STT stands for Secure Transaction Technology, a secure payment protocol developed by Microsoft and Visa International. It is a companion to the PCT protocol (see Question 136), but need not be layered on top of the PCT protocol; it can run on insecure but reliable data transports such as TCP.
STT is intended for ordering products over networks, including the Internet, where payment is by bank card. STT includes messages for ordering goods and services electronically, requesting authorization of payment, and requesting "credentials" (i.e., certificates) binding public keys to identities, among other services. All parties have a public/private key pair; authentication of all parties, based on their credentials and a digital signature, is a requirement of the protocol. This includes merchants, payment servers, and - notably in contrast to other protocols - cardholders.
DES (see Question 64) and RC4 (see Question 87) are supported for bulk data encryption; RSA (see Question 8) is the supported algorithm for signatures and public-key encryption of data encryption keys and bank card numbers. The RSA public-key encryption employs Optimal Asymmetric Encryption Padding [BR94]. The credential format is particular to STT; it is not the same as X.509 certificates (see Question 165).
SEPP (see Question 140) and STT were being merged into a joint Visa-MasterCard protocol called SET, Secure Electronic Transactions, as of this writing.
| Question 143 |