The growth of the internet has led to the rise of many online businesses that use it as a platform for cheap and efficient transactions. The major impediment to this boom has been the security threats posed by the hacking community, which leave many businesses and users wary of transacting freely online. In response, two reputable companies, Visa and MasterCard, have moved to tighten security in a bid to improve eCommerce transactions. The two companies teamed up to create a common payment standard known as Secure Electronic Transaction (SET), aimed at tightening the security of credit card transactions over the internet. In this article, we dissect the aspects that are inherent to this electronic payment standard.
Overview of SET
SET was developed with the involvement of a number of companies, including Microsoft and Netscape, but MasterCard and Visa are the ones known to have widely adopted the technique. In this system, a user is assigned a digital certificate, and online transactions are carried out through a blend of digital certificates and digital signatures.
What are the Objectives of SET?
Before taking a further step, let us take a look at some of the main objectives behind the development of this standard. After all, there was a reason behind the move by these smart card and tech powerhouses to combine efforts and develop SET. The following are the major objectives of the SET standard.
- To provide optimal confidentiality of payment information and all other information submitted during a transaction.
- To deliver state-of-the-art integrity features in data communication.
- To provide seamless and efficient authentication procedures that ensure a cardholder is legitimately using a given card.
- To provide authentication to allow a merchant to accept the right card.
- To facilitate interoperability among network and software providers.
- To encourage system design features and security practices aimed at protecting all the parties involved in a transaction.
- To create a protocol that is independent of the transport mechanism used, while also allowing that mechanism to be used with ease.
The principles dictated in these objectives aim to protect the information on a given card, to protect information in transit over a given communication medium, and at the same time to allow the merchant and the user to be identified without much hassle.
Cryptographic Techniques used in the SET
If you are new to computer security, cryptography is simply the science of the methods used to protect data in communication systems. Cryptography relies on advanced mathematical principles to encipher data, making it very tough for eavesdroppers to reverse the process. In the case of SET, a technique known as public key cryptography is used, unlike traditional debit cards, which use secret-key cryptography. So, what is the difference?
In secret-key cryptography, the information is encrypted with a single secret key, and the receiver needs to use the same key to decrypt it. The main security concern with this form of technology is that there are widespread hardware and software implementations capable of deciphering content encrypted with this form of ciphering.
Public key cryptography, on the other hand, is an asymmetric technique that uses two keys: one for encryption and the other for decryption. The key used to encipher content is known as the public key, while the other is known as the private key, and the two keys are mathematically related. The strength of this technique is that it is based on very hard mathematical problems, such as discrete logarithms, elliptic curves, and large integer factorization, making it very hard for hackers to break. It is thus safe to say that the public key can be sent over a network: hackers may get hold of that key, but they will usually find it very difficult to determine the corresponding private key.
Mechanisms of SET
To understand SET better, let us take a peek at the mechanics involved in a transaction in an eCommerce scenario. The first thing is to ensure that, before communication, the authenticity of the parties wishing to communicate has been verified. How is this done? SET uses trusted third parties to ensure that the public keys being sent are authentic rather than coming from parties wishing to circumvent the system. The third party, which may be MasterCard, creates a digital document containing details including its checksum plus the public key, and then signs it.
A computation over the message characters is used to generate a checksum (a message digest). If any of the message characters are changed, the checksum will no longer match; this is how message integrity is ensured. The checksum is encrypted with the sender's private key, and the result is the sender's digital signature. The receiver uses the sender's public key to recover the checksum.
The message being sent is encrypted using an efficient symmetric algorithm, with the random symmetric key itself encrypted using the receiver's public key. This way, only the receiver can decrypt the symmetric key, since only it possesses the matching private key. After recovering the symmetric key, the receiver can decrypt the message and retrieve the digital signature, and then use the sender's public key to decrypt the digital signature and check it against the message.
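The envelope-and-signature exchange described above, as an added Go example (this is not code from the original article or from the SET specification; AES-256-GCM, RSA-OAEP and RSA PKCS#1 v1.5 signatures are this example's assumed algorithm choices, and the sample order string in the accompanying test is constructed):

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope: message under a one-time symmetric key, that key wrapped for the
// receiver, and a signature over the message digest (the text's "checksum").
type Envelope struct{ Ciphertext, Nonce, WrappedKey, Signature []byte }
// Seal (sender): hash and sign, encrypt with a fresh AES-256-GCM key, wrap key.
func Seal(msg []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // both from crypto/rand
	rand.Read(nonce)
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key cannot make these two fail
	gcm, _ := cipher.NewGCM(block)
	return &Envelope{gcm.Seal(nil, nonce, msg, nil), nonce, wrapped, sig}, nil
}

// Open (receiver): unwrap with own private key, decrypt, verify with sender's public key.
func Open(env *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, err // envelope was not wrapped for this receiver
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // ciphertext or tag was modified in transit
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, err // rsa.ErrVerification: not signed by the claimed sender
	}
	return msg, nil
}
```

A wrong receiver key, a signature from a different sender, and a modified ciphertext each cause Open to return an error rather than a message.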
How does SET work?
For SET to work in a transaction, a given merchant is issued a digital certificate by a given bank. A customer is also issued a digital certificate containing a public key from the same bank. When a user makes a transaction on a given web page, the browser compares the two certificates to ensure they match. The merchant then verifies the customer by checking the digital signature on the certificate. This can be achieved by referring the certificate to a third-party verifier or a bank. In the next step, the merchant sends the order information along with the public key to the bank. The bank then verifies the merchant and the message, digitally signs it, and authorizes the merchant to fill the order.
Best practices to fraud-proof electronic payments
Let us now turn our attention to the methods that can be used to fraud-proof electronic payments. There are a number of things that companies can do to achieve this:
- Vendor on-boarding:
One of the best practices is vendor on-boarding. This is particularly important when establishing a relationship with a new vendor. It involves things like getting rid of duplicate vendor master entries and limiting the ability to edit those entries, among others. Vendor identities should be checked against the required compliance rules and laws, such as those on anti-terrorism, money laundering, and narcotics trafficking.
- Shared Device Reputation:
This involves sharing relevant information about fraudsters within a given industry. It reduces the chances of first-time attacks as well as boosting Return on Investment (ROI).
- Proxy Identification:
Malicious persons normally use proxies to execute attacks, so it is important to keep an eye on them. Merchants are encouraged to maintain a database of the proxies that users use to hide their IP addresses.
Geolocation is a particularly good way to determine the global location of a user. By using such tools, a merchant is able to check the IP address of the user against that location.
Encryption is a core practice for e-payments, since it is wise to check whether e-payment information is safe from hackers. E-payment information should be encrypted so that others cannot read it. Encryption helps to secure vendor information or other sensitive information in transit. It is also recommended to add a security layer on top of the traditional user-login layer. This can be done using Multi-Factor Authentication (MFA). The goal of MFA is to build a layered defense that makes it difficult for an unlawful individual to obtain significant data or make payments.
- Customer Validation:
This entails using public and private sources to validate customer information. A merchant can check the billing address against a third-party issuer to validate a customer. Customer validation can also be established through identity validation, that is, validating the user based on the information they provided. In high-risk card-not-present (CNP) transactions, knowledge-based authentication is recommended. Other very effective fraud-proofing practices include biometric identification, 3D Secure, mobile secure location verification, email verification, and social media validation.
There are many other practices, but the basis of all of them is to facilitate safe transactions in eCommerce and at other electronic payment terminals. The best practices described in this article will help you to choose a secure solution and set up risk-reducing procedures. Attacks are expected to change in the future, but for now, implementing SET and fraud-proof practices is the safest route for businesses.