E-commerce Support Systems
• Electronic payments
  – Electronic checks
  – Electronic credit cards
  – Virtual credit cards
  – Purchasing cards
  – Electronic cash
    o Stored value money cards
    o Smart cards with microprocessors
    o Person-to-person payments
  – Payment of bills online

Security in Electronic Payments
• Authentication of all parties
• Protection of data from alteration or destruction during transmission
• Protection from buyer’s unjustified repudiation
• Privacy
• Customer safety
• Protection of information at seller’s end

Order Fulfillment in Electronic Commerce
• Provide customers with ordered goods
• Goods must be quickly packaged, shipped, and delivered
• Payment collection system must be in force
• Handle the return of unwanted or defective merchandise
• Customer relations

E-payment systems
• To transfer money over the Internet
• Methods of traditional payment
  – Check, credit card, or cash
• Methods of electronic payment
  – Electronic cash, software wallets, smart cards, and credit/debit cards
  – Scrip is digital cash minted by third-party organizations

Requirements for e-payments
• Atomicity
  – Money is not lost or created during a transfer
• Goods atomicity
  – Money and goods are exchanged atomically
• Non-repudiation
  – No party can deny its role in the transaction
  – Digital signatures

Desirable Properties of Digital Money
• Universally accepted
• Transferable electronically
• Divisible
• Non-forgeable, non-stealable
• Private (no one except the parties knows the amount)
• Anonymous (no one can identify the payer)
• Works off-line (no on-line verification needed)
No known system satisfies all.

Smart Cards
A smart card:
• can store data (e.g. profiles, balances, personal data)
• provides cryptographic services (e.g. authentication, confidentiality, integrity)
• is a microcomputer
• is small and personal
• is a secure device

Smart Card Applications
• Communication
• Retail
• Transportation
• Health care
• Government
• E-commerce
• E-banking
• Education
• Office

• Retail
  – Sale of goods using Electronic Purses, Credit / Debit
  – Vending machines
  – Loyalty programs
  – Tags & smart labels
• E-commerce
  – sale of information
  – sale of products
  – sale of tickets, reservations
• E-banking
  – access to accounts
  – to do transactions
  – shares

What’s inside a smart card?
• CPU
• RAM
• Test logic
• ROM
• EEPROM
• Serial I/O interface
• Security logic
• Data bus: connection between elements of the chip, 8 or 16 bits wide

Advantages and Disadvantages of Smart Cards
• Advantages:
  1. Atomic, debt-free transactions
  2. Feasible for very small transactions (information commerce)
  3. (Potentially) anonymous
  4. Security of physical storage
  5. (Potentially) currency-neutral
• Disadvantages:
  1. Low maximum transaction limit (not suitable for B2B or most B2C)
  2. High infrastructure costs (not suitable for C2C)
  3. Single physical point of failure (the card)
  4. Not (yet) widely used

Open and Closed Loop Systems
• Closed loop systems
  – Banks and other financial institutions serve as brokers between card users and merchants; no other institution is involved
  – American Express and Discover are examples
• Open loop systems
  – Transaction is processed by third party
  – Visa and MasterCard are examples

Payment Acceptance and Processing
• Merchants must set up merchant accounts to accept payment cards
• Law prohibits charging payment card until merchandise is shipped
• Payment card transaction requires:
  – Merchant to authenticate payment card
  – Merchant must check with card issuer to ensure funds are available and to put hold on funds needed to make current charge
  – Settlement occurs in a few days when funds travel through banking system into merchant’s account

Setting Up Merchant Account
• Merchant bank
  – Also called acquiring bank
  – Does business with merchants that want to accept payment cards
  – Merchant receives account where they deposit card sales totals
  – Value of sales slips is credited to merchant’s account

Processing Payment Cards Online
• Can be done automatically by software packaged with electronic commerce software
• Can contract with third party to handle payment card processing
  – Can also pick, pack, and ship products to the customer
  – Allows merchant to focus on web presence and supply availability

Payment Processing Services
• Internetsecure
  – Provides secure credit card payment services
  – Supports payments with Visa and MasterCard
  – Provides risk management and fraud detection, and ensures all proper security for credit card transactions is maintained
  – Ensures all transactions are properly credited to merchant’s account
• Other services are: Tellan, IC Verify, Authorize.Net

Credit Cards
• Credit card
  – Used for the majority of Internet purchases
  – Has a preset spending limit
  – Currently most convenient method
  – Most expensive e-payment mechanism
    o MasterCard: $0.29 + 2% of transaction value
  – Disadvantages
    o Does not work for small amount (too expensive)
    o Does not work for large amount (too expensive)
• Charge card
  – No spending limit
  – Entire amount charged due at end of billing period

PPI - Payment Processing Inc.
• Outsource the installation of all payment modules without any expense to you and receive complimentary approved transaction software.
• Provide a complete suite of electronic payment solutions including payment cards (debit, credit, stored value), ACH and check guarantee services – customized for your merchant’s needs.
• Support your existing payment solution and work with you to integrate new customized payment solutions.
• PPI works with over 400 software partners to provide integrated transaction processing for face-to-face and remote merchants in industries as diverse as grocery, utilities, storage facilities, retail and healthcare among many others. You can use PPI to

Secure Electronic Transaction (SET) Protocol
• Jointly designed by MasterCard and Visa with backing of Microsoft, Netscape, IBM, GTE, SAIC, and others
• Designed to provide security for card payments as they travel on the Internet
  – In contrast to the Secure Sockets Layer (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission
• SET specification
  – Protects Internet credit card transactions
  – Open encryption & security specification
  – Uses public key cryptography and digital certificates for validating both consumers and merchants
  – Provides privacy, data integrity, user and merchant authentication, and consumer nonrepudiation

The SET protocol
The SET protocol coordinates the activities of the customer, merchant, merchant’s bank, and card issuer. [Source: Stein]

SET Payment Transactions
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment

SET-protected payments work like this:
• Consumer makes purchase by sending encrypted financial information along with digital certificate
• Merchant’s website transfers the information to a payment card processing center while a Certification Authority certifies digital certificate belongs to sender
• Payment card-processing center routes transaction to credit card issuer for approval
• Merchant receives approval and credit card is charged
• Merchant ships merchandise and adds transaction amount for deposit into merchant’s account

SET uses a hierarchy of trust
• All parties hold certificates signed directly or indirectly by a certifying authority

SET Protocol
• Extremely secure
  – Fraud reduced since all parties are authenticated
  – Requires all parties to have certificates
• 80 percent of SET activities are in Europe and Asian countries
• Not a payment system, rather a set of security protocols & formats
• Problems with SET
  – Not easy to implement
  – Not as inexpensive as expected
  – Expensive to integrate with legacy applications
  – Not tried and tested, and often not needed
  – Scalability is still in question

What is Secure Sockets Layer?
• Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.
• The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.
• SSL is built into all major browsers and web servers.
• Allows an SSL-enabled server to authenticate itself to an SSL-enabled client
• Allows the client to authenticate itself to the server
• Allows both machines to establish an encrypted connection
• An encrypted SSL connection provides:
  – Confidentiality. This protects against electronic eavesdroppers.
  – Integrity. This protects against hackers.

What is SSL? (cont’d)
• Both Netscape Navigator and Internet Explorer support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers.
• The primary goal of SSL is to provide privacy and reliability between two communicating applications.

What Does SSL Concern?
The exchange of messages facilitates the following actions:
• Authenticate the server to the client
• Allow the client and server to select a cipher that they both support
• Optionally authenticate the client to the server
• Use public-key encryption techniques to generate shared secrets
• Establish an encrypted SSL connection

Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
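
The dual-signature and transaction-ID checks in steps 5 and 6, as an added example that is not part of the original slides: the customer signs one digest covering both the order information (OI) and the payment instructions (PI), so the gateway can verify the PI while seeing only a digest of the order, and the merchant can verify the order while seeing only a digest of the PI. Assumptions: SHA-256 stands in for the SHA-1 that SET used, the RSA key is a toy unpadded key built from two public Mersenne primes, and the message field names are hypothetical.

```python
import hashlib
import json

# Toy textbook-RSA key from two publicly known Mersenne primes.
# Constructed for illustration only: no padding, and the factors are public.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(obj) -> bytes:
    """Hash a message in canonical JSON form."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()

def link(oi_digest: bytes, pi_digest: bytes) -> int:
    """Digest of the two concatenated digests: the value that gets signed."""
    return int.from_bytes(hashlib.sha256(pi_digest + oi_digest).digest(), "big")

def dual_sign(oi, pi) -> int:
    """Customer: one signature binding the order to the payment."""
    return pow(link(digest(oi), digest(pi)), D, N)

def merchant_verify(oi, pi_digest: bytes, sig: int) -> bool:
    """Merchant sees the OI in clear but only the digest of the PI."""
    return pow(sig, E, N) == link(digest(oi), pi_digest)

def gateway_verify(pi, oi_digest: bytes, sig: int, merchant_txn_id: str) -> bool:
    """Gateway sees the PI in clear but only the digest of the OI (step 5),
    then compares the merchant's transaction ID with the one in the PI (step 6)."""
    if pow(sig, E, N) != link(oi_digest, digest(pi)):
        return False
    return pi["txn_id"] == merchant_txn_id

# Constructed sample messages; the card number is a common test value.
OI = {"txn_id": "T-1001", "items": ["book"], "total": "25.00"}
PI = {"txn_id": "T-1001", "card": "4111111111111111", "amount": "25.00"}
SIG = dual_sign(OI, PI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, digest(PI), SIG))
    print("gateway accepts:", gateway_verify(PI, digest(OI), SIG, "T-1001"))
    altered = dict(OI, total="1.00")  # order changed after the customer signed
    print("altered order accepted:", gateway_verify(PI, digest(altered), SIG, "T-1001"))
```

Because the signature covers both digests, changing either the order or the payment instructions after signing makes verification fail at whichever party receives the altered half.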