The secure sockets layer (SSL) protocol was developed by Netscape Communications Company (now owned by America Online) and uses public key cryptography to secure communications on the Internet. With SSL, a secure session is established during which messages transmitted between two parties are protected via encryption. For example, before a consumer transmits a credit card number to a merchant, the merchant’s server establishes a secure session. The merchant decrypts the message, extracts the credit card number, and submits a charge to the consumer’s credit card company (i.e., credit card issuing bank) to clear the transaction using traditional means. SSL protects the consumer from interception and unauthorized use of the purchase and credit card information while it is on the Internet (i.e., from the consumer’s Web browser to the merchant’s Web server). Normally, the merchant cannot authenticate the transmission to determine from whom the message originated and the consumer has only moderate assurance that they have sent their credit card number to a legitimate merchant.
The secure electronic transaction (SET) protocol was developed by MasterCard and Visa to secure credit card transactions on the Internet involving three parties: the consumer, the merchant, and one or more credit card issuing banks. With SET, the consumer separately encrypts the purchase message and the credit card number. The merchant decrypts the purchase message to proceed with the sale and submits a charge to the consumer’s credit card company (i.e., credit card issuing bank) to clear the transaction using traditional means. However, unlike SSL, SET-based clearing will pass through the merchant and go directly to the consumer’s credit card issuing bank. The consumer and the merchant sign their messages with certificates obtained from financial institutions that certify that the consumer holds the credit card in question and that the merchant has a credit card clearing relationship with the issuing bank. SET protects merchants and credit card issuing banks from unauthorized purchases, and consumers from credit card fraud.