuer

5
SET: July 1997
  • Objectives
  • Provide confidentiality of payment information
  • Ensure the integrity of all transmitted data
  • Provide authentication that a Cardholder is a
    legitimate user of a branded payment card account
  • Provide authentication that a Merchant can accept
    payment card transactions through its bank
  • Ensure the use of best security practices and
    system design techniques to protect all
    legitimate parties
  • Facilitate and encourage interoperability among
    software and network providers

6
SET
  • Out-of-band
  • Phases that are not included under SET
  • Activities whose implementation is left up to the
    involved parties
  • Systems required for using SET
  • Merchants and banks need to customise their own
    applications in order to plug into SET
    infrastructure

7
PAYMENT SYSTEMS
  • Closed Loop Systems
  • Amex, Discover, Diners Club
  • The bank serves as a broker between the user of
    its cards and the Merchants
  • Open Loop Systems
  • Cardholder and Merchant have different banks, and
    the transaction is settled by a bank different
    from either of the two
  • Visa and MasterCard

8
Credit cards - a successful model

9
SETTLEMENT PROCESS
  [Figure: settlement flow between Bank 123 and Bank 225 through
  the banks' interchange and the cards processing bank; each side
  shows ACCT, BIN and Amt columns with matching Debit and Credit
  entries of 50]

10
SET: enter the Certificate Authority

11
SET: security
  • Implemented through Public-Private Key (PPK)
    cryptography through digital certificates
  • SET's participants
  • Cardholders
  • Merchants
  • Acquirer payment gateways
  • Credit and Debit Card Brand Associations
  • Certificate Authorities

12
Digital Certificates
  • Owner's public key
  • Owner's name
  • Expiration date of the public key
  • Name of the certificate issuer
  • Serial number of the certificate
  • Digital signature of the certificate issuer

13
Multiple CAs Trust - Technical Architecture
  [Figure; source: Identrus]

14
Trust - Core Operating Flows
  [Figure; source: Identrus]

15
Digital Signatures
  [Figure: Alice's private key (secret) applies the mathematical
  transformation that signs the unsigned data; Alice's public key
  (not secret), published in a public directory, applies the inverse
  mathematical transformation for the signature check at B;
  tampering on the hostile network between A and B makes the
  signature check fail]

16
SECURE ELECTRONIC TRANSACTIONS (SET)
  • SET is implemented as pairs of request and
    response messages that serve the same functions
    as a POS terminal on a private network.
  • These message pairs are wrapped in cryptography
    before being placed onto the public internet to
    hide their contents
  • SET uses digital certificates for authentication
    of the customer and the merchant

17
SET
  • Each participant in a SET transaction requires a
    specific certificate
  • uniquely identify the participant
  • confirms privileges as a cardholder or as a
    merchant
  • cardholder certificates are constructed
  • physical piece of plastic
  • signature at the back of it

18
SET
  • Merchant certificates assure transaction acquirer
    and the cardholders that
  • legitimate operator
  • honest brand
  • SET certificate management and processing
  • certificates are kept current, safe, and always
    ready for use

19
SET
  • Steps in SET
  • all SET software and digital certificates need to
    be in place
  • the shopping experience
  • item selection
  • check out
  • form of payment selection
  • payment initiation processing
  • payment authorisation request
  • delivery of goods
  • capture and settlement

20
SET
  • Digital certificates
  • owner's public key
  • owner's name
  • expiration date of the public key
  • name of the certificate issuer
  • serial number of the certificate
  • digital signature of the certificate issuer

21
SET
  • Digital signature
  • on-line substitution for the written signature
  • an authentication that you are who you claim to
    be
  • legally binding endorsement of the document that
    you transmit
  • helps to ensure that the information in the
    message is not altered in any way
  • Digital certificates are essential for SET
  • used to sign messages prior to their transmission

22
SET
  • Step 1
  • a cardholder selects the payment card on the
    Merchant's SET payment module
  • Step 2
  • The merchant SET payment module sends to the
    cardholder's e-wallet (specific to the card brand
    selected)
  • merchant signature and key exchange certificates
  • payment gateway signature and key exchange
    certificates

23
SET
  • Step 3
  • the cardholder e-wallet begins to screen the tree
    of trust among the certificate chain supplied
  • upon a successful screening, the e-wallet returns
    a copy of the cardholder signature to use in
    signing messages
  • cardholders normally will not process key
    exchange certificates since they are not
    responsible for message processing work.

24
SET
  • Step 4
  • with certificate exchange and trust tree
    screening steps complete, all parties are now
    authenticated and processing will begin
  • message protection and confidentiality can be
    assured, since all parties now trust one
    another.

25
SET
  • Roles and responsibilities- cardholders
  • a web browser that contains an e-wallet component
  • Netscape and IE support e-wallet plug-ins or
    e-wallet programs
  • visit a web site and download one
  • once e-wallet works properly, then obtain a
    digital certificate for each credit card
  • visit CA on-line
  • keep your private key component private through
    password protection
  • when sending messages through the Internet, make
    sure that the browser supports Secure Sockets
    Layer (SSL) encryption.

26
SET
  • Roles and responsibilities- merchants
  • merchant server POS software performs the tasks
    of cryptographic processing, message preparation,
    and merchant certificate management
  • merchant servers communicate with both the
    cardholder's web browser/e-wallet and acquirer
    payment gateways that serve the banks and payment
    card companies.
  • Merchant POS software also communicates with the
    acquirer's payment gateway for authorisation of
    charge requests, settlement of charges, and batch
    administration work.

27
SET
  • Roles and responsibilities- acquirer payment
    gateways
  • operated on behalf of many financial institutions
  • check currency and legitimacy of all certificates
    presented
  • maintain an appropriate interface to traditional
    banking systems that permits the Internet to
    behave as though it is a private leased line
    connection to the banking networks

28
SET
  • Roles and responsibilities- payment card brand
    associations (Visa, Mastercard, Amex)
  • maintain the SET root key that is used to sign
    all Brand certificates and establish brand
    certificate authority hierarchies
  • establish brand certificates for legitimate SET
    uses
  • no direct interactions with other parties

29
SET
  • Roles and responsibilities- certificate
    authorities
  • gather authentication information from
    cardholders, merchants, and payment gateway
    operators who request certificates
  • forward the authentication data to the Issuer or
    Acquirer for verification
  • renewal processing of the previously issued
    certificates
  • maintain brand root keys
  • certify the presence of other CAs
  • Revoke certificates on cancelled accounts as
    instructed by the card issuers
  • maintain the certificate revocation list for all
    compromised private keys.
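
The certificate fields listed on slides 12 and 20, the signature check of slides 15 and 21, the e-wallet's screening of the "tree of trust" in Step 3 (slide 23), and the revocation list kept by the CA (slide 29) fit together in one worked example. The code below is added here and is not from the presentation or from any SET implementation: it uses textbook RSA over SHA-256 with no padding purely so that it runs on the Python standard library, and the names ("Brand Root CA", "Brand CA", "Example Merchant", "Acquirer Gateway"), serial numbers, expiry times and the revocation entry are all constructed for illustration.

```python
# Added example, not from the slides: a toy model of the SET e-wallet's "tree of
# trust" screening. Textbook RSA over SHA-256 (no padding) is used only so the
# code runs with the standard library alone; real SET used X.509 and padded RSA.
import hashlib
import json
import random

_rng = random.SystemRandom()  # OS entropy, not the seedable default generator

def _is_probable_prime(n, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) RSA keys as dicts; e = 65537."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    """Slide 15's 'mathematical transformation' with the private key."""
    return pow(_digest(data), private["d"], private["n"])

def verify(public, data, signature):
    """The 'inverse mathematical transformation' with the public key."""
    return pow(signature, public["e"], public["n"]) == _digest(data)

def _to_be_signed(cert):
    """Canonical bytes of the five fields the issuer signs (slide 12's list)."""
    fields = {k: cert[k] for k in ("owner", "public_key", "expires", "issuer", "serial")}
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(owner, owner_public, expires, issuer, issuer_private, serial):
    cert = {"owner": owner, "public_key": owner_public, "expires": expires, "issuer": issuer, "serial": serial}
    cert["signature"] = sign(issuer_private, _to_be_signed(cert))
    return cert

def screen_chain(chain, trusted_roots, crl, now):
    """Leaf-first walk: each cert must be current, unrevoked, named and signed by the next one, the last by a trusted root."""
    for i, cert in enumerate(chain):
        if cert["expires"] <= now:
            return False, f"{cert['owner']}: certificate expired"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['owner']}: certificate revoked"
        if i + 1 < len(chain):
            if chain[i + 1]["owner"] != cert["issuer"]:
                return False, f"{cert['owner']}: issuer name mismatch"
            issuer_key = chain[i + 1]["public_key"]
        else:
            issuer_key = trusted_roots.get(cert["issuer"])  # brand root key (slide 28)
            if issuer_key is None:
                return False, f"{cert['owner']}: chain does not end at a trusted root"
        if not verify(issuer_key, _to_be_signed(cert), cert["signature"]):
            return False, f"{cert['owner']}: signature check failed"
    return True, "chain verified"

def demo(now=1_000_000):
    """Constructed scenario: brand root -> brand CA -> merchant and gateway certs."""
    root_pub, root_priv = generate_keypair()
    ca_pub, ca_priv = generate_keypair()
    roots = {"Brand Root CA": root_pub}
    ca_cert = issue_certificate("Brand CA", ca_pub, now + 10_000, "Brand Root CA", root_priv, 1)
    merchant = issue_certificate("Example Merchant", generate_keypair()[0], now + 5_000, "Brand CA", ca_priv, 42)
    gateway = issue_certificate("Acquirer Gateway", generate_keypair()[0], now - 1, "Brand CA", ca_priv, 43)
    crl = set()
    results = {"merchant": screen_chain([merchant, ca_cert], roots, crl, now),
               "gateway_expired": screen_chain([gateway, ca_cert], roots, crl, now),
               "tampered": screen_chain([dict(merchant, owner="Impostor"), ca_cert], roots, crl, now)}
    crl.add(("Brand CA", 42))  # issuer instructed revocation of the merchant's serial
    results["revoked"] = screen_chain([merchant, ca_cert], roots, crl, now)
    return results
```

Calling `demo()` screens four constructed chains: a valid merchant chain, an expired gateway certificate, a certificate whose owner field was altered after signing (so the issuer's signature no longer checks, the "tampering" case of slide 15), and the merchant certificate after the issuer placed its serial on the revocation list. Each check rejects the chain on its own; the order only decides which reason is reported.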

30
Garanti Bank is among the first 10 banks in Europe to
carry out a SET transaction.
  • April 97: First talks with Visa and Mastercard;
    joining the SET pilot group
  • July 97: The world's first SET-compliant
    transaction was carried out in San Francisco.
  • February 98: Garanti Bank, together with Spektrum
    Office Superstore, carried out the first SET
    transaction in Turkey.
  • The 4 banks taking part in the SET pilot study:
    1. Gesellschaft für Zahlungssysteme-Germany
    2. Sumimoto Credit Service-Japan
    3. Bank of America-USA
    4. Garanti Bankasi-Turkey

31
Secure Shopping (Güvenli Alisverisler)
  • 82 online stores, with work under way on 80 more
  • Customer information is kept secure with SET and
    SSL solutions (SSL between customer and store, SET
    between store and bank)
  • Giving full support to companies wanting to open
    an online store while also informing the market
  • Not a high number of transactions yet, but the
    growth trend is strong