Harsh Mehta, profile picture
Uploaded byHarsh Mehta
PPT, PDF9,783 views

secure electronics transaction

The document provides an overview of the Secure Electronic Transaction (SET) protocol. It discusses: - SET is an open encryption standard designed to securely process credit card transactions over the internet. It uses digital certificates and signatures. - Key components of SET include confidentiality of information, integrity of data, cardholder authentication, and merchant authentication. - A SET transaction involves a cardholder, merchant, issuer, acquirer, payment gateway, and certification authority going through an initiate request, initiate response, purchase request, and purchase response process. - Payment authorization and capture are also part of the SET transaction flow. Digital signatures and certificates are used to authenticate parties and messages.

Embed presentation

Downloaded 526 times
Secure Electronic Transaction (SET) PRESENTED BY HARSH MEHTA
What Is SET? • SET is an open encryption and security specification designed to protect credit card transactions on the Internet. • SET is not itself a payment system. Rather it is a set of security protocols and formats that enables users to use the credit card payment infrastructure on an open network, such as the Internet, in a secure fashion. • It was first used in February 1996 and was proposed by Visa and Master Card. A wide range of companies were involved in developing the initial specification, including IBM, Microsoft, Netscape, RSA, Terisa, and Verisign
Key Features of SET • Confidentiality of information. • Integrity of Data. • Cardholder account authentication. • Merchant authentication.
Confidentiality of Information • A credit card holder’s personal and payment information is secured as it travels across the network. • An interesting feature of SET is that the merchant never sees the credit card number. •This is only provided to the issuing bank. Conventional encryption using DES is used to provide confidentiality.
Integrity of Data • Payment information sent from cardholders to merchants include i. personal information, ii. payment instructions. iii. order information. • SET guarantees that these message contents are not altered in transit. Using SHA-1 hash codes, data integrity provided.
Cardholder Account Authentication • SET enables merchants to verify that a cardholder is legitimate user of a valid card account number. • SET uses X.509v3 digital certificates with RSA signatures for this purpose.
Merchant Authentication • SET enables cardholders to verify that a merchant has a relationship with a financial institution which allow it to accept payment cards. • SET uses X.509v3 digital certificates with RSA signatures for this purpose.
SET Components and Participants
SET Participants • Cardholder • Merchant • Issuer • Acquirer • Payment Gateway • Certification Authority
Cardholder & Merchant Cardholder ◦ This is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. Merchant ◦ This is a person or organization who has things to sell to the cardholder. Ex.flipcart,ebay.
Issuer & Acquirer Issuer ◦ This is a financial institution such as a bank that provides the card holder with the payment card. Ex: mastercard,visa card. Acquirer ◦ This is a financial institution that establishes an account with the merchant and processes credit card authorizations and payments. ◦ The acquirer provides authorization to the merchant that a given card account is active. ◦ The Acquirer also provides electronic payments transfers to the merchant’s account.
Payment Gateway • This is a function that can be undertaken by the acquirer that processes merchant payment messages. • The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions.
Certification Authority(CA) • This is an entity that is entrusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.
SET Transactions
Events required for a Successful SET Transaction The customer opens an account with a card issuer. ◦MasterCard, Visa, etc. The customer receives a X.509 V3 certificate signed by a bank. ◦X.509 V3 A merchant who accepts a certain brand of card must possess two X.509 V3 certificates. ◦One for signing & one for key exchange The customer places an order for a product or service with a merchant’s website. The merchant sends a copy of its certificate for verification.
Events required for a Successful SET Transaction Cont’d The customer sends order and payment information to the merchant. The merchant requests payment authorization from the payment gateway prior to shipment. The merchant confirms order to the customer. The merchant provides the goods or service to the customer. The merchant requests payment from the payment gateway.
SET’s Dual Signature The purpose of the dual signature is to link two messages that are going to different recipients. ◦ Order Information (OI): Customer to Merchant ◦ Payment Information (PI): Customer to Bank The customer needs to send OI and PI to merchant and bank respectively. The merchant does not need to know the customers credit card number. The bank does not need to know what the customer is buying. however the two items must be linked in a way that can be used to resolve disputes if necessary.
Dual Signature The operation for dual signature is as follows: Take the hash (SHA-1) of the payment and order information. These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed. Customer encrypts the final hash with a private key creating the dual signature. DS = EKRC [ H(H(PI) || H(OI)) ]
DS Verification by Merchant • The merchant has the public key of the customer obtained from the customer’s certificate. • Now, the merchant can compute two values: H(PIMD || H(OI)) DKUC[DS] • Should be equal!
DS Verification by Bank • The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, then the bank can compute the following: H(H(PI) || OIMD) DKUC [ DS ]
purchase request exchange consists of four messages: 1. Initiate Request 2. Initiate Response 3. Purchase Request 4. Purchase Response Purchase Request
Initiate Request Basic Requirements: ◦ Cardholder Must Have Copy of Certificates for Merchant and Payment Gateway Customer Requests the Certificates in the Initiate Request Message to Merchant ◦ Brand of Credit Card ◦ ID Assigned to this Request/response pair by customer. ◦ nonce(timestamp) used to ensure timeliness.
Initiate Response Merchant Generates a Response • Signs with Private Signature Key. • Transaction ID for Purchase Transaction • Merchant’s Signature Certificate • Payment Gateway’s Key Exchange Certificate • the nonce from the customer • another nonce for the customer to return in the next message
Purchase Request Cardholder Verifies Two Certificates(merchant and gateway) Using Their CAs and Creates the OI and PI. First SET Message Includes: ◦Purchase-related Information ◦Order-related Information ◦Cardholder Certificate
Purchase Request – Customer
Purchase Request – Merchant
Purchase Response Message Message that Acknowledges the Order and References Corresponding Transaction Number Response Block is ◦Signed by Merchant Using its Private Key ◦Block and Signature Are Sent to Customer Along with Merchant’s Signature Certificate Upon Reception ◦Verifies Merchant Certificate ◦Verifies Signature on Response Block ◦Takes the Appropriate Action
Payment Process The payment process is broken down into two steps: ◦Payment authorization ◦Payment capture
Payment Authorization The merchant sends an authorization request message to the payment gateway consisting of the following: Purchase-related information ◦PI ◦Dual signature calculated over the PI & OI and signed with customer’s private key. ◦The OI message digest (OIMD) ◦The digital envelop
Continue.. ◦Authorization-related information An authorization block including: ◦A transaction ID ◦Signed with merchant’s private key ◦Encrypted one-time session key ◦Certificates ◦Cardholder’s signature key certificate ◦Merchant’s signature key certificate ◦Merchant’s key exchange certificate
Payment Gateway Authorization • verifies all certificates • decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block • verifies merchant's signature on authorization block • decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block • verifies dual signature on payment block • verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer • requests & receives an authorization from issuer • sends authorization response back to merchant
Authorization Response Authorization Response Message ◦Authorization-related Information ◦Capture Token Information ◦Certificate
secure electronics transaction

More Related Content

PPT
Digital Signature
byMohamed Talaat
 
PPTX
Cryptography
byShivanand Arur
 
PPT
Set Secure Electronic Transaction (SET)
bySuraj Dhalwar
 
PPT
Digital signature
byAJAL A J
 
PPTX
public key infrastructure
byvimal kumar
 
PPTX
Digital signature
byFilipp Kolobov
 
PPT
Digital certificates
bySheetal Verma
 
PPTX
EMV chip cards
byDilip Kumar
 
Digital Signature
byMohamed Talaat
 
Cryptography
byShivanand Arur
 
Set Secure Electronic Transaction (SET)
bySuraj Dhalwar
 
Digital signature
byAJAL A J
 
public key infrastructure
byvimal kumar
 
Digital signature
byFilipp Kolobov
 
Digital certificates
bySheetal Verma
 
EMV chip cards
byDilip Kumar
 

What's hot

PPT
Introduction to Digital signatures
byRohit Bhat
 
PPTX
Introduction to Public Key Infrastructure
byTheo Gravity
 
PDF
PolygonID Zero-Knowledge Identity Web2 & Web3
bySSIMeetup
 
PDF
2. public key cryptography and RSA
byDr.Florence Dayana
 
PPTX
Message digest 5
byTirthika Bandi
 
PPTX
Digital signatures
byReachLocal Services India
 
PDF
Public key Infrastructure (PKI)
byVenkatesh Jambulingam
 
PDF
Asymmetric Cryptography
byUTD Computer Security Group
 
PPTX
Hash function
bySalman Memon
 
PDF
SSL intro
byThree Lee
 
PPTX
Advanced cryptography and implementation
byAkash Jadhav
 
PPTX
Digital signature
byPraseela R
 
PPTX
Secure Socket Layer (SSL)
bySamip jain
 
PPTX
Secure Electronic Transaction (SET)
bySyed Taimoor Hussain Shah
 
PPTX
Digital Signature.pptx
byMd. AManullah Galib
 
PPTX
Digital signature(Cryptography)
bySoham Kansodaria
 
PDF
Digital signatures
byIshwar Dayal
 
PDF
Smart contracts
byremoved_5ef8f4100b1d7e8bfe3d2dc557fe10d0
 
PPTX
Biometric authentication ppt by navin 6 feb
byNavin Kumar
 
PPTX
Digital signature & certificate
byNetGains Technologies Pvt. Ltd.
 
Introduction to Digital signatures
byRohit Bhat
 
Introduction to Public Key Infrastructure
byTheo Gravity
 
PolygonID Zero-Knowledge Identity Web2 & Web3
bySSIMeetup
 
2. public key cryptography and RSA
byDr.Florence Dayana
 
Message digest 5
byTirthika Bandi
 
Digital signatures
byReachLocal Services India
 
Public key Infrastructure (PKI)
byVenkatesh Jambulingam
 
Asymmetric Cryptography
byUTD Computer Security Group
 
Hash function
bySalman Memon
 
SSL intro
byThree Lee
 
Advanced cryptography and implementation
byAkash Jadhav
 
Digital signature
byPraseela R
 
Secure Socket Layer (SSL)
bySamip jain
 
Secure Electronic Transaction (SET)
bySyed Taimoor Hussain Shah
 
Digital Signature.pptx
byMd. AManullah Galib
 
Digital signature(Cryptography)
bySoham Kansodaria
 
Digital signatures
byIshwar Dayal
 
Smart contracts
byremoved_5ef8f4100b1d7e8bfe3d2dc557fe10d0
 
Biometric authentication ppt by navin 6 feb
byNavin Kumar
 
Digital signature & certificate
byNetGains Technologies Pvt. Ltd.
 

Viewers also liked

PPTX
Smart Card Security
byReben Dalshad
 
PPSX
Secure electronic transaction
byNishant Pahad
 
PPTX
pgp s mime
byChirag Patel
 
PPTX
Digital Right Management
byRatul Alahy
 
PPTX
Lecture 10 intruders
byrajakhurram
 
PDF
Access Control Presentation
byWajahat Rajab
 
PPTX
IP Security
byKeshab Nath
 
PPTX
Electronic data interchange
byAbhishek Nayak
 
PDF
Secure electronic transaction (set)
byAgnė Chomentauskaitė
 
PPTX
S/MIME & E-mail Security (Network Security)
byPrafull Johri
 
PPT
Smart card
bySantosh Khadsare
 
PPT
Network security
byGichelle Amon
 
Smart Card Security
byReben Dalshad
 
Secure electronic transaction
byNishant Pahad
 
pgp s mime
byChirag Patel
 
Digital Right Management
byRatul Alahy
 
Lecture 10 intruders
byrajakhurram
 
Access Control Presentation
byWajahat Rajab
 
IP Security
byKeshab Nath
 
Electronic data interchange
byAbhishek Nayak
 
Secure electronic transaction (set)
byAgnė Chomentauskaitė
 
S/MIME & E-mail Security (Network Security)
byPrafull Johri
 
Smart card
bySantosh Khadsare
 
Network security
byGichelle Amon
 

Similar to secure electronics transaction

PPT
Secure electronic transactions (SET)
byOmar Ghazi
 
PPTX
Secure Electronic Transaction (SET)
byAjmi Siraj
 
PPTX
NETWORK SECURITY-SET.pptx
byDr.Florence Dayana
 
PPTX
Secure Electronic Transaction
byUnited International University
 
PPTX
Ecomm05.1.pptx(This is about e-commerce)
byabdulbaseerk135
 
PPTX
SSL TSL;& SET
byRamesh Ogania
 
PPTX
Electronic transaction final
byShikhaLohchab1
 
PPT
SET.ppt
bywitscollege
 
PPT
SET.ppt
byaldi219529
 
PPT
SET.ppt
bySiddharthRawat58
 
PPTX
Payment card security By Hitesh Asnani SVIT
byhiteshasnani94
 
PPTX
E transaction
byZeeshan Ahmed
 
PPT
SET (1).ppt
bychandrakaren21
 
PDF
Improving System Security and User Privacy in Secure Electronic Transaction (...
byIJERA Editor
 
PDF
Design and Implementation of Electronic Payment Gateway for Secure Online Pay...
byijtsrd
 
PPT
Secure enhancement transaction presentation
byBobby Pra A
 
PPT
Unit -- 5.ppt
byDHANABALSUBRAMANIAN
 
PPT
Secnet
bySuman Madan
 
PDF
IS Unit 9_Web Security
bySarthak Patel
 
PPT
E Payment
byAnkit Saxena
 
Secure electronic transactions (SET)
byOmar Ghazi
 
Secure Electronic Transaction (SET)
byAjmi Siraj
 
NETWORK SECURITY-SET.pptx
byDr.Florence Dayana
 
Secure Electronic Transaction
byUnited International University
 
Ecomm05.1.pptx(This is about e-commerce)
byabdulbaseerk135
 
SSL TSL;& SET
byRamesh Ogania
 
Electronic transaction final
byShikhaLohchab1
 
SET.ppt
bywitscollege
 
SET.ppt
byaldi219529
 
SET.ppt
bySiddharthRawat58
 
Payment card security By Hitesh Asnani SVIT
byhiteshasnani94
 
E transaction
byZeeshan Ahmed
 
SET (1).ppt
bychandrakaren21
 
Improving System Security and User Privacy in Secure Electronic Transaction (...
byIJERA Editor
 
Design and Implementation of Electronic Payment Gateway for Secure Online Pay...
byijtsrd
 
Secure enhancement transaction presentation
byBobby Pra A
 
Unit -- 5.ppt
byDHANABALSUBRAMANIAN
 
Secnet
bySuman Madan
 
IS Unit 9_Web Security
bySarthak Patel
 
E Payment
byAnkit Saxena
 

Recently uploaded

DOCX
Best Platforms to Buy Verified Cash App Accounts 4k Limit (Standard_BTC Enabl...
byOnline Business
 
DOCX
Buy Wise Accounts SSN Added Account.docx
by#Marketer usaallhub.com
 
DOCX
5 Best Places to Buy Snapchat Accounts Online .docx
byusatrust acc
 
PPTX
Art of Global Negotiations- Global Commons
byhritikamishra2k
 
PDF
Buy Verified PayPal Account Legit In the USA.pdf
by#Marketer usaallhub.com
 
DOCX
Is the Verified Stripe account the best account in the world_.docx
bymarketing
 
PDF
7 Trading Themes for 2026 - Special report for Deriv traders by veteran trade...
byVince Stanzione
 
PDF
Best top.,,,, 11 site PayPal Account.pdf
bymarketing
 
DOCX
5 Best Platforms to Buy Verified Binance Accounts Old & New in the US.docx
byBuy Old Gmail Accounts – Verified & Secure
 
PPTX
Poverty-and-Inequality-Understanding-the-Global-Challenge.pptx
byarooshg13
 
PDF
Beginner Trading Mistakes A Value-Based Perspective.pdf
byCelineAngel1
 
DOCX
How to Set Up a Legitimate Zelle Account with a U.S. Bank.docx
bymarketing
 
DOCX
CNCPW Market Report: Silk Road Bitcoin Transfers and Liquidity Analysis
byCNCPW Sobrenome
 
DOCX
The Dual-Layer Strategy: YWWSDC Insights on Digital Asset Adoption
byYWWSDC YWWSDC
 
PDF
The Best Method To Swap Sidra Token (ST) to Sidra Digital Asset (SDA)
byTRADERS / CRYPTO SPACE 💱
 
PDF
Lion One Presentation November 2025 updated
byAdnet Communications
 
PDF
Measuring Inflation | Basic Economics - UOK
bySyed Muhammad Danish Ali Abidi
 
DOCX
Best Platforms to Buy Verified Wise Accounts in the US.docx
by#SEO, #usaallhub, #socialmedia, #USAaccounts, #seoservice, #Digitalmarketer
 
DOCX
Buy Verified PayPal Accounts 100% Working - Digital Payment Accounts.docx
by#Marketer usaallhub.com
 
DOCX
How To Buy Old Facebook Accounts In The USA - Family A new of it_.docx
byusatrust acc
 
Best Platforms to Buy Verified Cash App Accounts 4k Limit (Standard_BTC Enabl...
byOnline Business
 
Buy Wise Accounts SSN Added Account.docx
by#Marketer usaallhub.com
 
5 Best Places to Buy Snapchat Accounts Online .docx
byusatrust acc
 
Art of Global Negotiations- Global Commons
byhritikamishra2k
 
Buy Verified PayPal Account Legit In the USA.pdf
by#Marketer usaallhub.com
 
Is the Verified Stripe account the best account in the world_.docx
bymarketing
 
7 Trading Themes for 2026 - Special report for Deriv traders by veteran trade...
byVince Stanzione
 
Best top.,,,, 11 site PayPal Account.pdf
bymarketing
 
5 Best Platforms to Buy Verified Binance Accounts Old & New in the US.docx
byBuy Old Gmail Accounts – Verified & Secure
 
Poverty-and-Inequality-Understanding-the-Global-Challenge.pptx
byarooshg13
 
Beginner Trading Mistakes A Value-Based Perspective.pdf
byCelineAngel1
 
How to Set Up a Legitimate Zelle Account with a U.S. Bank.docx
bymarketing
 
CNCPW Market Report: Silk Road Bitcoin Transfers and Liquidity Analysis
byCNCPW Sobrenome
 
The Dual-Layer Strategy: YWWSDC Insights on Digital Asset Adoption
byYWWSDC YWWSDC
 
The Best Method To Swap Sidra Token (ST) to Sidra Digital Asset (SDA)
byTRADERS / CRYPTO SPACE 💱
 
Lion One Presentation November 2025 updated
byAdnet Communications
 
Measuring Inflation | Basic Economics - UOK
bySyed Muhammad Danish Ali Abidi
 
Best Platforms to Buy Verified Wise Accounts in the US.docx
by#SEO, #usaallhub, #socialmedia, #USAaccounts, #seoservice, #Digitalmarketer
 
Buy Verified PayPal Accounts 100% Working - Digital Payment Accounts.docx
by#Marketer usaallhub.com
 
How To Buy Old Facebook Accounts In The USA - Family A new of it_.docx
byusatrust acc
 

secure electronics transaction

  • 1.
  • 2.
    What Is SET? •SET is an open encryption and security specification designed to protect credit card transactions on the Internet. • SET is not itself a payment system. Rather it is a set of security protocols and formats that enables users to use the credit card payment infrastructure on an open network, such as the Internet, in a secure fashion. • It was first used in February 1996 and was proposed by Visa and Master Card. A wide range of companies were involved in developing the initial specification, including IBM, Microsoft, Netscape, RSA, Terisa, and Verisign
  • 3.
    Key Features ofSET • Confidentiality of information. • Integrity of Data. • Cardholder account authentication. • Merchant authentication.
  • 4.
    Confidentiality of Information • Acredit card holder’s personal and payment information is secured as it travels across the network. • An interesting feature of SET is that the merchant never sees the credit card number. •This is only provided to the issuing bank. Conventional encryption using DES is used to provide confidentiality.
  • 5.
    Integrity of Data •Payment information sent from cardholders to merchants include i. personal information, ii. payment instructions. iii. order information. • SET guarantees that these message contents are not altered in transit. Using SHA-1 hash codes, data integrity provided.
  • 6.
    Cardholder Account Authentication • SETenables merchants to verify that a cardholder is legitimate user of a valid card account number. • SET uses X.509v3 digital certificates with RSA signatures for this purpose.
  • 7.
    Merchant Authentication • SETenables cardholders to verify that a merchant has a relationship with a financial institution which allow it to accept payment cards. • SET uses X.509v3 digital certificates with RSA signatures for this purpose.
  • 8.
    SET Components andParticipants
  • 9.
    SET Participants • Cardholder •Merchant • Issuer • Acquirer • Payment Gateway • Certification Authority
  • 10.
    Cardholder & Merchant Cardholder ◦This is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. Merchant ◦ This is a person or organization who has things to sell to the cardholder. Ex.flipcart,ebay.
  • 11.
    Issuer & Acquirer Issuer ◦This is a financial institution such as a bank that provides the card holder with the payment card. Ex: mastercard,visa card. Acquirer ◦ This is a financial institution that establishes an account with the merchant and processes credit card authorizations and payments. ◦ The acquirer provides authorization to the merchant that a given card account is active. ◦ The Acquirer also provides electronic payments transfers to the merchant’s account.
  • 12.
    Payment Gateway • Thisis a function that can be undertaken by the acquirer that processes merchant payment messages. • The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions.
  • 13.
    Certification Authority(CA) • Thisis an entity that is entrusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.
  • 14.
  • 15.
    Events required fora Successful SET Transaction The customer opens an account with a card issuer. ◦MasterCard, Visa, etc. The customer receives a X.509 V3 certificate signed by a bank. ◦X.509 V3 A merchant who accepts a certain brand of card must possess two X.509 V3 certificates. ◦One for signing & one for key exchange The customer places an order for a product or service with a merchant’s website. The merchant sends a copy of its certificate for verification.
  • 16.
    Events required fora Successful SET Transaction Cont’d The customer sends order and payment information to the merchant. The merchant requests payment authorization from the payment gateway prior to shipment. The merchant confirms order to the customer. The merchant provides the goods or service to the customer. The merchant requests payment from the payment gateway.
  • 17.
    SET’s Dual Signature Thepurpose of the dual signature is to link two messages that are going to different recipients. ◦ Order Information (OI): Customer to Merchant ◦ Payment Information (PI): Customer to Bank The customer needs to send OI and PI to merchant and bank respectively. The merchant does not need to know the customers credit card number. The bank does not need to know what the customer is buying. however the two items must be linked in a way that can be used to resolve disputes if necessary.
  • 18.
    Dual Signature The operationfor dual signature is as follows: Take the hash (SHA-1) of the payment and order information. These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed. Customer encrypts the final hash with a private key creating the dual signature. DS = EKRC [ H(H(PI) || H(OI)) ]
  • 19.
    DS Verification byMerchant • The merchant has the public key of the customer obtained from the customer’s certificate. • Now, the merchant can compute two values: H(PIMD || H(OI)) DKUC[DS] • Should be equal!
  • 20.
    DS Verification byBank • The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, then the bank can compute the following: H(H(PI) || OIMD) DKUC [ DS ]
  • 21.
    purchase request exchangeconsists of four messages: 1. Initiate Request 2. Initiate Response 3. Purchase Request 4. Purchase Response Purchase Request
  • 22.
    Initiate Request Basic Requirements: ◦Cardholder Must Have Copy of Certificates for Merchant and Payment Gateway Customer Requests the Certificates in the Initiate Request Message to Merchant ◦ Brand of Credit Card ◦ ID Assigned to this Request/response pair by customer. ◦ nonce(timestamp) used to ensure timeliness.
  • 23.
    Initiate Response Merchant Generatesa Response • Signs with Private Signature Key. • Transaction ID for Purchase Transaction • Merchant’s Signature Certificate • Payment Gateway’s Key Exchange Certificate • the nonce from the customer • another nonce for the customer to return in the next message
  • 24.
    Purchase Request Cardholder VerifiesTwo Certificates(merchant and gateway) Using Their CAs and Creates the OI and PI. First SET Message Includes: ◦Purchase-related Information ◦Order-related Information ◦Cardholder Certificate
  • 25.
  • 26.
  • 27.
    Purchase Response Message Message thatAcknowledges the Order and References Corresponding Transaction Number Response Block is ◦Signed by Merchant Using its Private Key ◦Block and Signature Are Sent to Customer Along with Merchant’s Signature Certificate Upon Reception ◦Verifies Merchant Certificate ◦Verifies Signature on Response Block ◦Takes the Appropriate Action
  • 28.
    Payment Process The paymentprocess is broken down into two steps: ◦Payment authorization ◦Payment capture
  • 29.
    Payment Authorization The merchantsends an authorization request message to the payment gateway consisting of the following: Purchase-related information ◦PI ◦Dual signature calculated over the PI & OI and signed with customer’s private key. ◦The OI message digest (OIMD) ◦The digital envelop
  • 30.
    Continue.. ◦Authorization-related information An authorizationblock including: ◦A transaction ID ◦Signed with merchant’s private key ◦Encrypted one-time session key ◦Certificates ◦Cardholder’s signature key certificate ◦Merchant’s signature key certificate ◦Merchant’s key exchange certificate
  • 31.
    Payment Gateway Authorization • verifiesall certificates • decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block • verifies merchant's signature on authorization block • decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block • verifies dual signature on payment block • verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer • requests & receives an authorization from issuer • sends authorization response back to merchant
  • 32.
    Authorization Response Authorization ResponseMessage ◦Authorization-related Information ◦Capture Token Information ◦Certificate

Editor's Notes

  • #9 Stallings Fig 17-8.
  • #19 The customer takes the hash (using SHA-1) of the PI and the hash of the OI, concatenates them, and hashes the result. Finally,the customer encrypts the final hash with his or her private signature key, creating the dual signature. This can be summarized as: DS=E(PRc, [H(H(PI)||H(OI))])
  • #26 Stallings Figure 17.10 shows the details of the contents of the Purchase Request message generated b y the customer. The message includes the following: Purchase-related information, which will be forwarded to the payment gateway by the merchant and consists of: PI, dual signature, & OI message digest (OIMD). 2. Order-related information, needed by the merchant and consists of: OI, dual signature, PI message digest (PIMD). 3. Cardholder certificate. This contains the cardholder’s public signature key.
  • #27 The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number. This block is signed by the merchant using its private signature key.The block and its signature are sent to the customer, along with the merchant’s signature certificate.
  • #32 During the processing of an order from a cardholder, the merchant authorizes the transaction with the payment gateway (step 3 in merchants list previously). The payment authorization ensures that the transaction was approved by the issuer, guarantees the merchant will receive payment, so merchant can provide services or goods to customer. The payment authorization exchange consists of two messages: Authorization Request and Authorization response. The payment gateway performs the tasks shown on receiving the Authorization Request message.