Secure Electronic Transaction (SET) is an open encryption and security specification (available at http://www.setco.org/) designed to protect credit-card transactions on the Internet. The current version, SET 1.0, emerged from a call for security standards by MasterCard and Visa in February 1996. A wide range of companies were involved in developing the initial specification, including IBM, Microsoft, Netscape, RSA, Terisa, and Verisign. Beginning in 1996, there have been numerous tests of the concept, and by 1998, the first wave of SET-compliant products was available.
SET is not itself a payment system. Rather, it is a set of security protocols and formats that enables users to employ the existing credit-card payment infrastructure on an open network, such as the Internet, in a secure fashion. In essence, SET provides three services:
Provides a secure communications channel among all parties involved in a transaction.
Provides trust by the use of X.509 Version 3 digital certificates.
Ensures privacy because the information is only available to parties in a transaction when and where necessary.
The SET Scene
SET involves interaction among credit-card holders, merchants, issuing banks, payment processing organizations, and public-key certificate authorities. SET is a complex specification defined in three "books" (also available for download at http://www.setco.org/), including a programmer's guide, issued in May of 1997 and running nearly 1000 pages. SET incorporates important features needed for secure credit-card transactions over the Internet:
Confidentiality of information. Cardholder account and payment information is secured as it travels across the network. An interesting and important feature of SET is that it prevents merchants from learning the cardholder's credit-card number; this is only provided to the issuing bank. Conventional encryption by DES is used to provide confidentiality.
Integrity of data. Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transit. RSA digital signatures, using SHA-1 hash codes, provide message integrity. Certain messages are also protected by the message authentication code HMAC, using SHA-1.
Cardholder account authentication. SET lets merchants verify that a cardholder is a legitimate user of a valid card account number. SET uses X.509v3 digital certificates with RSA signatures for this purpose.
Merchant authentication. SET lets cardholders verify that a...
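The confidentiality feature described above (the merchant relays payment data it cannot read, and only the bank can recover the card number) is the digital-envelope pattern. The following Go program is an added illustration, not code from the SET specification or from any SET product: a fresh single-DES session key encrypts the payment instructions and the bank's RSA public key wraps that key. The type and function names (Envelope, Seal, Open), the PKCS#7 padding and the PKCS#1 v1.5 key wrapping are assumptions made for this example and are not SET's actual message formats.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// Envelope is a constructed, simplified SET-style digital envelope: the merchant relays it,
// but only the holder of the bank's RSA private key can unwrap the DES session key inside it.
type Envelope struct {
	WrappedKey []byte // 8-byte DES session key encrypted with the bank's RSA public key
	Ciphertext []byte // IV || DES-CBC(PKCS#7-padded payment instructions)
}

// Seal runs on the cardholder side: draw a fresh DES key and IV, CBC-encrypt the
// payment instructions, then wrap the key so that only the bank can recover it.
func Seal(bankPub *rsa.PublicKey, payment []byte) (*Envelope, error) {
	kiv := make([]byte, 8+des.BlockSize) // session key || IV
	if _, err := rand.Read(kiv); err != nil { return nil, err }
	blk, err := des.NewCipher(kiv[:8])
	if err != nil { return nil, err }
	pad := des.BlockSize - len(payment)%des.BlockSize // PKCS#7: always 1..8 bytes
	padded := append(append([]byte(nil), payment...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, kiv[8:]).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, bankPub, kiv[:8])
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Ciphertext: append(kiv[8:], ct...)}, nil
}

// Open runs at the bank. A merchant holding only the envelope has no key that
// makes this succeed, which is how the card number stays hidden from it.
func Open(bankPriv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, bankPriv, e.WrappedKey)
	if err != nil { return nil, err }
	blk, err := des.NewCipher(key) // rejects anything that is not exactly 8 bytes
	if err != nil { return nil, err }
	if n := len(e.Ciphertext); n < 2*des.BlockSize || n%des.BlockSize != 0 { return nil, errors.New("ciphertext not block aligned") }
	pt := make([]byte, len(e.Ciphertext)-des.BlockSize)
	cipher.NewCBCDecrypter(blk, e.Ciphertext[:des.BlockSize]).CryptBlocks(pt, e.Ciphertext[des.BlockSize:])
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= des.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}
```

DES-CBC alone gives the merchant no way to detect tampering; that is why SET layers RSA signatures and HMAC-SHA-1 on top, as the integrity paragraph above describes.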