The Working of SET

SET uses the term Payment Gateway to describe the vendor providing payment services. As we have seen in third-party processing, Payment Gateways act as a link between the merchant, the consumer and other institutions such as banks. The SET protocol is invoked after the cardholder has finished browsing, selecting and ordering. Before the SET transaction begins, the cardholder will have approved the completed order form. The cardholder will also have selected a payment card.

1. The cardholder's software sends a message to the merchant, indicating the credit card to be used and requesting a copy of the certified public key for the payment gateway.

2. When the merchant's software receives the request, it assigns a unique transaction identifier to the message. It then transmits to the cardholder the identifier with the merchant's certified public key and the certified public key for the payment gateway.

3. The cardholder software verifies the merchant and gateway certificates and holds them to use during the ordering process. The cardholder software creates the order information (OI) and payment instruction (PI). The software places the transaction identifier assigned by the merchant in the OI and the PI; this identifier will be used by the payment gateway to link the OI and the PI when the merchant requests payment authorization.

4. The cardholder software generates a digital signature for the OI and the PI. The software then encrypts the digitally signed PI and the cardholder's account number using the payment gateway's certified public key. Finally, the software transmits a message to the merchant consisting of the signed and encrypted OI and PI.

5. The merchant's software receives the order and verifies the digital certificate on the cardholder's public key. Next, it uses that public key to check the digital signature on the OI to ensure that the order really came from the cardholder and the message has not been changed in transit (the merchant would not be able to decrypt the PI because it was encrypted using the payment gateway's public key).

6. The merchant software then begins processing the order, including requesting payment authorization (see step 9 below).

7. After the OI has been processed, the merchant software generates and digitally signs a purchase response message (which includes the merchant's certified public key). The response then is transmitted to the cardholder to indicate that the cardholder's order has been received and processed by a merchant.

8. When the cardholder software receives the purchase response message from the merchant, it verifies the digital certificate and uses that key to check the merchant's digital signature. It then uses that message to display a confirmation message to the cardholder or to update the status of the order.

9. During the processing of an order form from a cardholder, the merchant software generates and digitally signs a payment authorization request, which includes the amount to be authorized, the transaction identifier from the OI, and other information about the transaction. The request then is encrypted using the public key of the payment gateway. The merchant's payment authorization request and the cardholder's encrypted PI are transmitted to the payment gateway.

10. When the payment gateway receives the authorization request, it decrypts the merchant's authorization request using its private key. It then verifies the digital certificate on the merchant's public key and confirms that the certificate has not expired.

11. The payment gateway decrypts the cardholder's PI (which has been sent by the merchant along with its authorization request). It then verifies the digital certificate on the cardholder's public key and confirms that the certificate has not expired. Next it uses that public key to check the cardholder's digital signature on the PI, thus ensuring that the PI was signed by the cardholder and has not been tampered with in transit.

12. The payment gateway verifies that the transaction identifier received from the merchant matches the one in the cardholder's PI. The payment gateway then formats and sends an authorization request to the card-issuing bank via a non-Internet-based payment system.

13. The issuer then processes the authorization request and sends a response back to the gateway via the secure payment system.

14. On receiving an authorization response, the payment gateway generates and digitally signs an authorization response message, which includes the issuer's response and a copy of its own certified public key. The response is encrypted using the merchant's public key and transmitted to the merchant.

15. When the merchant software receives the authorization response message from the payment gateway, it decrypts it using its own private key. It then verifies the digital certificate on the payment gateway's public key and uses that public key to check the payment gateway's digital signature on the authorization response message. The merchant software stores the authorization response for use when requesting the payment (through a capture request) after the order has been completely filled.

16. The merchant then completes processing of the cardholder's order by shipping the required goods or performing the services.

17. After fulfilling the order, the merchant requests payment. (Delays in completing the order may result in a significant time lapse between the message requesting authorization and the message requesting payment.)

18. To request payment, the merchant software generates and digitally signs a capture request, which includes the final amount of the transaction, the transaction identifier from the OI, and other information about the transaction. The request then is encrypted using the public key of the payment gateway and transmitted to the payment gateway.

19. When the payment gateway receives the capture request, it decrypts the request using its own private key. It then uses the merchant's public key to verify the digital signature on the capture request. It matches the merchant's capture request to the previously processed authorization request and creates a clearing request, which it sends to the issuer via a secure payment network.

20. The payment gateway then generates and digitally signs a capture response message which includes a copy of its own certified public key. The response is then encrypted using the merchant's own public key and transmitted to the merchant. This acknowledges to the merchant that the capture request has been received and processed by the payment gateway.

21. When the merchant software receives the capture response message from the payment gateway, it decrypts it using its own private key. It then verifies the digital certificate on the payment gateway's public key to check the payment gateway's digital signature. The merchant software then stores the capture response for later reconciliation of capture requests submitted to payments received.
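
The ordering and authorization checks in steps 3 to 5 and 11 to 12, as an added Python sketch that is not code from the original page or from the SET specification. It substitutes toy unpadded RSA over fixed Mersenne primes for real certified keys, and the function names, message fields and key objects are assumptions; certificate validation and the merchant's own signature on the authorization request are left out.

```python
# Added illustration of SET steps 3-5 and 11-12. Toy textbook RSA from fixed
# Mersenne primes, no padding: it shows the message flow, NOT secure crypto.
import hashlib
import json
E = 65537  # public exponent shared by every toy key

def keygen(a, b):
    p, q = 2**a - 1, 2**b - 1  # constructed demo primes 2^a-1 and 2^b-1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(obj, n):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(obj, key):
    return pow(digest(obj, key["n"]), key["d"], key["n"])

def verify(obj, sig, n):
    return pow(sig, E, n) == digest(obj, n)

def encrypt(obj, n):
    m = int.from_bytes(json.dumps(obj).encode(), "big")
    assert m < n, "message too long for the toy key"
    return pow(m, E, n)

def decrypt(c, key):
    m = pow(c, key["d"], key["n"])
    return json.loads(m.to_bytes((m.bit_length() + 7) // 8, "big"))

CARDHOLDER, GATEWAY = keygen(127, 521), keygen(1279, 2203)  # hypothetical keys

def cardholder_order(txn_id, items, account):
    """Steps 3-4: put the merchant's identifier in OI and PI, sign, seal PI."""
    oi = {"txn": txn_id, "items": items}
    pi = {"txn": txn_id, "account": account}
    sealed = encrypt({"pi": pi, "sig": sign(pi, CARDHOLDER)}, GATEWAY["n"])
    return {"oi": oi, "oi_sig": sign(oi, CARDHOLDER), "sealed_pi": sealed}

def merchant_check(order):
    """Step 5: verify the OI signature; the sealed PI stays opaque here."""
    return verify(order["oi"], order["oi_sig"], CARDHOLDER["n"])

def gateway_authorize(auth_txn, sealed_pi):
    """Steps 11-12: decrypt PI, check its signature, link it by identifier."""
    inner = decrypt(sealed_pi, GATEWAY)
    if not verify(inner["pi"], inner["sig"], CARDHOLDER["n"]):
        return "reject: bad PI signature"
    if inner["pi"]["txn"] != auth_txn:
        return "reject: transaction identifier mismatch"
    return "forward to issuer"
```

Passing `gateway_authorize` an identifier other than the one inside the sealed PI returns the mismatch rejection, which is the linkage check of step 12.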




Copyright (C) 2007. Web Domain design hosting. All rights reserved.