Secure Electronic Transaction (SET)
SET is the Secure Electronic Transaction protocol
developed by Visa and MasterCard specifically for enabling secure credit
card transactions on the Internet. It uses digital certificates to ensure
the identities of all parties involved in a purchase and encrypts credit
card information before sending it across the Internet.
SET is exempt from the US
cryptography export restrictions and unlike SSL can therefore use
strong, 128-bit encryption for credit card numbers world-wide. In order to
gain this exemption, the use of strong encryption has to be limited to the
financial information only and does not include other elements of the
transaction, for example details of the goods being bought and the
delivery address.
Like SSL, SET allows the merchant's identity to be
authenticated via digital certificates. However, SET also allows the
merchant to request that users authenticate themselves through digital
certificates. This makes it much more difficult for someone to use a
stolen credit card.
A further advantage of SET is that the merchant has no
access to credit card numbers and thus another source of fraud is
eliminated.
There are many pilot schemes running using the SET
protocol but mainstream adoption has been slower than predicted. The main
reasons behind this are the growing acceptance of SSL for secure credit
card transactions and the complexity and cost of the SET system.
Encryption Process
In a typical SET transaction, there is information that is private between
the customer and the merchant (such as the items being ordered) and other
information that is private between the customer and the bank (such as the
customer's credit card number). SET allows both kinds of private
information to be included in a single, digitally signed transaction.
Information intended for the bank is encrypted using the
bank's public key whilst information for the merchant is encrypted with
the merchant's public key. This means that the merchant has no access to
the credit card details and thus a source of fraud is eliminated.
In addition to this encryption, both sets of information
are digitally signed. Finally, these two signatures are combined to produce
one signature that covers the whole transaction.
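The combined signature described above is SET's dual signature. The following Python sketch is an added example, not code from the original entry or from the SET specification: it builds the dual signature with a toy textbook RSA key (constructed here from two Mersenne primes, with no padding, so it is not a usable signature scheme) and shows that the merchant can verify it without ever seeing the card number, while the bank can verify it without seeing the order.

```python
import hashlib

# Toy textbook RSA signing key, constructed for this example only: two Mersenne
# primes give a modulus large enough to hold a SHA-256 digest. There is no
# padding, so this is NOT a production signature scheme; it only illustrates
# how the protocol ties the two halves of the transaction together.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def rsa_sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), D, N)


def rsa_recover(sig: int) -> bytes:
    return pow(sig, E, N).to_bytes(32, "big")


def customer_sign(pi: bytes, oi: bytes):
    """Customer side: hash the payment info (PI) and order info (OI) separately,
    hash the two digests together, and sign that combined digest once."""
    pimd, oimd = h(pi), h(oi)
    ds = rsa_sign(h(pimd + oimd))
    # The merchant receives the order plus only the digest of the payment info;
    # the bank receives the payment info plus only the digest of the order.
    to_merchant = {"oi": oi, "pimd": pimd, "ds": ds}
    to_bank = {"pi": pi, "oimd": oimd, "ds": ds}
    return to_merchant, to_bank


def merchant_verify(msg) -> bool:
    # The merchant never sees the card number, yet can check that the one
    # signature covers both its order and the payment sent to the bank.
    return rsa_recover(msg["ds"]) == h(msg["pimd"] + h(msg["oi"]))


def bank_verify(msg) -> bool:
    # The bank never sees the order, yet can confirm this payment belongs to it.
    return rsa_recover(msg["ds"]) == h(h(msg["pi"]) + msg["oimd"])


# Constructed sample transaction (standard test card number, not real data).
PI = b"card=4111111111111111;exp=12/29;amount=49.99"
OI = b"order=12345;items=widget x2;ship=Example St 1"

if __name__ == "__main__":
    m, b = customer_sign(PI, OI)
    print("merchant ok:", merchant_verify(m), "bank ok:", bank_verify(b))
    b["pi"] = PI.replace(b"49.99", b"4999.00")  # altered amount is detected
    print("bank ok after tampering:", bank_verify(b))
```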