SET is an open specification that enhances the existing payment-card-based schemes. The features of SET include cryptography, verification, and authentication. (Please refer to the Appendix for detailed information on SET.)
The protocol involves three major stages, shown in Figure 3. In the first stage, both the merchant and the cardholder have to register separately with a trusted CA to obtain merchant and cardholder certificates, respectively. Information such as a unique identity code and acquirer/financial institute account information has to be provided for the CA to verify. The possession of these certificates effectively authenticates their identities to any other parties who enter into an SET transaction with them. The sequence for cardholder registration is shown in Figure 4.
After the cardholder shops at the merchant's Web site, the cardholder initiates a purchase request to the merchant (Figure 5). The two parties authenticate each other's identity by exchanging their SET certificates, and the cardholder transmits the encrypted order and payment information to the merchant.
The merchant uses this payment information to make a payment authorization request to a payment gateway. If the payment instructions are approved, a capture token is sent to the merchant. After completing the processing of an order, the merchant can request the actual payment. The payment sum would usually be credited directly into the merchant's bank account from the card issuer. There would normally be a significant time lapse between payment authorization and payment capture, in accordance with normal financial transaction procedures.
To initiate the payment capture process, a capture request first has to be generated by the merchant. This includes information such as the total payment amount, the transaction identifier, etc. The request, together with the capture token from the earlier payment authorization process, is encrypted using the payment gateway's public key. When the payment gateway receives the capture request, it decrypts the request message and the capture token. It verifies that both carry consistent payment information and then uses the information to format a clearing request that is sent to the card issuer to carry out the actual credit transfer through financial networks.
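The consistency check the gateway performs between the capture token and the capture request is the security-relevant step of this stage. The following is an added example, not code from the original paper or from any SET implementation; it models the gateway issuing a capture token at authorization time, the merchant presenting it with a capture request, and the gateway checking the two agree before forming a clearing request. Real SET protects the token and request under the gateway's RSA public key; this example substitutes an HMAC under a constructed gateway-held secret so it runs with the standard library, and the rules that the capture amount must not exceed the authorized amount and that a token is usable once are assumptions added here.

```python
import hashlib
import hmac
import json

# Constructed secret standing in for the gateway's private key (assumption, not SET).
GATEWAY_SECRET = b"constructed-gateway-secret"


def _mac(payload: dict) -> str:
    # Canonical JSON so the same fields always yield the same tag.
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def issue_capture_token(trans_id: str, amount_cents: int, currency: str) -> dict:
    """Gateway side, at authorization: bind the approved amount to the transaction."""
    body = {"trans_id": trans_id, "auth_amount": amount_cents, "currency": currency}
    return {"body": body, "mac": _mac(body)}


def build_capture_request(trans_id: str, amount_cents: int, currency: str, token: dict) -> dict:
    """Merchant side: capture request (amount, transaction identifier) plus the earlier token."""
    req = {"trans_id": trans_id, "capture_amount": amount_cents, "currency": currency}
    return {"request": req, "token": token}


def process_capture(msg: dict, consumed: set) -> tuple:
    """Gateway side: check token integrity, request/token consistency, then replay.

    Returns (accepted, reason); 'consumed' records transaction ids already captured.
    """
    token, req = msg["token"], msg["request"]
    if not hmac.compare_digest(token["mac"], _mac(token["body"])):
        return False, "capture token tampered or not issued by this gateway"
    body = token["body"]
    if req["trans_id"] != body["trans_id"]:
        return False, "transaction identifier mismatch"
    if req["currency"] != body["currency"]:
        return False, "currency mismatch"
    if req["capture_amount"] > body["auth_amount"]:
        return False, "capture exceeds authorized amount"
    if body["trans_id"] in consumed:
        return False, "capture token already used"
    consumed.add(body["trans_id"])
    # Only now would the gateway format the clearing request for the card issuer.
    return True, "clearing request sent to issuer"
```

A gateway that skipped the amount or identifier comparison would accept a token from one authorization against a capture for another, which is exactly the inconsistency the protocol's decrypt-and-verify step exists to catch.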