Integrated Media Marketing Subtopic Page 1 
  
Secure Electronic Transactions (SET)

For business-to-business or business-to-customer transactions, there must be a single standard for authentication and encryption. SET (Secure Electronic Transactions) was developed to address this need, and utilises encryption, digital signatures and digital certificates.

SET was developed by Mastercard and Visa, in conjunction with IBM, Verisign, SAIC, Terisa Systems, Microsoft and Netscape. Although SSL (Secure Sockets Layer) has been improved since this study was written, SET offers the best solution to the three transaction requirements outlined below.

When a customer makes a purchase or order over the Internet, the following secure transaction requirements must be met:

  1. Any sensitive information (e.g. credit card details) must be protected, i.e. an attacker must be unable to read or modify the data. Customers and merchants must use encryption technologies, where an algorithm is applied to the data and converts it into an unreadable form. Only users holding the specific key can then convert (decrypt) the data back into readable form.
  2. The identity of the purchaser must be assured. For example, mail order over the Internet provides merchants with no security: the merchant cannot confirm the identity of the customer, so customers can later challenge the transactions made with their cards. The solution is authentication of customer purchases, in which both the integrity of the transmitted message and the identity of the customer are verified.
  3. Non-repudiation of receipt and delivery: a customer cannot deny that a delivery or payment has been made. Digital certificates that authenticate both merchants and customers are issued by third-party organizations known as certification authorities.

The ‘Cert-co’ holds a ‘root’ certificate, which is used to sign the digital certificates issued to each card brand. These are in turn used to sign certificates for merchants and cardholders. This is known as a ‘hierarchy of trust’, with each issuer knowing the recipient through an existing relationship.

An important security feature of SET transactions is that a financial institution known as an ‘acquirer’ authenticates both the merchant and the customer. The merchant cannot view the customer’s credit card details; only the customer’s financial institution reads and authenticates them. Once the acquirer has authenticated the customer, the digital certificate is stored on the customer’s computer so that further transactions can be made. However, storing certificates on the client PC poses a security risk, and it means the customer can only make transactions from that particular machine. The solution to this problem is smartcards, which will be used in SET transactions.
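The split described above, where the merchant never sees the card details yet merchant and acquirer can both confirm they are handling the same purchase, is what SET's dual signature provides (the mechanism is not named on this page). The Python below is an added example, not code from the original page or from the SET specification; it assumes SHA-256, uses the unsigned hash in place of the cardholder's RSA signature, and the order and payment data are constructed samples.

```python
import hashlib
import hmac
import json

# Constructed sample data for one purchase: what the cardholder knows.
ORDER_INFO = {"merchant": "Example Shop", "items": ["widget"], "amount": "19.99"}
PAYMENT_INFO = {"pan": "4111111111111111", "expiry": "12/99", "amount": "19.99"}

def digest(part) -> bytes:
    """Hash of a message part, serialised canonically so both sides agree."""
    return hashlib.sha256(json.dumps(part, sort_keys=True).encode()).digest()

def dual_signature(oi, pi) -> bytes:
    """SET's dual signature binds order info (OI) and payment info (PI)
    through H(H(OI) || H(PI)). Real SET signs this value with the
    cardholder's certificate key; the unsigned hash stands in here (assumption)."""
    return hashlib.sha256(digest(oi) + digest(pi)).digest()

def cardholder_builds_messages(oi, pi):
    """Split one purchase into two messages: the merchant never receives PI,
    the acquirer never receives OI, yet both carry the same dual signature."""
    ds = dual_signature(oi, pi)
    to_merchant = {"oi": oi, "pimd": digest(pi), "ds": ds}   # no card number here
    to_acquirer = {"pi": pi, "oimd": digest(oi), "ds": ds}   # no order detail here
    return to_merchant, to_acquirer

def merchant_verifies(msg) -> bool:
    """Merchant checks that the order it sees is bound to the unseen payment data."""
    expected = hashlib.sha256(digest(msg["oi"]) + msg["pimd"]).digest()
    return hmac.compare_digest(expected, msg["ds"])

def acquirer_verifies(msg) -> bool:
    """Acquirer checks that the card details it sees are bound to the unseen order."""
    expected = hashlib.sha256(msg["oimd"] + digest(msg["pi"])).digest()
    return hmac.compare_digest(expected, msg["ds"])

if __name__ == "__main__":
    to_merchant, to_acquirer = cardholder_builds_messages(ORDER_INFO, PAYMENT_INFO)
    print("merchant sees card number:", "pi" in to_merchant)      # False
    print("merchant check:", merchant_verifies(to_merchant))       # True
    print("acquirer check:", acquirer_verifies(to_acquirer))       # True
    # Changing the amount in the payment message breaks the link to the order.
    tampered = dict(to_acquirer, pi=dict(PAYMENT_INFO, amount="99.99"))
    print("acquirer check after tamper:", acquirer_verifies(tampered))  # False
```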

Smartcards are akin to credit cards, but they have a microchip instead of a magnetic strip. The microchip is used to store data, including electronic cash, and digital certificates for identity authentication. Smartcards are emerging as the preferred storage medium for digital certificates. They offer greater security for digital certificates than a hard disk and also enable the cardholder to use SET from any device with a card reader.

Smartcard readers can be incorporated into any electronically connected device, including telephones and PCs, with existing users having a reader built into the dialler or keyboard. The developers of SET are now testing uses for all forms of Internet identification, including business-to-business purchases [End-to-End Security (E2S)]. ©1998 Colin Germain
