Chapter 10: Merchant SET POS Software and Merchant Digital Certificates
In Chapter 9 we looked at E-wallet software for certificate storage and payment selection and Cardholder Digital Certificates. In Chapter 10 we shift the focus to Merchant Digital Certificates and SET-compliant Point-of-Sale (POS) software that works within Merchant Server software. Because these digital certificates stand in for the storefront payment card brand decals and are needed to carry out the work otherwise performed by traditional POS terminals, an understanding of how these components interact is essential. Topics we'll cover in this chapter include:
Distinctions between Merchant certificate types
Certificate issuance and maintenance processing
Merchant Server POS software for SET
Merchant Digital Certificates
For each payment card brand that Merchants accept, they'll also need distinct pairs of digital certificates for processing by both the Cardholder E-wallet and Acquirer's Payment Gateway.
The Merchant can be thought of as the central figure in a payment card transaction, since she serves as the bridge between the Cardholder and Payment Gateway.
Key-Exchange or Encryption Certificates are used for encrypting messages intended for return to the Merchant that only she may read. Signing Certificates are used for signing messages from the Merchant, unquestionably identifying the Merchant as the source of those messages.
These pairs of certificates are generated by the Merchant Certificate Authority (MCA) concurrently using the protocol described in the next chapter. Merchants may need additional sets (copies) of these certificates because of physical system requirements, concern for security, or Acquirer policies. The total number of certificates required is a function of the number of key-pairs a Merchant needs, the number of Acquirer Payment Gateways with which the Merchant interfaces, and the number of different payment card brands the Merchant accepts. For practical purposes, it may be necessary to split Internet traffic across several Merchant Web Servers, and each one of those will require a copy of all certificates. In addition, when the private keys tied to these certificates or the certificates themselves expire (most likely at different times), they'll require renewal processing and redistribution to wherever they're used. The same is true in the event of a private key compromise.
Chapter 6 discusses some ways to store the keys using hardware-assisted cryptographic devices that also aid in keeping their maintenance processing requirements low. Chapter 8 discusses the risks of private key compromises and offers Merchants some tips on maintaining a safe operating environment.