6.1. Introduction

The use of authentication protocols, such as TLS and SSL, to support, payments over the Web takes care of mutual authentication between customer and merchant and guarantees that both order and payment information (e.g., credit card number) will be protected when transmitted over the Internet. However, authentication protocols do not guarantee that payment information will be protected while stored in the merchant's computer systems. Also, authentication protocols do not protect customers from misuse of their credit card information by merchants. Merchants are not sure whether customers are legitimate holders of the credit card and customers are not sure if merchants are authorized to receive payments with specified credit cards.

Payment protocols, such as Secure Electronic Transactions (SET), aim at solving these problems. In this chapter, we first provide an overview of what happens when one uses a credit card for payment in the physical world. Then, we discuss how SET allows for credit card payments to take place over the Internet. This chapter is not intended to be a thorough description of SET, but it describes SET at a high enough level of detail to provide the reader with an overall picture of the protocol as well as its performance implications. SET provides a much higher level of security than SSL or TLS. There is, however, a performance penalty as we discuss in this chapter. It should be pointed out that SET is a very complex protocol. Interested readers are referred to Merkow [5], Sherif [8], and SET [7] for more detailed information on SET and to Lu [4] for a formal verification of SET properties. We discuss in this chapter the cryptographic processes used by SET as well as the flow of messages involved in SET transactions. The performance of SET transactions is then discussed through various numerical examples. The chapter concludes with a brief discussion of other payment services.