SET Protocol: What Is It and How Does It Work?

Secure electronic transaction (SET) protocol is a security tool used on eCommerce platforms to safeguard electronic payment data through a specific network. As you’re probably aware, “eCommerce” refers to the buying and selling of goods and services on the internet. When implemented, the SET protocol ensures a private, secure online transaction environment for everyone involved. Now, the obvious question: How? We explain exactly that below!

What Is the Secure Electronic Transaction (SET) Protocol?

Secure electronic transaction (SET) protocol utilizes different hashing and data encryption techniques to secure electronic credit and debit card payments over the internet. Supported early on by major credit card networks like Visa and Mastercard, the SET protocol was developed to protect consumers’ card details and financial information from hackers. It was also created to help merchants verify customers’ card information without seeing it, as all online sales are card-not-present (CNP) transactions.

How Does the SET Protocol Work?

The SET protocol uses digital certificates to provide electronic access to funds from a bank account or a credit line. Each time a purchase is made electronically, an encrypted digital certificate is generated for the merchant, financial institution, or customer. This certificate comes with matching digital keys to verify the transaction and confirm each certificate. Because SET algorithms ensure only participants with the corresponding digital key can confirm the specific transaction, customers’ card details remain secure from malicious actors online.

The History of Secure Electronic Transactions

In 1996, Mastercard and Visa—along with Microsoft, Netscape, and IBM—developed the SET protocol in response to widespread security issues raised by the use of credit and debit cards via eCommerce.

The first version of secure electronic transactions was released in early 1997. Later that year, major credit card companies and eCommerce networks established SET Secure Electronic Transaction LLC. This new company was meant to implement, test, and maintain the SET protocol, as well as increase the adoption of the SET standard globally.

Following its long-anticipated launch, the SET protocol proved disappointing—so much so that competitors, such as the Secure Sockets Layer (SSL) encryption scheme, took over. The SET protocol was viewed as inflexible and difficult to implement compared to other security protocols, even though it was the most secure technology for safeguarding online payments.

In the 2000s, amid reports of widespread credit card fraud and abuse, interest in the SET protocol returned. Major credit card companies once again integrated the protocol into their payment processing systems. During this new resurgence, the SET protocol aimed to remove the prior inconveniences and enhance the overall security features.

SET Security Architecture

The SET protocol was designed to fill the gaps left by SSL and Transport Layer Security (TLS) in regard to securing sensitive consumer data. To do this, SET uses 56-bit session keys, transmitted asymmetrically, together with symmetric Data Encryption Standard (DES) encryption and Public Key Infrastructure (PKI) for key management.

SET Digital Certificates

By manipulating transactional information, digital certificates authenticate the customer’s and the merchant’s identities to reduce the risk of fraud. Generally, the Certificate Authority (CA) assigns digital certificates to the card issuer or other associated financial institution, so both the acquirer and the issuer are involved in implementing digital certificates.

SET Dual Signatures

SET uses digital signatures to achieve card authentication. Each time a customer initiates a transaction electronically, an encrypted digital signature is generated for the merchant, customer, and associated financial institutions.

The SET protocol encrypts a customer’s payment and order information with separate public keys. The system encrypts a customer’s payment information with the acquiring bank’s public keys, while the customer’s order information is encrypted with the merchant’s.
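The dual-signature construction from the SET specification, as an added example (not code from this article): the cardholder signs one digest that links the payment information (PI) and the order information (OI), so the merchant and the payment gateway can each verify that link while seeing only a digest of the other half. SHA-256, the toy RSA key, the sample data, and all function names are assumptions made for this sketch, and the public-key encryption of PI and OI described above is left out.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes. Constructed for this
# example only: far too small and unpadded for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # cardholder's private exponent


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pomd(pimd: bytes, oimd: bytes) -> int:
    """Payment-order digest H(PIMD || OIMD), reduced to fit the toy modulus."""
    return int.from_bytes(digest(pimd + oimd), "big") % N


def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: sign the digest that binds PI and OI together."""
    return pow(pomd(digest(pi), digest(oi)), D, N)


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI in the clear and only the digest of PI."""
    return pow(ds, E, N) == pomd(pimd, digest(oi))


def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI in the clear and only the digest of OI."""
    return pow(ds, E, N) == pomd(digest(pi), oimd)


# Constructed sample data (test card number, made-up order).
PI = b"card=4111111111111111;exp=12/30;amount=49.90"
OI = b"order=1001;item=blue kettle;amount=49.90"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, digest(PI), DS))
    print("gateway accepts: ", gateway_verify(PI, digest(OI), DS))
    # An order altered after signing no longer matches the signed link.
    tampered = OI.replace(b"49.90", b"4.99")
    print("tampered order:  ", merchant_verify(tampered, digest(PI), DS))
```

The merchant never needs the card number and the gateway never needs the order contents, yet neither can swap in a different PI or OI without the signature check failing.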

SET Digital Wallet

When a password is entered that activates a customer’s digital wallet, SET issues self-authentication, which takes place before the payment. After self-authentication, the customer’s device—mobile phone, tablet, or computer—sends the purchase and payment details to the merchant. After the cardholder is authenticated and the merchant is notified, the issuer communicates payment authorization to the acquirer.

SET Business Requirements

To process debit and credit cards over the internet and other networks, the SET protocol lists the following requirements businesses must provide:

  1. Privacy of Customer Payment and Order Information: Confidentiality reduces the risk of fraud by malicious third parties. SET uses encryption and highly secure algorithms to provide a layer of privacy.
  2. Integrity of All Customer Data: SET ensures digital signatures are not changed by merchants during transmission.
  3. Cardholder Authentication: This ensures the person using the card is the actual cardholder. SET links the cardholder to the account number to reduce credit card fraud and the cost of payment processing. 
  4. Merchant Authentication: This measure confirms the merchant can accept and process credit card transactions via a bank or another financial institution.
  5. Security Best Practices: Finally, this ensures systems are well-tested and highly secure to protect all parties associated with the transaction.

Secure Electronic Transaction Participants

The SET protocol takes into consideration many participants, including:

  • Consumer or Cardholder: The person authorized to use a specific debit or credit card.
  • eCommerce Merchant: The operator of the eCommerce business.
  • Issuer: The financial institution that issues the debit or credit card.
  • Acquirer: The financial institution that processes the payment and transfers the funds to the merchant account.
  • Payment Gateway: A sophisticated interface that connects secured electronic transactions to card payment networks.
  • Certificate Authority: An entrusted organization that provides public key digital certificates.

Secure Electronic Transaction (SET) Protocol Features

To meet the requirements for secure electronic transactions, the SET protocol maintains several key features:

  • Cardholder Confidentiality: Sensitive financial information is secured while it travels across the network. SET does not share cardholder account numbers with the merchant; it only provides them to the issuing bank.
  • Data Integrity: SET mandates all order information, payment instructions, and cardholder data remain unaltered in transit.
  • Account Verification: SET reassures the merchant by verifying the cardholder is the legitimate user of the card.
  • Merchant Verification: SET permits the cardholder to verify that the merchant has a relationship(s) with the financial institution(s) accepting cards.

What Are the Benefits of SET Protocol?

In 2021, online retail sales totaled 4.9 trillion (in U.S. dollars) worldwide. That number is set to grow by over 50% within the next four years.[1] With this anticipated increase in online sales, keeping customers’ account information safe is of the utmost importance. Fraud, data breaches, and hacked accounts have had far-reaching fiscal and reputational impacts on financial institutions and businesses. However, implementing the SET protocol can significantly help to alleviate these issues.

Originally launched as the standard for securing credit card transactions over networks, the SET protocol utilizes various encryption and algorithm systems to secure payments. With SET, users are issued a digital certificate when a transaction is made. It is then verified using a combination of digital signatures and certificates among all parties—merchant, cardholder, and associated financial parties—ensuring complete privacy and confidentiality.

Are There Any Drawbacks to the SET Protocol?

When SET was first introduced, it was expected to be primarily embraced by Mastercard and Visa, as their main facilitator in global eCommerce. However, the SET protocol presented a list of shortcomings. Although SET’s security properties and its ability to prevent eCommerce fraud are superior to TLS and SSL, its complexity slows down the processing time of transactions. Specifically, the requirement that both customers and merchants must receive digital certificates results in more tasks needed to complete each transaction.

This specific drawback has delayed the broad acceptance of the SET protocol. Compatibility among SET products is also a major issue, which has only been amplified by the vulnerability of PKI and the poor usability of the protocol.

Closing Remarks

To make a long, very technical story short: The SET protocol is an electronic security system aimed at protecting eCommerce transactions. Due to the uptick in credit card fraud as of late, interest in this protocol has become increasingly prevalent. Although fraud seemingly poses the most risk to customers, it is also risky for merchants—resulting in the loss of time, money, brand reputation, and—perhaps most important—consumer trust. Since online shopping has become more popular, protecting your business from its potential associated risks is especially important. But not to worry—our advanced online payment gateway options can start protecting your business today!

Article Sources

  1. Statista. “Retail e-commerce sales worldwide from 2014 to 2026.” Accessed December 28, 2022.

