The present invention is directed to a system and method for conducting secure electronic commerce (e-commerce) transactions and, more particularly, to a system and method for conducting e-commerce transactions utilizing a payment gateway that is able to communicate with a payment network for the authorization of the transactions.
By way of further background, many methods of conducting secure electronic commerce transactions are known in the art. One of these methods includes the SET™ protocol, which is managed by SET Secure Electronic Transaction LLC (“SETCo”), and which is part of an open technical standard for the commerce industry developed by Visa International Service Association and MasterCard International Incorporated as a way to facilitate secure payment card transactions over the Internet. Using the SET protocol (or specification), cryptography is utilized to ensure confidential and secure transmissions of data and digital certificates to create a trust chain throughout the transaction, verifying cardholder and merchant validity. There have been numerous extensions and additions to the SET specification, all of which are presently available on SETCo's website, setco.org. The SET protocol (“SET”) is typically invoked after a consumer has completed the payment and other information on an order form and is ready to return the order form to the merchant.
SET changes the way that participants in a payment system interact. In a face-to-face retail transaction or a mail order transaction, electronic processing begins with the merchant or the acquirer. However, in a SET transaction, the electronic processing begins with the cardholder.
In the electronic commerce environment, consumers and corporate purchasers generally interact with merchants from personal computers. A cardholder (or account holder—a physical card is not necessary) uses a payment account number or card that has been issued by an issuer. SET ensures that the cardholder's interactions with the merchant, and specifically the payment card account information, remain confidential. The typical participants, entities or components (in addition to the account holder) involved in a SET transaction are the issuer, the merchant, the acquirer and the payment gateway, each of which can be described as follows:
An issuer is a financial institution that establishes an account for a cardholder and most often issues the payment card. The issuer guarantees payment for authorized transactions using the payment card in accordance with payment card brand regulations and local legislation.
A merchant offers goods for sale or provides services in exchange for payment. With SET, the merchant can offer its cardholders secure electronic interactions. A merchant that accepts payment cards must have a relationship with an acquirer, which is the financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
Lastly, a payment gateway is a device operated by an acquirer or a designated third party that processes merchant payment messages, including payment instructions from cardholders.
As mentioned above, SET is an Internet transaction protocol which provides security through authentication. It enforces a series of checks and counterchecks between the participants' computers to ensure details are processed correctly, safely and securely. In this way, SET creates a trust framework around the electronic commerce transaction process, ensuring confidentiality, data integrity and authentication of each party:
Confidentiality
SET protects the privacy of the payment information that consumers transmit over the Internet by keeping all details encoded throughout a payment transaction. This contrasts with other Internet shopping systems, where payment card details are often sent over open networks with few, if any, security precautions, and are stored by the retailer in open databases, making payment information susceptible to unauthorized access. As consumers' account details provide data which hackers could use to create counterfeit cards and fraudulent transactions, this lack of security is a major concern. By using SET, consumers and merchants are protected—its design ensures that payment information is safe and can only be accessed by the intended recipient.
Data Integrity
With SET, the merchant can be assured that the order it receives is what the cardholder entered. SET combats the risk of transaction information being altered in transit by keeping information securely encrypted at all times and by using digital certificates to verify the identity of those accessing payment details.
Authentication
The anonymity of Internet shopping means that cardholders cannot know for sure which merchant they are dealing with or whether that merchant is properly authorized to handle payment card transactions. Similarly, merchants have no way of verifying whether the cardholder is in possession of a valid payment card or has the authority to be using that card. SET addresses these concerns by using digital signatures and digital certificates to authenticate the banking relationships of cardholders and merchants. This creates an authentication system similar to a consumer signing a payment card slip in a face-to-face transaction. With SET, no matter what the location of a consumer or a merchant, both parties can be confident of each other's legitimacy.
As described, SET uses encryption technology and digital certificates as the basis for electronic commerce transactions. There are several components required for SET to work:
1. Digital Certificates
Digital certificates are an important element in securing SET transactions. They are authenticated by digital signatures, validating the identities of the participants. Each transaction participant's certificate holds information that is unique to them and is verified by the trusted source:
To become SET-enabled, a financial institution must first establish a Certificate Authority, which allows it to issue certificates to its cardholders and merchant customers.
Merchants obtain SET digital certificates from their acquirer bank. The merchant's certificate authenticates its identity.
Consumers are provided with digital certificates by their payment card issuers, just as they are provided with plastic cards for face-to-face transactions. Consumer certificates are an electronic representation of their payment card and are stored in a secure electronic wallet on their personal computer or on the issuer's secure server.
SET certificates safeguard transactions through a number of security measures. They are digitally signed and issued by financial institutions, prohibiting alteration by a third party and ensuring generation by an authorized party. In addition, the information they hold is encoded and cannot be seen or decoded by anyone except the entity that issued the certificate. If every participant in a transaction has a SET certificate, the process will be fully secure. However, even if only the merchant and its acquirer bank are SET-compliant, the transaction will still be more secure than one conducted using other payment protocols, including, for example, Secure Sockets Layer (SSL).
2. Certificate Authorities
Each payment brand has both a Certificate Authority that issues certificates to the payment card issuers and the merchant's acquirer bank, and a Certificate Authority for signing individual payment gateway certificates. Issuers are then able to issue certificates to their cardholders, and acquirers can issue certificates to their merchants. This ‘hierarchy of trust’ reflects the relationships that exist in traditional ‘physical world’ payment systems.
For instance, the root Certificate Authority—in this case SETCo—sits at the top of the hierarchy and is responsible for issuing digital certificates to the payment brands. By obtaining SET certificates from SETCo, the payment brands become Certificate Authorities and are entitled to issue SET certificates to their member banks. The member banks in turn become Certificate Authorities that can sign and issue SET certificates to their cardholders or merchants. They are responsible for ensuring the authenticity of the certificates and must confirm the identity of a certificate requester before issuing a certificate.
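The hierarchy of trust described above, built and checked with Go's standard crypto/x509 package, as an added example that is not part of the patent text or of SETCo's specification. SET's real certificate profile, key types and brand names are not reproduced: the tier names ("SET Root CA", "Payment Brand CA", "Issuer Bank CA", "Acquirer Bank CA"), the P-256 keys and the one-day validity are assumptions for illustration. Each tier is certified by the one above it before it can sign for the one below, and VerifyUnderRoot is the check a merchant performs on a cardholder's certificate (and the gateway on both) before trusting a signature made with it:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Participant is one node in the hierarchy of trust: a certificate and its private key.
type Participant struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Hierarchy mirrors the text: root CA -> brand CA -> bank CAs -> cardholder and merchant.
type Hierarchy struct {
	Root, Brand, IssuerBank, AcquirerBank, Cardholder, Merchant *Participant
}

var nextSerial int64 // constructed serial numbers; a real CA keeps these unique per issuer

// NewParticipant generates a P-256 key pair and a certificate for commonName signed by
// parent (nil parent = self-signed root). isCA grants BasicConstraints CA + keyCertSign.
func NewParticipant(commonName string, isCA bool, parent *Participant) (*Participant, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Participant{Cert: cert, Key: key}, nil
}

// BuildHierarchy issues the chain top down: a tier signs for the tier below only after
// it has itself been certified by the tier above.
func BuildHierarchy() (*Hierarchy, error) {
	h := &Hierarchy{}
	var err error
	issue := func(name string, isCA bool, parent *Participant) *Participant {
		if err != nil { // stop at the first failure and report it once
			return nil
		}
		var p *Participant
		p, err = NewParticipant(name, isCA, parent)
		return p
	}
	h.Root = issue("SET Root CA", true, nil)
	h.Brand = issue("Payment Brand CA", true, h.Root)
	h.IssuerBank = issue("Issuer Bank CA", true, h.Brand)
	h.AcquirerBank = issue("Acquirer Bank CA", true, h.Brand)
	h.Cardholder = issue("Cardholder", false, h.IssuerBank)
	h.Merchant = issue("Merchant", false, h.AcquirerBank)
	return h, err
}

// VerifyUnderRoot checks that leaf chains through the intermediates to a root the
// verifier trusts: the merchant's check on a cardholder certificate, the gateway's on both.
func VerifyUnderRoot(leaf *Participant, intermediates []*Participant, root *Participant) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root.Cert)
	for _, p := range intermediates {
		opts.Intermediates.AddCert(p.Cert)
	}
	_, err := leaf.Cert.Verify(opts)
	return err
}

func main() {
	if h, err := BuildHierarchy(); err == nil {
		fmt.Println("cardholder chain under SET root:", VerifyUnderRoot(h.Cardholder, []*Participant{h.IssuerBank, h.Brand}, h.Root))
	}
}
```

Verifying the cardholder certificate against a root other than the one at the top of its own chain, or without its issuing bank's intermediate, fails; that failure is the point of the hierarchy: a participant's certificate is only as trustworthy as the path from it back to the root.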
3. Cardholder Wallet and Encryption
To request and use digital certificates, consumers need an Internet connection and a browser, plus a SET enabled electronic wallet. The wallet is a software application, which is either held on a cardholder's computer or is managed on their behalf on the issuer's secure server. It stores key information required for the transaction such as the payment brand account number and expiration date and their SET certificate. Consumers can obtain an electronic wallet from a range of authorized parties, including their financial institution.
By encoding information before it is transmitted over the Internet, the SET-enabled wallet ensures that the payment information remains confidential as it traverses the Web. Payment information remains encrypted until received by the merchant's acquirer bank, where it is decrypted so that the transaction can be authorized by the cardholder's issuer bank. The information is then re-encrypted so that the cardholder and merchant can be notified of the transaction's successful completion.
4. Merchant SET Software Requirements
To become SET-compliant, merchants simply need to integrate a SET software component into their virtual storefront system. This SET software then facilitates the actual authorization and settlement process of the payment transaction. The SET module is software developed from the SET specifications.
5. Payment Gateways
As mentioned above, the payment gateway acts as the interface between a SET-compliant merchant and the merchant's bank (the acquirer). It performs three main functions, as follows:
1. Decrypts the SET-encoded message
2. Authenticates all participants in a transaction
3. Reformats the SET message into a format compliant with the merchant's point of sale system and forwards the payment authorization request into the payment network.
The SET Transaction Process
Once a consumer has selected items for purchase from an Internet retailer's website and has been presented with an order form, the SET transaction process begins as follows:
1. The cardholder (or account holder) selects the ‘Payment with SET’ option and then chooses their form of payment, e.g. Visa, MasterCard etc.
2. The merchant ‘wakes up’ the cardholder's SET wallet, which sends a message to the merchant indicating which payment card the consumer is using.
3. An exchange takes place between the merchant and cardholder, authenticating each party and encrypting the payment information. This encrypted data is then forwarded to the merchant, which sends it, still encrypted, to the SET payment gateway.
4. The SET payment gateway authenticates all the parties in the transaction and forwards the authorization request into the payment network and processes the transaction with its normal authorization process.
5. If approved, the merchant ships the requested goods or provides the requested service and, in return, receives payment from its financial institution.
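The message flow of steps 3 and 4 above, together with the "encrypted until it reaches the acquirer" property described under Cardholder Wallet and Encryption and the gateway's decrypt-and-authenticate functions, modelled in Go as an added example that is not part of the patent text or of the SET specification. It is a simplified model: SET's own message formats, digital envelope and dual-signature construction are not reproduced. The assumptions are that the gateway holds an RSA key pair and the cardholder an ECDSA key pair (in SET these would come with their certificates), that the card details fit in a single RSA-OAEP block, and that the order digest is carried as the OAEP label so the card details can only be decrypted alongside the order they were sealed with. The sample order and card details in main are constructed placeholders:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PaymentRequest is what the wallet hands to the merchant: the order in the clear,
// the card details readable only by the gateway, and the cardholder's signature over both.
type PaymentRequest struct {
	Order         []byte // order details the merchant needs, plaintext
	PaymentCipher []byte // card details, RSA-OAEP to the gateway key, label = SHA-256(Order)
	Signature     []byte // cardholder ECDSA signature over SHA-256(Order || PaymentCipher)
}

// Keys are constructed here for the example; in SET each would come with a certificate.
type Keys struct {
	Gateway    *rsa.PrivateKey
	Cardholder *ecdsa.PrivateKey
}

func NewKeys() (*Keys, error) {
	gw, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ch, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Keys{Gateway: gw, Cardholder: ch}, nil
}

// requestDigest covers order and ciphertext together, so neither can be swapped
// for another without invalidating the cardholder's signature.
func requestDigest(order, paymentCipher []byte) []byte {
	h := sha256.New()
	h.Write(order)
	h.Write(paymentCipher)
	return h.Sum(nil)
}

// Seal runs in the cardholder's wallet. Card details are short enough (under 190 bytes
// with a 2048-bit key and SHA-256) to go straight into RSA-OAEP; the OAEP label ties
// the ciphertext to this order, so it cannot be replayed against a different one.
func Seal(order, payment []byte, gatewayPub *rsa.PublicKey, cardholder *ecdsa.PrivateKey) (*PaymentRequest, error) {
	orderDigest := sha256.Sum256(order)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, payment, orderDigest[:])
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, cardholder, requestDigest(order, ct))
	if err != nil {
		return nil, err
	}
	return &PaymentRequest{Order: order, PaymentCipher: ct, Signature: sig}, nil
}

// MerchantAccept is all the merchant can do: verify the cardholder's signature and read
// the order. It holds no key for PaymentCipher and forwards it to the gateway untouched.
func MerchantAccept(req *PaymentRequest, cardholderPub *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(cardholderPub, requestDigest(req.Order, req.PaymentCipher), req.Signature)
}

// GatewayOpen runs at the payment gateway: re-verify the signature, then decrypt.
// Decryption fails if the order the gateway received is not the one the wallet sealed against.
func GatewayOpen(req *PaymentRequest, gateway *rsa.PrivateKey, cardholderPub *ecdsa.PublicKey) ([]byte, error) {
	if !MerchantAccept(req, cardholderPub) {
		return nil, errors.New("cardholder signature does not verify")
	}
	orderDigest := sha256.Sum256(req.Order)
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, gateway, req.PaymentCipher, orderDigest[:])
}

func main() {
	k, err := NewKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample data; the PAN is a placeholder, not a real account number.
	order := []byte(`{"merchant":"example-store","sku":"A100","amount":"19.99","currency":"USD"}`)
	payment := []byte("pan=0000000000000000;exp=12/29;brand=EXAMPLE")
	req, err := Seal(order, payment, &k.Gateway.PublicKey, k.Cardholder)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant accepts signature:", MerchantAccept(req, &k.Cardholder.PublicKey))
	card, err := GatewayOpen(req, k.Gateway, &k.Cardholder.PublicKey)
	fmt.Printf("gateway recovers card details: %q (err=%v)\n", card, err)
}
```

The merchant can verify the cardholder's signature and read the order but has no key for PaymentCipher; altering the order in transit invalidates the signature and, independently, makes the gateway's decryption fail because the OAEP label no longer matches.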