
SET stands for Secure Electronic Transactions and is a proposed standard for performing credit card transactions over the Internet. It is being developed jointly by Visa and MasterCard, with technical assistance from various Internet, information systems, and cryptology companies such as Netscape, IBM and VeriSign. With these names behind it, in the future SET may very well become the dominant method for paying by credit card over the Internet.
MasterCard and Visa are developing SET as a license-free protocol for credit card transactions over the Internet. Even though it is being developed by MasterCard and Visa, the protocol can be used by any type of credit card such as American Express or Discover. It is important to note that SET is still a work in progress. Visa and MasterCard have released drafts of both the business and technical specifications of SET for public comment. MasterCard states that testing of SET should start in the second quarter of 1996, and it should be available for use by the fourth quarter.
There are several goals they want to achieve by creating this protocol. First, they want to create a simple, inexpensive way for merchants to conduct credit card sales over the Internet. Second, they want to produce a protocol for processing credit card transactions that would have little impact on the existing financial infrastructure. Third, the SET protocol will allow software vendors to produce credit card payment software that will interoperate. Also, by being an open, license-free standard, SET will create a level playing field and ensure competition among software vendors. This should keep costs down for merchants and financial institutions interested in processing credit card payments over the Internet.
On the surface, the SET protocol looks very similar to the CyberCash payment system. Merchants and buyers will both need software which follows the SET protocol in order to use SET for credit card transactions. Also, acquiring banks process credit card transaction requests delivered to them through SET in much the same way as they process requests coming through a point of sale terminal. Merchants can request the same types of transactions (authorize, authorize and capture, etc.) as they can through CyberCash.
There are differences between CyberCash and SET. CyberCash takes an active role in processing each credit card transaction that flows through their system. CyberCash's server sits in between the merchant and the acquiring bank. It verifies the identity of the buyer and the merchant involved in the transaction. The server also handles the translation from a CyberCash format for transaction data to the format used by the acquiring banks. With SET, there is no single company which will be responsible for processing the transactions. The task of translation from SET request format to the format used by acquiring banks is done by the SET payment gateway. These gateways will either be run by companies contracted by the acquiring banks to do so on their behalf (most likely), or by the acquiring banks themselves. Identity verification of buyers, merchants, and acquiring banks is not handled by a centralized server. SET uses a system of certificates for party verification. Certificates are like the stamp a notary public places on a document to confirm the signatures on it. Certificates are issued by a trusted entity or "certificate authority" that can vouch that the party presenting a digital signature is who they say they are. The certificate shows that the signature has been proven to belong to the party in question. These certificates are passed between the buyer's, merchant's, and acquirer's payment gateway software to prove that each entity involved in the transaction is who they claim to be. For a fairly understandable and detailed explanation of how certificates work within the SET protocol, I advise the reader to download a copy of the SET business specifications.
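The certificate check described above, as an added example that is not taken from the SET specifications: a certificate authority signs a statement binding a party's name and role to its public key, and the receiving party accepts a signed message only if that statement verifies under the authority's key. The key sizes, field names, party names and the unpadded textbook RSA are assumptions made so the sketch runs with the standard library only; SET's real certificate and message formats are not reproduced.

```python
import hashlib
import json

E = 65537  # public exponent shared by every toy key below (assumption)

def mersenne(k):
    return 2**k - 1

def make_key(p, q):
    """Textbook RSA key from two primes: constructed, unpadded, illustration only."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest_int(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest_int(data, n)

def tbs_bytes(body):
    # Canonical bytes of the statement the certificate authority signs.
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(ca_key, subject, role, subject_n):
    body = {"subject": subject, "role": role, "public_n": subject_n}
    return {"body": body, "ca_sig": sign(ca_key, tbs_bytes(body))}

def accept(ca_n, cert, expected_role, message, sig):
    """Accept a signed message only if the certificate was issued by the CA,
    names the expected role, and the certified key signed the message."""
    body = cert["body"]
    return (verify(ca_n, tbs_bytes(body), cert["ca_sig"])
            and body["role"] == expected_role
            and verify(body["public_n"], message, sig))

# Constructed keys built from Mersenne primes (hypothetical parties).
CA = make_key(mersenne(521), mersenne(607))
MERCHANT = make_key(mersenne(107), mersenne(127))
IMPOSTOR = make_key(mersenne(61), mersenne(89))

ORDER = b"authorize order 1001"  # constructed message
MERCHANT_CERT = issue_cert(CA, "Example Books", "merchant", MERCHANT["n"])
# The impostor signs its own certificate instead of obtaining one from the CA.
FORGED_CERT = issue_cert(IMPOSTOR, "Example Books", "merchant", IMPOSTOR["n"])

if __name__ == "__main__":
    print(accept(CA["n"], MERCHANT_CERT, "merchant", ORDER, sign(MERCHANT, ORDER)))
    print(accept(CA["n"], FORGED_CERT, "merchant", ORDER, sign(IMPOSTOR, ORDER)))
```

No central server takes part in the check: the verifier needs only the authority's public value `CA["n"]`, which is the contrast with CyberCash drawn above.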
The SET payment process is slightly more complicated than the others discussed in this paper because of the need to pass public keys between parties and verify certificates during the transaction. The payment process outlined below follows the outline set forth in the SET business specifications. It shows a merchant requesting authorization of the credit card transaction at the time of sale, and then requesting the actual capture (charging the account) at a later time. The document does state that SET allows for the capture of the credit card charge at the same time as authorization. However, I think they wanted to present a case which closely reflects the sequence of events that takes place under credit card transactions conducted through normal retail channels.