To provide secure commerce across the Web, Merchant System will rely
on Secure Sockets Layer (SSL), a protocol for securing transactions between two
applications, and Secure Electronic Transactions (SETs), a way to provide
digital certificates of authenticity. Netscape developed the SSL protocol, which
is built into many popular browsers, such as Microsoft Internet Explorer and
Netscape Navigator.
SSL uses public and private encryption keys to provide privacy between two
communicating applications and authenticates the server and (optionally) the
client. The protocol begins with a handshake phase. During this phase, SSL
negotiates an encryption algorithm and (symmetric) session keys before using
certified asymmetric public keys to authenticate a server to the client. After
the handshake, transmission of application data begins. SSL uses the session
keys negotiated during the handshake to encrypt data. A customer can use a
non-SSL compliant browser, but the transmission will not be secure.
SET is being developed by VISA, MasterCard, IBM, Netscape, SAIC, GTE,
Terisa Systems, VeriSign, and Microsoft for release this year. It will guarantee
a digitally signed transaction across the Internet. SET is not SSL. SET provides
digital certificates so that a customer and a merchant can guarantee each
other's authenticity. A certificate authority, such as VISA, issues a digital
certificate to the customer and the merchant. Each certificate guarantees that
each party is who it claims to be. At the time of the transaction, each party's
SET-compliant software validates both the merchant and customer (cardholder)
before exchanging any information. The validation involves checking digital
certificates that an authorized, trusted third party issues. This approach helps
reduce credit card fraud.
When a customer buys something, the browser requests a public key from the
merchant and another key from the financial institution that will process the
payment. The SET software in your browser encrypts the data using these keys.
Order information goes to the merchant and payment information goes to the
financial institution. After the financial institution processes payment,
VeriFone vPOS software sends a key to the merchant to unlock the order. The
merchant unlocks and processes the order with the financial institution's key.
The merchant never sees the credit card information, and the financial
institution never sees the order. The process is similar to the authorization
code merchants use today during an in-store credit card transaction.
SET uses a 160-bit encryption algorithm to ensure that nothing in the order
or payment has been altered since the customer signed and sent this information.
SET calculates this algorithm according to the contents of your message. Because
the encryption algorithm is used only for financial purposes, the US government
has accepted this process for exporting the Microsoft Merchant System for use
internationally. The government usually allows only 40-bit encryption on export
products.