BanestoEasy SET Project

Julián Inzajinza@banesto.es

Technological Strategy Director

http://www.banesto.es

6th of July, 2,000víspera de San Fermín

Agenda

Banesto: early involvement in SET Some criticism to SET SET trends SET flavours (Classic, MIA, Easy) Easy SET project: standard and alternate hierarchies Payment scenarios Banesto Virtual POS and SET in VPOS Wath EasySET working for you Action plan Fee arrangement proposal EasySET portal: www.easy-set.org

1997 19991998

First Spanish SET transaction (with

Banesto Virtual Cash Card)

2000 2001

Banesto & IBM initiate a SET Trial

with Banesto Virtual Cash Card

Banesto begin “SET Facil”- “Easy SET”

Project

1996

SET Facil adoption (500.000 cardholders, including other banks)2000+ virtual shops

1000 virtual shops50.000

cardholders

SET-Facil Release

Initial SET deployment

Early involvement in SET

SET Criticism

SET is complex Wallets usually weights 4-6 Mb Users need to install software in their PC Certificates are hard to get and take some time Versions are not easily maintained SET infrastructure is expensive Interoperability is not guaranteed Issuer banks don´t support SET

SET Trends

SET can be easy (in fact it is easier to use than SSL, once you have the certificate)

Light Wallets and Plug-ins for Server Wallets weight under 600Kb

Users still need to install software in their PC, but this include additional features

You should get your Certificate in a 1-step process Versions should be updated transparently SET infrastructure is expensive ( but for some projects

you can use Easy SET alternate root) Interoperability is not guaranteed Issuer banks don´t support SET

“Classic” SET

Merchant Server Payment Gateway

Payment Acquirer or Merchant’s Bank

Issuing Bank

Root CA Verification of SET Certificates through the chain of trust

Transaction Information

Digital Wallet

Digital Certificate

(2) (3)

(1)

Merchant Server

Payment Gateway

Payment Acquirer or Merchant’s Bank

Issuing Bank

Root CA

Verification of SET Certificates

through the chain of trust

Transaction Information

+Credit Card

Number

(2)(1)

SSL

Security Weak Point: End-User Id. + Auth.

Security Weak Point:CC Number Storage

Security Weak Point:CC Number Transfer

MIA SET

Payment Server Payment Gateway

Issuing Bank

Merchant Storefront

Safelayer Wallet (500k)

Catalog selection and shopping carrt

SET transaction

CA hosted by

SET Payment

Classic Authorisation and Settlement transaction

Card Clearing Network

Payment Server and Payment Gateway hosted by

Easy SET

Root CA (SET Co)

Geo-Political CA (optional)(only for VISA)

Brand CA(MasterCard, Visa)

Merchant CA(Banesto)

Cardholder CA (Banesto)

Cardholder

Payment Gateway CA(MasterCard, Banesto in VISA)

Merchant Payment Gateway

SET Hierarchy

Hosted by

Alternate Root CA (Eurociber with Safelayer SW)

Geo-Political CA (optional)

Brand CA(Private Cards)

Merchant CA(Brand X)

Cardholder CA (Brand X)

Cardholder

Payment Gateway CA(Brand X)

Merchant Payment Gateway

Alternate SET Hierarchy

Classic B2C payment scenario

Cards clearing system

Catalog browsing

Secure form

Auth request

Card # is stored in merchant DB

“Linear” B2C payment scenario

Spanish B2C payment scenario

Intern

al se

cure

commun

icatio

n

Gateway

“Triangular” B2C payment scenario

Catalog browsing

Secure form

Cards clearing system

Payment triangle

Spanish SET payment scenario

Intern

al se

cure

commun

icatio

n

SET Gateway

“Triangular” B2C payment scenario allows transparentSET deployment in the merchant side

Catalog browsing

Secure form

Cards clearing system

Payment Server

Wallet allows SET payment with or without certificates

Banesto SET payment scenario

Intern

al se

cure

commun

icatio

n

SET Gateway

“Easy SET” is a brand in the merchant side and a special RA-wallet communication enhacement to allow easy certificate download

Catalog browsing

Secure form

Cards clearing system

Payment Server

Easy SET Wallet allows easy certificate download

SET Facil - Easy SET

1,500 sites SET enabled by end Y2K (most of them at http://www.escaparate.com)

500 Kb Wallet (Alternate SET root available) Merchant can be unaware they are SET enabled 50,000 potential cardholders with SET access 1-step certificate download Easy SET Wallet allows remote transparent upgrade Easy SET Wallet will include ECML extensions to allow

automatic form filling (Name, address,...) Merchant benefits: lower fees, no chargebacks Cardholder benefit: better security perception

Banesto Easy SET Registration Scenario

Intern

al se

cure

commun

icatio

n with

card

data

The bank shows card list to the user in an authenticated internet banking system. User Click on one of then and get inmediatelly the certificate

Card selection in Banesto Internet banking service

Extended wake up message

Easy SET Wallet allows easy certificate download

Wake up message redirection

Extended wake-up message includes PAN card number,

expiration date and one-time password. The wallet doesn´t

need to ask known data to the user and proceeds according to

standard SET registration process

CA hosted by

SET Registration in the Internet Banking system

Choose the card, click and you are done

Several cards

Where to buy: www.escaparate.com

Choose the shop (www.bookonhand.com)

Standard SSL form at Banesto

You can choose either

SET payment,either

SSL payment

Download the wallet

Click to enterSET Portal(www.easy-set.org)- get info- download walet- get certificate

When you click on the button you wake up the Easy SET wallet

SET form at Banesto

Several users can share the wallet on the same computer

Wallet wakes up

Choose the card with which you want to pay

Whatch everything flowing

SET End of transaction

Action Plan

300 merchants by summer 2000 1,500 merchants by end 2000 50,000 potential cardholders by summer 2000 Easy SET downloadable wallet for everybody Banesto Merchants could allow SET initiated

transaction without cardholder certificate (Wallet mandatory)

SET Portal: www.easy-set.org (EasySET demo inside)

Fee arrangement proposal

SET enabled merchants should benefit from SET fees and no-chargeback even for SSL transactions

SSL transactions should not pay fee to issuer SSL-only merchants should pay the higher fees and

suffer chargebacks

More Info about Easy SET

You can get the wallet and try Easy SET in our EasySET Portal

The demo allows you to get the Tiger Card and purchase some goods (sorry, it is a demo and the goods will not be delivered)http://www.easy-set.org