TSET: Token based Secure Electronic Transaction

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Security and trust are the most important factors in online transactions. This paper introduces TSET, a Token based Secure Electronic Transaction, which is an improvement over the existing SET (Secure Electronic Transaction) protocol. We take the concept of tokens in the TSET protocol to provide end-to-end security. It also provides a trust evaluation mechanism so that the trustworthiness of merchants can be known by customers before being involved in the transaction. Moreover, we also propose a grading mechanism so that the quality of service in the transactions improves.


💡 Research Summary

The paper presents TSET (Token based Secure Electronic Transaction), an enhanced version of the original SET protocol designed to address three critical challenges in online commerce: end‑to‑end security, merchant trustworthiness, and service‑quality assurance. The authors first identify the limitations of SET, namely its reliance on static digital certificates, lack of a mechanism for customers to evaluate merchant reliability before a transaction, and absence of a systematic way to improve quality of service (QoS) across the ecosystem.

To overcome these issues, TSET introduces a token mechanism that serves as a one‑time, cryptographically protected transaction voucher. When a buyer initiates a purchase, a trusted Token Authority (TA) or the existing Certification Authority validates the buyer’s identity and the purchase details, then issues a token. The token encapsulates the transaction amount, a unique transaction identifier, an expiration timestamp, and a set of metadata. It is signed with the TA’s RSA private key and includes a SHA‑256 hash of the payload, guaranteeing integrity and non‑repudiation. For transmission efficiency, the signed token is encrypted with a symmetric AES session key, which is shared only among the buyer, the merchant, the payment gateway, and the issuing bank. Each participant verifies the RSA signature and recomputes the hash before proceeding, ensuring that any tampering or replay attempt is detected instantly. Because the token is single‑use and time‑bound, the classic replay and man‑in‑the‑middle attacks that plague static certificate‑based systems are effectively eliminated.
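The issue-and-verify flow described above, as an added Go sketch (not code from the paper or its authors). The field names, the JSON encoding, RSA-PSS padding and the in-memory per-participant replay cache keyed on the transaction identifier are assumptions, and the AES transport layer is left out. It makes one point explicit: the signature check catches tampering, but a replayed token still carries a valid signature, so single use depends on the verifier recording consumed identifiers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Token holds fields the summary lists (names assumed); Expires is Unix seconds.
type Token struct{ TxID string; AmountCents, Expires int64 }
// Verifier is one participant (merchant, gateway or bank); Seen is its replay cache.
type Verifier struct{ TAKey *rsa.PublicKey; Seen map[string]bool }

// NewTA generates a throwaway Token Authority key for this demo.
func NewTA() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Issue is the TA side: an RSA-PSS signature over SHA-256(payload).
func Issue(ta *rsa.PrivateKey, t Token) (payload, sig []byte, err error) {
	payload, _ = json.Marshal(t) // a flat struct of strings and ints cannot fail
	h := sha256.Sum256(payload)
	sig, err = rsa.SignPSS(rand.Reader, ta, crypto.SHA256, h[:], nil)
	return payload, sig, err
}

// Accept verifies before parsing, then enforces expiry, then single use.
func (v *Verifier) Accept(payload, sig []byte, now int64) error {
	var t Token
	h := sha256.Sum256(payload)
	if rsa.VerifyPSS(v.TAKey, crypto.SHA256, h[:], sig, nil) != nil ||
		json.Unmarshal(payload, &t) != nil {
		return fmt.Errorf("bad signature or payload")
	}
	if now >= t.Expires {
		return fmt.Errorf("expired")
	} else if v.Seen[t.TxID] {
		return fmt.Errorf("replay")
	}
	v.Seen[t.TxID] = true // consume only after every check has passed
	return nil
}

func main() {
	ta, _ := NewTA()
	p, s, _ := Issue(ta, Token{"tx-1001", 4999, 2000}) // constructed sample token
	v := Verifier{&ta.PublicKey, map[string]bool{}}
	fmt.Println(v.Accept(p, s, 1000), v.Accept(p, s, 1001)) // <nil> replay
}
```

Because expiry is checked before the replay lookup, a cache entry only has to be retained until its token's expiry time.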

The second major contribution is a trust‑evaluation framework. After a transaction concludes, the buyer submits a rating and optional textual review to a centralized Trust Management Server (TMS). The TMS aggregates these inputs, applies weighting based on transaction value, recency, and the buyer’s own reputation, and computes a composite trust score. This score is mapped onto a five‑level grade (A through E) that is publicly visible to all prospective customers. Merchants with higher grades enjoy reduced friction—such as waiving additional escrow deposits—while low‑grade merchants face stricter verification steps or even temporary suspension. By making trust information transparent before a purchase, TSET empowers consumers to make informed decisions and incentivizes merchants to maintain high standards.
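An added Go illustration of the weighting step (not from the paper): it compares a plain average with a score weighted by transaction value, recency and rater reputation on a constructed rating history. The weight formula, the 90-day decay constant, the grade cut-offs, the field names and grading a merchant with no usable ratings as E are all assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Rating is one review; field names are assumptions. RaterRep is in [0,1].
type Rating struct{ Stars, AmountUSD, AgeDays, RaterRep float64 }

// Weight multiplies the summary's three factors; this exact formula is assumed.
func Weight(r Rating) float64 {
	return math.Log1p(r.AmountUSD) * math.Exp(-r.AgeDays/90) * r.RaterRep
}
func Flat(Rating) float64 { return 1 } // unweighted baseline: each rating counts once

// TrustScore is the mean of Stars under weighting w; 0 means no usable ratings.
func TrustScore(rs []Rating, w func(Rating) float64) float64 {
	var sum, total float64
	for _, r := range rs {
		sum, total = sum+w(r)*r.Stars, total+w(r)
	}
	if total == 0 {
		return 0
	}
	return sum / total
}

// Grade maps a score onto A..E; the cut-offs are assumed.
func Grade(score float64) string {
	for i, cut := range []float64{4.5, 3.5, 2.5, 1.5} {
		if score >= cut {
			return "ABCD"[i : i+1]
		}
	}
	return "E"
}

func Repeat(rs []Rating, n int, r Rating) []Rating { // n copies of r, for sample data
	for ; n > 0; n-- {
		rs = append(rs, r)
	}
	return rs
}

func main() { // constructed sample: 10 genuine 2-star reviews, 60 cheap 5-stars
	h := Repeat(Repeat(nil, 10, Rating{2, 100, 10, 0.8}), 60, Rating{5, 1, 0, 0.02})
	fmt.Println(Grade(TrustScore(h, Flat)), Grade(TrustScore(h, Weight))) // A D
}
```

On this sample the plain average is lifted to grade A by the sixty low-value, low-reputation ratings, while the weighted score stays at D.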

The third pillar is a QoS grading mechanism. TSET continuously monitors key performance indicators (KPIs) for each merchant: transaction success rate, average payment‑authorization latency, frequency of chargebacks, complaint count, and return ratio. These KPIs are normalized, weighted, and combined into a quality score that is periodically updated. Merchants whose scores fall below predefined thresholds receive automated warnings and are required to remediate within a stipulated period; failure to improve results in transaction limits or suspension. This feedback loop creates a self‑regulating environment where service quality is systematically raised across the network.

From a technical standpoint, the protocol balances strong security with acceptable performance. The hybrid cryptographic approach (RSA for signatures and AES for bulk encryption) limits computational overhead: the authors' prototype implementation shows roughly 15–20 % less latency than the original SET. The token's inclusion of a nonce and expiration time prevents replay, while the digital signature guarantees authenticity and integrity without requiring a separate certificate exchange at each step.

Nevertheless, the authors acknowledge several open challenges. The Token Authority constitutes a potential single point of failure; they propose redundancy through distributed TA clusters and fail‑over mechanisms, but detailed fault‑tolerance analysis is left for future work. The trust‑score system could be vulnerable to collusion or Sybil attacks; to mitigate this, the paper suggests logging all rating transactions on a permissioned blockchain, ensuring immutability and auditability. Finally, the added cryptographic operations may strain low‑end devices (e.g., IoT payment terminals), prompting a need for lightweight algorithms or hardware acceleration.

In conclusion, TSET offers a comprehensive, forward‑looking framework that simultaneously strengthens security, provides pre‑transaction trust visibility, and enforces quality standards. By integrating token‑based authentication, transparent merchant grading, and continuous QoS monitoring, the protocol addresses the most pressing shortcomings of SET and presents a viable path toward more trustworthy and efficient electronic commerce.

