Gire la jeringa 1/4 de vuelta hacia la derecha hasta que

Authenticates all parties involved in the transaction using digital certificates
Provides confidentiality at all stages of the transaction

Ensures integrity of the data

The protocol also prescribes how payment data should be handled so that, for example, merchants never see a consumer’s credit card details.

4.1.1 The key entities in an e-commerce transaction

In any electronic payment transaction buyers use their credit cards to buy goods from merchants, who in turn supply goods to the buyers in return for a payment promise.

The usual method of transferring the value across the Internet in today’s

e-commerce transactions is via credit or debit card. The merchant usually passes the buyer’s card details on to an acquirer organization. The acquirer provides the merchant with the capability of accepting and authorizing multiple credit card brands in return for a percentage fee on all transactions dealt with by the acquirer. This avoids the merchant having to deal directly with the credit card issuers. The processing of the financial transaction is then the acquirer’s responsibility. The financial transaction is then submitted to the card issuer for authorization, who uses validation rules to authorize or deny the payment. Figure 4-1 outlines the key players in an e-commerce payment transaction flow and also shows the use of certificates for authentication.

Figure 4-1 The players in an e-commerce SET payment transaction

Ultimately it is the financial institution (the card issuer) that is responsible for collecting the card holder’s debt. However certain credit card issuers are beginning to shift the liability from card issuer to acquirer for non-SET secure transactions.

So parties involved in an SET transaction are:

1. Credit card holders (who buy goods and services across the Internet) 2. Merchants (who sell goods and services)

3. Acquirers (who act as intermediaries between the merchants and card issuers

4. Card issuers (financial institutions that issue credit cards to consumers) With SET, all the above require a secure method of authentication. SET mandates that all parties (with the exception of the card issuer) use digital certificates in order to securely identify each party involved in a financial transaction.

IBM provides a solution for SET certificate issuing authorities (known as CAs) in the form of IBM Payment Registrysoftware. The high-level function of this software is to handle certification management, routing, decrypting and

encrypting as well as other validation activities. The certificate issuing authority is a critical component of the SET architecture.

Certificate Authority Payment Promise Payment Authorization Payment Network VISA MasterCard Diners Club etc.

Credit Card Bill Consumer

th is day of , 199 , by

CERTIFICATE

Type name here

CREDIT CARD

1234 5678 9012

1234 5678 9012

VALI D FROM G OOD THRU

XX/XX/XX XX/XX/XX PAUL FISCHER XX/XX/XX XX/XX/XX PAUL FISCHER Merchant thi s day of , 199 , by CERTIFICATE

Type name here

Card Issuer Acquirer th is day of , 199 , by CERTIFICATE Type na me here Transaction Fee

The Payment Registry is capable of handling all levels in the SET certificate hierarchy such as:

Root CA (private label)
Brand CA

Cardholder CA
Merchant CA
Acquirer CA

The mechanism it uses for certificate request is either manual or through a custom user exit, making the approval mechanism flexible. The AIX V4 Payment Registry software is also fully certified by Visa and MasterCard.

For more information on the IBM Payment Registry see:

http://ibm.com/software/webservers/commerce/paymentregistry/features.ht ml

4.1.2 Consumer certificates

Consumers request SET certificates from the SET issuing authority. On

successful validation of the consumer, the issuing authority responds with a valid and unique electronic certificate containing encryption and signature certificates. The challenge of where consumers keep their certificates is a subject of much debate. Today IBM provides a solution to this problem using a client-based consumer wallet. The IBM Consumer Wallet is a software product that is installed locally on a buyer’s computer. The electronic (software) wallet emulates the wallet shoppers use to carry credit cards. Details of credit card numbers, expiration dates and so on are kept in the electronic wallet along with the consumer’s own certificate, which is used to uniquely identify the consumer. The wallet is launched manually by the consumer or automatically via the merchant software when the consumer is ready to pay for the goods.

At the time of writing this book IBM is to withdraw the current client-based IBM Consumer Wallet software from marketing. A possible replacement product is a server-based wallet. This allows for portability of the wallet so that consumers are able to activate the credit card details when not using their regular

workstation. For more information on this product see:

4.1.3 Merchant certificates

The merchant uses a payment server to store certificates. The payment server accepts all e-commerce financial transactions directly from the consumer’s electronic wallet, stores and passes the financial information for the transaction directly on to the financial institutions for authorization. All transactions going through the payment server are logged for audit purposes. IBM’s solution for the payment server in this scenario is WebSphere Payment Manager using the Cassette for SET.

4.1.4 Acquirer certificates

Acquirers use the concept of a payment gateway in order to fulfill their role with the SET architecture. When the merchant requires authorization for a credit card payment, acquirer services are used to avoid the technical challenges brought about by the merchant dealing directly with various card issuers (for example each card issuer deals with various different protocols internally). The merchant requests authorization through the payment gateway and receives responses through the same route.

IBM’s solution for acquirers is the IBM Payment Gateway product. For more information on this product see:

http://ibm.com/software/webservers/commerce/payment/paymentgateway/featur es.html

Figure 4-2 outlines the various IBM products that support the SET protocol.

Figure 4-2 IBM products supporting the SET protocol IBM Consumer Wallet Commerce Suite Merchant Store Acquirer Software Credit Card Details IBM WebSphere Payment Manager SET Cassettes OTHERS Financial Payment Network IBM Payment Gateway Consumer Software Merchant Software