SET is an open specification system that enhances the existing payment-card-based schemes. The features of SET are:
Cryptography – Use of message encryption ensures confidentiality of all transmitted information.
Verification – Provision for digital signatures ensures the integrity of payment information received.
Authentication – SET uses digital signatures and cardholder certificates to ensure the authentication of the cardholder account.
The cardholder makes payments with a payment card through the SET protocol. A merchant offers goods or services for sale in exchange for payment. A merchant capable of SET transactions can offer its clients (cardholders) secure electronic interactions. A merchant that accepts payment cards must have a relationship with an acquirer. An issuer is a financial institution that establishes an account for a cardholder and issues the payment card; the issuer guarantees payment for authorized transactions made with the card. An acquirer is the financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
The payment gateway is a device operated by an acquirer or a designated third party that processes merchant payment messages, including payment instructions from cardholders. A merchant must have identified and located a payment gateway before it can carry out SET transactions. The certificate authority (CA) is the provider of trusted digital certificates. In the SET context, CAs must be able to process registration requests from cardholders or merchants and issue authentication certificates.
Security in SET is based on public key infrastructure (PKI). Unlike symmetric cryptography, PKI removes the need to use the same key for encryption and decryption. Keys come in pairs of matched public and private keys. The public key can be distributed openly without compromising the private key, which must be kept secret by its owner. Encryption done with the public key can only be undone with the corresponding private key. This means that anyone with access to a public key can send a securely encrypted message to the key owner, and only the intended recipient (the key owner) can decipher it.
A digital signature is used in PKI to authenticate the origin of a message as well as to ensure that the message has not been tampered with in transit. A message is signed using the sender's private key while the sender's public key is used by the recipient to verify the signature. The slightest change in a signed document will cause the digital signature verification process to fail.
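As an added illustration (not part of the original text), the two properties just described, public-key encryption that only the key owner can undo and a signature that fails to verify after the slightest change, carried out with RSA from Go's standard library. The key sizes, the sample payment instruction and the function names are this example's own choices, not SET's message formats.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignPayment: the sender signs the SHA-256 digest of the payment information with its private key.
func SignPayment(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// VerifyPayment: the recipient checks with the sender's public key; any change to msg makes it false.
func VerifyPayment(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// Demo: the untouched instruction must verify, an altered amount must not, OAEP to the gateway must round-trip.
func Demo() (origOK, tamperedOK, roundTrip bool, err error) {
	cardholder, err := rsa.GenerateKey(rand.Reader, 2048) // cardholder signing pair (constructed)
	if err != nil {
		return
	}
	gateway, err := rsa.GenerateKey(rand.Reader, 2048) // gateway key-exchange pair (constructed)
	if err != nil {
		return
	}
	instr := []byte("amount=100.00 currency=USD order=42") // constructed sample instruction
	sig, err := SignPayment(cardholder, instr)
	origOK = err == nil && VerifyPayment(&cardholder.PublicKey, instr, sig)
	tampered := bytes.Replace(instr, []byte("100.00"), []byte("900.00"), 1) // altered in transit
	tamperedOK = VerifyPayment(&cardholder.PublicKey, tampered, sig)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &gateway.PublicKey, instr, nil)
	if err != nil {
		return
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, gateway, ct, nil)
	roundTrip = err == nil && bytes.Equal(pt, instr)
	return
}

func main() {
	fmt.Println(Demo()) // true false true <nil>
}
```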
Public key cryptography requires public access to the users' public keys. In a large network, digital certificates are the solution to this public key distribution problem. The CA is the entity that issues certificates. To obtain a certificate from the CA, the applicant usually has to prove their own identity or that of the organization they claim to represent. Digital certificates are used within SET to establish the trustworthiness of the other participant in a transaction. The certificates also show that the participants are SET-capable. The public keys of the SET participants are likewise distributed through the SET key-exchange certificates.