Secure Electronic Transaction (SET) Update

17 July 1998

A "How-To" Guide for Online Gaming Companies: How It Works and When It Will Be Available

Secure Electronic Transactions: Also known to electronic commerce industry insiders as simply SET. You've no doubt heard something about it by now. You may even think you know a little bit (maybe a lot) about it. It has been in development since early 1996 by both Visa and MasterCard, with significant participation from leading technology companies including Microsoft, IBM, Netscape, GTE, RSA and VeriSign.

And if you don't know about it yet, you will soon. SET is about to become an industry-wide, standard online transaction security protocol employing new technologies that call for both the online merchant and the would-be consumer to use digital certificates and electronic wallets to mutually verify each other's identities. SET also encrypts all online credit card transactions with advanced, airtight RSA Cryptography, a complicated and mathematically interrelated system of Private Key and Public Key pairings. When in place industry-wide, SET will provide the highest level of credit card transaction security for online merchants ever seen. After SET becomes the industry standard, past security measures like simple bank verification, negative database screening, Secure Socket Layers, Password Verifications, Address Lockouts, Hacker Alerts, Velocity Controls and Address Verification Systems will seem as primitive and limited as a rotary phone or a manual typewriter. So that's the general hype you may have already heard.

But right now, the more specific and immediate questions on the mind of anyone in the online gaming industry are probably "So how, exactly, does it work?" and "When will it be available to me?" Right?

First of all, how does it work?

SET uses a groundbreaking system of locks and keys along with certified account IDs for both consumers and merchants. Then, through a unique process of "encrypting" or scrambling the information exchanged between the shopper and the online store, SET ensures a payment process that is convenient, private and most of all secure. Two major new elements come into play to make SET so unique and so effective: digital certificates and digital signatures.

Digital Certificates

In many ways, digital certificates represent the heart of secure electronic transactions. They provide an easy and convenient way to ensure that the participants in an electronic transaction can trust each other. This trust is established through a common third party, usually a credit card company, that provides the digital certificates to the card-issuing financial institution, and the institution in turn provides a digital certificate to the cardholder. A similar process takes place for the merchant. These digital certificates ensure that two computers talking to each other can conduct legitimate electronic commerce.

The basis for this technology is secret codes. The procedure is simple. A message can be converted or encrypted into code using a "key", which is a means of translating the message's characters into other characters that make no sense to the uninvited interceptor. This is known as "encrypting" a message. A simple example of a key might be replacing each letter with the next letter in the alphabet. To decipher the message, or "decrypt" it, the recipient simply needs to know the key.

There are two main kinds of cryptography in common use today. The older and simpler one is called "secret key" or "private key" cryptography. Private key encryption is useful in many cases, although it has significant limitations. All parties must know and trust each other completely, and have in their possession a copy of the key - a copy that has been carefully protected from the eyes of others.

On its own, this kind of encryption isn't enough to realize the full potential of electronic commerce, which must bring together countless buyers and sellers from around the world. For one thing, it's impractical for an online merchant to exchange keys with thousands or even millions of customers - or, worse yet, potential customers they've never dealt with before.

The solution to the problem is a newer, more sophisticated form of codemaking first developed by mathematicians at MIT in the 1970s, known as "public key" cryptography. With this approach, each participant in an online transaction creates two unique keys - a "public key," which is published in a sort of directory available to all, and a "private key," which is kept secret from everyone. The two keys work together as an intriguing kind of matched set. Whatever data one of the keys "locks," only the other can unlock.

In addition, banks, merchants, and other participants in online electronic commerce will be able to tailor the "look and feel" and other vital features of the SET technology to meet their customers' particular needs. Underlying this software will be a layer of code that conforms to the new industry standard. This layer employs public key encryption to ensure that messages containing credit card numbers and other information are strictly confidential. And this code enables another revolution in secure cyberspace transactions - digital signatures.

Digital Signature

Think of this. In cyberspace, when you receive a message, how do you know that it was sent by your friend Dan rather than by a malicious criminal who's pretending to be Dan? And how do you, as a merchant, know that an order is coming from a legitimate credit card holder rather than some hacker out to defraud you out of a lot of money?

The public key system can address this problem in a simple and highly reassuring way. Let's say that a consumer is talking to you - in cyberspace, that is - and wants to prove to you that they are who they claim to be. The consumer simply locks a message with their private key. The merchant can then unlock the text with the public key taken from the consumer's digital certificate, which proves that the consumer was the only person who could have locked up the message in the first place.

This process creates what cryptographers call a "digital signature". A digital signature provides a way to associate the message with the sender, and is the online equivalent of "signing" for purchases.
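The certificate hierarchy and the signature check described above, as an added example that is not part of the original article or of any SET software: a merchant first validates the chain from the card brand through the issuing bank to the cardholder, then uses the cardholder's certified public key to check the signed order. It uses toy textbook RSA without padding on fixed, constructed primes; the function names, party names and sample order are assumptions made for the illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Return (public, private) textbook-RSA keys as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    # SHA-256 of the message, reduced so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)      # "lock" the digest with the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)   # "unlock" with the public key

def cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue(subject, public, issuer, issuer_private):
    """A certificate binds a name to a public key under the issuer's signature."""
    return {"subject": subject, "public": public, "issuer": issuer,
            "sig": sign(cert_body(subject, public), issuer_private)}

def verify_chain(chain, root_public):
    """chain runs from the certificate nearest the root down to the cardholder."""
    signer = root_public
    for cert in chain:
        if not verify(cert_body(cert["subject"], cert["public"]), cert["sig"], signer):
            return None                    # broken link: trust nothing below it
        signer = cert["public"]
    return signer                          # cardholder key, vouched for by the chain

def merchant_accepts(order, order_sig, chain, root_public):
    key = verify_chain(chain, root_public)
    return key is not None and verify(order, order_sig, key)

# Constructed parties and keys (Mersenne primes; illustration only, not secure).
brand_pub, brand_priv = keypair(2**521 - 1, 2**607 - 1)    # card brand (root)
bank_pub, bank_priv = keypair(2**107 - 1, 2**127 - 1)      # issuing bank
holder_pub, holder_priv = keypair(2**61 - 1, 2**89 - 1)    # cardholder
CHAIN = [issue("Issuing Bank", bank_pub, "Card Brand", brand_priv),
         issue("Cardholder", holder_pub, "Issuing Bank", bank_priv)]
ORDER = b"order=1001;amount=25.00 USD"                      # constructed sample order
ORDER_SIG = sign(ORDER, holder_priv)
```

The merchant only needs the card brand's public key in advance; every other key arrives inside a certificate and is trusted only after the signature above it checks out.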

Pilot Programs

So now the really big question. When will it be available for use by you as an online gaming merchant?

Well. The short (and completely vague and unsatisfying) answer is "very soon." That helps, huh?

Actually, some companies have already completed multiple SET transactions over the Internet. And several SET pilot programs are underway around the world to further test and refine the process. So in the not-too-distant future, SET will be protecting online credit card transactions for consumers and merchants (including you) all over the Internet.

MasterCard is currently taking the lead in testing the SET standard with a number of these pilot test programs. The banks and other businesses involved include Chase Manhattan, Mellon Bank, the U.S. Department of the Treasury, Credit Union Electronic Transaction Services, SaskTel, Commerzbank, Karstadt, ChinaTrust Commercial Bank, Citibank, UC Card Japan, UC Cybermall, Amalgamated Banks of South Africa, South African Certification Agency and Danish Payment Systems. These organizations are working with a few cardholders and with selected merchants using early versions of SET software to test how it all works in the real world. The experiences these "pioneers" are currently having will make SET even better in the coming months and years.

SETCo, the organization set up to oversee the SET standard, has awarded its first wave of SET Mark seals. However, industry experts predict that it will take at least another year before SET becomes a part of the industry infrastructure and a uniform way of doing business for all online consumers, online merchants and issuing banks. The current conventional wisdom is that critical mass for SET will be reached sometime after the year 2000. Merchants can find more information about getting SET at

Remember, credit card fraud IS a problem in the online gaming industry. But today it is also preventable, controllable and reducible to near non-existent levels. In the future, SET will undoubtedly continue to make all online credit card transactions safer and more secure.

Christine Bednar is a partner at Signature Card Services, (213) 930-0050. Signature Card has assisted several online gaming clients in obtaining merchant accounts using Ecash and is available to answer questions regarding your online business.