To provide secure commerce across the Web, Merchant System will rely on Secure Sockets Layer (SSL), a protocol for securing transactions between two applications, and Secure Electronic Transactions (SETs), a way to provide digital certificates of authenticity. Netscape developed the SSL protocol, which is built into many popular browsers, such as Microsoft Internet Explorer and Netscape Navigator.
SSL uses public and private encryption keys to provide privacy between two communicating applications and authenticates the server and (optionally) the client. The protocol begins with a handshake phase. During this phase, SSL negotiates an encryption algorithm and (symmetric) session keys before using certified asymmetric public keys to authenticate a server to the client. After the handshake, transmission of application data begins. SSL uses the session keys negotiated during the handshake to encrypt data. A customer can use a non-SSL compliant browser, but the transmission will not be secure.
SET is being developed by VISA, MasterCard, IBM, Netscape, SAIC, GTE, Terisa Systems, VeriSign, and Microsoft for release this year. It will guarantee a digitally signed transaction across the Internet. SET is not SSL. SET provides digital certificates so that a customer and a merchant can guarantee each other's authenticity. A certificate authority, such as VISA, issues a digital certificate to the customer and the merchant. Each certificate guarantees that each party is who it claims to be. At the time of the transaction, each party's SET-compliant software validates both the merchant and customer (cardholder) before exchanging any information. The validation involves checking digital certificates that an authorized, trusted third party issues. This approach helps reduce credit card fraud.
When a customer buys something, the browser requests a public key from the merchant and another key from the financial institution that will process the payment. The SET software in your browser encrypts the data using these keys. Order information goes to the merchant and payment information goes to the financial institution. After the financial institution processes payment, VeriFone vPOS software sends a key to the merchant to unlock the order. The merchant unlocks and processes the order with the financial institution's key. The merchant never sees the credit card information, and the financial institution never sees the order. The process is similar to the authorization code merchants use today during an in-store credit card transaction.
SET uses a 160-bit encryption algorithm to ensure that nothing in the order or payment has been altered since the customer signed and sent this information. SET calculates this algorithm according to the contents of your message. Because the encryption algorithm is used only for financial purposes, the US government has accepted this process for exporting the Microsoft Merchant System for use internationally. The government usually allows only 40-bit encryption on export products.
