INTERNET SECURITY : SET vs. SSL
By Michelle A. Gil

The SET Process

The SET protocol depends on the cooperation of four parties: the cardholder, the merchant, the bank that issues the credit card, and the merchant's bank. SET uses public/private key pairs and signed certificates to establish each participant's identity and allow them to send private messages to one another. A SET transaction generally involves nine steps, as follows:

1. The customer initiates the purchase. This first step involves the customer choosing an item he/she wants to buy and pressing the pay button. The SET software is then initialized according to the specifications of the user's browser.

2. The client's software sends the order and payment information. The SET software will create two messages. The first message contains order information consisting of the total purchase price and the order number. The second message is payment information that consists of the customer's credit card number and bank information.
The order information is encrypted using a random symmetric session key and packaged into a digital envelope using the merchant's public key. The payment information is also encrypted, but this uses the bank's public key. This prevents the merchant and bank from looking at each other's information. The SET software will now hash the order and payment information and sign it with the customer's key. This allows the merchant's bank and merchant to verify the integrity of both messages.

3. The merchant passes payment information to the bank. SET software on the merchant's server will generate a request, encrypt the customer's payment information, and forward it to the merchant's bank.

4. The bank checks the validity of the card. First the bank will decrypt the merchant's message and verify the merchant's identity. Next, it will decrypt the customer's payment information and verify the customer's identity. It then generates a request to the customer's bank to check for authorization.

5. The card issuer authorizes and signs the charge slip. The customer's bank confirms the identity of the merchant's bank, decrypts that information, and checks the customer's account. The card issuer approves the purchase provided that the customer's account is in good standing.

6. The merchant's bank authorizes the transaction.

7. The merchant's Web server completes the transaction. The merchant's Web server notifies the customer of the approval by displaying a confirmation page, and then enters the order into the merchant's order processing system.

8. The merchant captures the transaction. This is the final physical stage in the SET process. This confirms the purchase and charges the customer's credit card account.

9. The card issuer sends a credit card bill to the customer.
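The hashing and signing in step 2, and the checks the merchant and bank make on it, can be sketched as follows. This is an added example, not code from the original article or from any SET implementation; it goes slightly beyond the text by showing the linked-digest construction that SET calls a dual signature. Assumptions: SHA-256 as the hash, a toy unpadded RSA key built from two Mersenne primes as a stand-in for the customer's certified key, constructed sample messages, hypothetical function names, and no digital-envelope encryption.

```python
import hashlib

# Toy RSA key for the customer (assumption): two Mersenne primes, so only the
# standard library is needed. Unpadded RSA like this is for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # customer's private exponent


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Customer: sign H(H(PI) || H(OI)) so one signature covers both messages."""
    linked = digest(digest(payment_info) + digest(order_info))
    return pow(int.from_bytes(linked, "big"), D, N)


def _check(pi_digest: bytes, oi_digest: bytes, signature: int) -> bool:
    expected = int.from_bytes(digest(pi_digest + oi_digest), "big")
    return pow(signature, E, N) == expected


def merchant_verify(order_info: bytes, pi_digest: bytes, signature: int) -> bool:
    """Merchant sees the order and only the digest of the payment information."""
    return _check(pi_digest, digest(order_info), signature)


def bank_verify(payment_info: bytes, oi_digest: bytes, signature: int) -> bool:
    """Bank sees the payment information and only the digest of the order."""
    return _check(digest(payment_info), oi_digest, signature)


# Constructed sample messages (not real data).
ORDER = b"order=1001;total=59.90"
PAYMENT = b"card=4111111111111111;bank=EXAMPLE"
SIG = dual_sign(ORDER, PAYMENT)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(ORDER, digest(PAYMENT), SIG))
    print("bank accepts:", bank_verify(PAYMENT, digest(ORDER), SIG))
    # Changing the order after signing makes the merchant's check fail.
    print("tampered order:", merchant_verify(b"order=1001;total=5.00", digest(PAYMENT), SIG))
```

Each party verifies the same signature while holding only a digest of the message meant for the other, which is how the order and the payment stay bound together without being disclosed to both sides.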
