The process

15 January, 2016 - 09:48

The following set of steps illustrates SET in action.

13. The customer opens a MasterCard or Visa account with a bank.

14. The customer receives a digital certificate (an electronic file), which functions as a credit card for on-line transactions. The certificate includes a public key with an expiration date and has been digitally signed by the bank to ensure its validity.

15. Third-party merchants also receive digital certificates from the bank. These certificates include the merchant's public key and the bank's public key.

16. The customer places an electronic order from a merchant's Web page.

17. The customer's browser receives and confirms that the merchant's digital certificate is valid.

18. The browser sends the order message. It contains three parts: the order information, which is encrypted with the merchant's public key; the payment information, which is encrypted with the bank's public key (so it can't be read by the merchant); and information that ensures the payment can be used only with the current order.

19. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.

20. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.

21. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.

22. The bank digitally signs and sends authorization to the merchant, who can then fill the order.

23. The customer receives the goods and a receipt.

24. The merchant gets paid according to its contract with its bank.

25. The customer gets a monthly bill from the bank issuing the credit card.
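The "information that ensures the payment can be used only with the current order" in step 18 is what the SET specification calls a dual signature: the customer signs a hash of the order digest and the payment digest together. The sketch below is an added example, not code from the original page or from any SET implementation; it assumes a toy textbook-RSA customer key and constructed messages, and leaves out the public-key encryption of each part.

```python
import hashlib

# Toy customer key pair (constructed from two Mersenne primes; NOT secure,
# no padding). A real certificate would carry a full-size public key.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the customer


def h(data: bytes) -> bytes:
    """SHA-256 digest, used for both message parts and for the link."""
    return hashlib.sha256(data).digest()


def _to_int(digest: bytes) -> int:
    # Reduce the digest into the toy modulus so it can be signed.
    return int.from_bytes(digest, "big") % N


def dual_sign(order: bytes, payment: bytes) -> int:
    """Customer: sign H(H(order) || H(payment)) with the private key."""
    return pow(_to_int(h(h(order) + h(payment))), D, N)


def merchant_verify(order: bytes, payment_digest: bytes, sig: int) -> bool:
    """Merchant holds the order in clear but only a digest of the payment."""
    return pow(sig, E, N) == _to_int(h(h(order) + payment_digest))


def bank_verify(order_digest: bytes, payment: bytes, sig: int) -> bool:
    """Bank holds the payment in clear but only a digest of the order."""
    return pow(sig, E, N) == _to_int(h(order_digest + h(payment)))


# Constructed sample messages (the card number is a well-known test value).
ORDER = b"order=1001;item=book;total=25.00"
PAYMENT = b"card=4111111111111111;exp=12/99;total=25.00"
SIG = dual_sign(ORDER, PAYMENT)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(ORDER, h(PAYMENT), SIG))
    print("bank accepts:", bank_verify(h(ORDER), PAYMENT, SIG))
    # The same payment block attached to a different order fails at the bank.
    other = b"order=2002;item=laptop;total=25.00"
    print("replayed on other order:", bank_verify(h(other), PAYMENT, SIG))
```

The merchant never needs the payment data itself to check the link, and the bank never needs the order contents; each side checks the signature using the other part's digest.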

The advantage of SET is that a consumer's credit card number cannot be deciphered by the merchant. Only the bank and card issuer can decode this number. This facility provides an additional level of security for consumers, banks, and credit card issuers, because it significantly reduces the ability of unscrupulous merchants to establish a successful Web presence.

In order to succeed, SET must displace the current standard for electronic transactions, SSL, which is simpler than SET but less secure. Because of SSL's simplicity, it is expected to provide tough competition, and may remain the method of choice for the interface between the on-line buyer and the merchant. The combination of SSL and fraud-detection software has so far provided low-cost, adequate protection for electronic commerce.