electronic payment system


Upload: anuradha-gupta

Post on 06-May-2015


TRANSCRIPT

Page 1: Electronic payment system

Electronic payment system

Page 2: Electronic payment system

E-commerce Transactions In Several Steps

• The consumer places an order and transmits the payment card account number to the merchant.

• The merchant stores the order and the account holder information in a database for future reference.

Page 3: Electronic payment system

E-commerce Transactions In Several Steps

• The merchant transmits the amount of the purchase and the account holder information to a financial institution in order to obtain an authorization, indicating the reservation of funds that allows settling the transaction later.

• Finally, after the delivery of goods to the consumer, the merchant asks the financial institution to settle the transaction and credit the merchant account.

Page 4: Electronic payment system

The Hacker’s Ways

• The hacker can impersonate the merchant or make a bogus Web site. The consumer does not notice this and sends the order and credit information directly to the hacker.

• Another scenario exists where the hacker installs a key-logger on the device of the consumer, logging all information typed on the keyboard, including account holder information and the payment card number.

Page 5: Electronic payment system

The Hacker’s Ways

• The hacker observes the communication between the cardholder and the merchant. Transmitting credit card information on the network without encryption allows the hacker to read this information.

• The hacker can penetrate the merchant’s e-commerce environment and steal information in the database.

Page 6: Electronic payment system

Protecting Internet Communication

• Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. Purpose of encryption:
– To secure stored information
– To secure information transmission.

Page 7: Electronic payment system

Encryption

• The technique of modifying a known bit stream so that it appears to be random to an unauthorized observer. It often is done automatically before data is transmitted.

Page 8: Electronic payment system
Page 9: Electronic payment system

Cipher Text

• Text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver.

• Key (Cipher): Any method for transforming plain text into cipher text.

• Substitution Cipher: Every occurrence of a given letter is replaced systematically by another letter. For example, a "letter plus 2" substitution turns HELLO into JGNNQ.

Page 10: Electronic payment system

Characteristics of Digital Payment

• Acceptability: Robust, available and accessible to a wide range of consumers and sellers of goods and services

• Convertibility: The electronic currency should be interoperable and interchangeable with other forms of electronic cash, paper currency and deposits in bank accounts.

Page 11: Electronic payment system

Characteristics of Digital Payment

• Flexibility: The payment system should be in a position to accept several forms of payment rather than limiting the user to a single form of currency

• Reliability: The payment system should ensure and infuse confidence in users. The users should be completely shielded from systematic or one point failure

Page 12: Electronic payment system

Characteristics of Digital Payment

• Efficiency: Cost of overhead involved in operation of digital payments. The cost per transaction should be close to zero.

• Security: Digital currency should be stored in a form that is resistant to double spending, replication and tampering. It should offer protection from intruders trying to tap it and put it to unauthorized use when transmitting over internet.

Page 13: Electronic payment system

Characteristics of Digital Payment

• Usability: The user of the payment mechanism should be able to use it as easily as real currency. It should be well integrated with the existing applications and processes.

• Scalability: Should offer scalable solutions. Should range from micro payments to business payments.

Page 14: Electronic payment system

Transaction Characteristics

• Atomicity: Transaction should occur completely or it should not occur at all

• Transfer of Funds: There should not be any currency loss. Full transfer by debiting the payer and crediting the payee.

• Complete Transfer: A complete exchange of currency with corresponding digital goods should take place.

Page 15: Electronic payment system

Transaction Characteristics

• Consistency: All parties concerned must agree on the relevant facts of the transaction, i.e. the amount and reason of the transfer.

• Isolation: Transactions must be independent of each other.

• Durability: In case of system failure, it should recover to a state where transaction and status information is consistent.
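
The atomicity and transfer-of-funds properties listed above can be shown with a small ledger. This is an added example, not part of the original slides; the table layout, account names and amounts are constructed for illustration, and SQLite stands in for whatever store a payment system would use.

```python
import sqlite3

def open_ledger():
    """In-memory ledger with constructed sample balances (integer cents)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # no overdrafts
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("payer", 5000), ("payee", 1000)])
    db.commit()
    return db

def balances(db):
    """Current balance of every account, keyed by account name."""
    return dict(db.execute("SELECT name, balance FROM accounts ORDER BY name"))

def transfer(db, payer, payee, amount):
    """Debit payer and credit payee as one unit; True only if both happened."""
    if amount <= 0:
        return False
    try:
        with db:  # one transaction: commit on success, roll back on any error
            debit = db.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ?",
                (amount, payer))
            credit = db.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?",
                (amount, payee))
            if debit.rowcount != 1 or credit.rowcount != 1:
                raise LookupError("unknown account")  # undoes the debit too
        return True
    except (sqlite3.IntegrityError, LookupError):
        return False

if __name__ == "__main__":
    db = open_ledger()
    print(transfer(db, "payer", "payee", 2000), balances(db))
    print(transfer(db, "payer", "payee", 9000), balances(db))   # overdraft
    print(transfer(db, "payer", "nobody", 100), balances(db))   # bad payee
```

A failed transfer leaves both balances exactly as they were, so no currency is lost and the total across accounts never changes.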

Page 16: Electronic payment system

Types of Payment System

• Cash: Legal tender defined by national authority
– Instantly convertible
– No intermediation of any institution
– Popularity because portable
– Requires no authentication
– Instant purchasing power
– Anonymous and difficult to trace
– Limited to smaller transactions

Page 17: Electronic payment system

Float

• The period of time between a purchase and actual payment for the purchase

• Cash does not provide any float.

• Cash purchases are final and irreversible unless otherwise agreed by the seller

Page 18: Electronic payment system

Cheque Transfer

• Funds transferred directly via bank draft or cheque from consumer’s account

• Used for both small and large transactions, not used for micro payments

• Provides some float (can take up to 10 days); unspent amount can earn interest

• Can be forged more easily than cash

• They can be cancelled before encashment

• May bounce if inadequate money in account

Page 19: Electronic payment system

Credit Cards

• Represents an account that extends credit to consumers

• Permits consumers to purchase items while deferring payment

• Allows consumers to make payments to multiple vendors at one time.

Page 20: Electronic payment system

Credit Card Associations

• VISA and MasterCard are non-profit associations

• Set standards for issuing banks, which actually issue the cards and process transactions

• Third parties, processing centres and clearinghouses, usually handle verification of accounts and balances

• Offers considerable float

Page 21: Electronic payment system

Stored Value Payment System

• Accounts credited by depositing funds into an account and from which funds are paid out or withdrawn as needed

Page 22: Electronic payment system

Debit Cards

• Immediately debit a checking or demand-deposit account.

• Eliminates writing of a cheque.

• Dependent on funds being available in the consumer’s bank account

• Do not provide any float

Page 23: Electronic payment system

Accumulating Balance

• Accounts that accumulate expenditures and to which consumers make periodic payments.

• Traditional examples include electricity and phone bills, which get accumulated for a specific period and then paid in full

Page 24: Electronic payment system

Consumer's Preference of Payment System

• Low risk

• Low cost

• Convenient

• Reliable payment mechanism

• Will not use a new mechanism unless it is more beneficial than the existing system

Page 25: Electronic payment system

Merchant

• Low risk

• Low cost

• Secure

• Reliable payment mechanism

• Cash, debit cards, Demand drafts

Page 26: Electronic payment system

Current Online Payment Systems

[Diagram: flow between Consumer, Merchant, Clearing house, Card Issuing Bank and Merchant Bank, with these labels]

• Consumer purchases

• Monthly statement

• Merchant software contacts clearinghouse

• CH verifies account and balance from issuing bank

• Issuing bank credits merchant account

• SSL provides secure connection

Page 27: Electronic payment system

SET Protocol

• (Secure Electronic Transaction protocol)

• An open standard for the E-Commerce industry developed and offered by VISA and MasterCard as a way to facilitate and encourage improved security for credit card transactions

• SET uses a digital certificate to verify a sender’s identity, as one way of improving security.

Page 28: Electronic payment system

How SET Transactions Work

[Diagram: flow between Consumer, Merchant, Clearing house, Card Issuing Bank and Merchant Bank, with these labels]

• Consumer makes purchases, selects payment with SET

• Monthly statement

• Merchant software forwards encrypted messages

• CH verifies account and balance from issuing bank

• Issuing bank credits merchant account

• Merchant and consumer computers verify each other's identity

Page 29: Electronic payment system

Digital Wallets

• Authenticates the consumer through the use of digital certificates or other encryption methods, stores and transfers value, and secures the payment process from the consumer to the merchant

• A wallet in your pocket contains your ID, cash, phone cards, credit/debit cards, old receipts and photos of those close to you etc.

Page 30: Electronic payment system

Promised Functionality of Digital Wallets

• Authentication: Confirms identity via digital certificates

• Payments: Pay bills via alliances with credit card associations and banks

• Privacy: Helps customers control their environments, PIN, Card No

• Bills Presentment: Present and pay bills at a single location

Page 31: Electronic payment system

Client Based Digital Wallets

• Software applications that consumers install on their computers, and that offer consumers convenience by automatically filling out forms at online stores.

• Merchants install software on their servers to receive information from client based wallets

Page 32: Electronic payment system

Server Based Digital Wallets

• Software based authentication and payment services and products sold to financial institutions that market the system to merchants either directly or as a part of their financial service package

• The fastest growing server based digital wallet system is Microsoft Passport, which offers consumers a Single Sign-In service (SSI)

• A user obtains a passport by opening an e-mail account at msn.com or hotmail.com

Page 33: Electronic payment system

Passport

• A registered user clicks the passport logo at a participating site; the site displays a passport sign-in page where the user enters his login name and password.

• The sign-in page redirects the user to the MS Passport server for authentication.

• Passport authenticates the user and writes a cookie to the user's browser containing encrypted authentication and passport profile information

Page 34: Electronic payment system

Passport Manager

• Passport manager at the participating site decrypts the information

• Passport manager then caches the user authentication and profile information on the user’s browser and silently revies them as user moves from page to page at the site.

Page 35: Electronic payment system

Digital Cash (e-cash)

• Digital forms of value storage and value exchange that have limited convertibility into other forms of value and require an intermediary to convert

• To use DigiCash, a consumer first establishes an account at a bank that is using the DigiCash system.

• The consumer loads digital wallet software onto his machine.

• Then the consumer requests transfer of digital cash to his wallet

Page 36: Electronic payment system

Digital Cash (e-cash)

• Consumer then could spend the cash at the site of a merchant who is willing to accept it

• The software would deduct the cash from the wallet and transfer it to merchant.

• Merchant then transfers the cash back to bank.

• Bank would cancel the e-coin and credit the amount to merchant

Page 37: Electronic payment system

Online Stored Value System

• Permits consumers to make instant, online payments to merchants and other individuals based on value stored in an online account

• It relies on the value stored in a consumer's bank, checking or credit card account

• ECOUNT.COM runs a stored value system

Page 38: Electronic payment system

ECOUNT.COM

1. Establish account funded by credit or debit card with ecount.

2. Verify account and balances. Account information is transferred via web using SSL

3. Consumer can shop anywhere on the web where MasterCard is accepted. Ecount is treated as if it were MasterCard.

4. Ecount transfers funds to merchant or individuals

5. Monthly statements issued to individuals showing debit to ecount

Page 39: Electronic payment system

Smart Card

• A credit or debit card containing a computer chip with memory and interactive capabilities used to identify and store additional data about the cardholder, cardholder account, or both. Also called an integrated circuit card or a chip card.

• It can hold 100 times more data than a credit card including multiple credit card numbers and information regarding health, insurance, personal identification, bank accounts etc.

• Security: If the card is lost or stolen, the holder loses the real money. However, you can lock it with a PIN

Page 40: Electronic payment system

Limitations of Online Credit Card Payment Systems

• Security

• Merchant risk

• Cost

• Social equity

Page 41: Electronic payment system

Public Key Cryptography

• Two mathematically related digital keys are used:
– Public key: is widely disseminated
– Private key: is kept secret by the owner

• Both keys can be used to encrypt and decrypt the message. However, once a key is used to encrypt the message, the same key cannot be used to decrypt it.

• The mathematical algorithms used to produce the keys are one-way functions

• Keys are sufficiently long: 128-, 256- and 512-bit keys

Page 42: Electronic payment system

The Digital Signature technology involves:

• Private key: A unique combination known only to the signer. It is used to encrypt the message.

• Public key: A code sent to the receiver separately to enable decryption of the message digest. It is also available on the web site of the Certification Authority.

Page 43: Electronic payment system

Hash Function

• It can be complex to produce a 128-bit number that reflects the number of 1’s and 0’s in the message

• The result of applying the hash function is sent by the sender to the recipient

• The recipient applies the same hash function to verify that the same result is produced.

Page 44: Electronic payment system

Digital Signature

• To ensure authenticity of message

• Sender encrypts the entire block of cipher text one more time using the sender’s private key. This produces a Digital Signature, also termed an e-signature

• A digital signature is a close parallel to handwritten signatures

Page 45: Electronic payment system

Digital Certificate

• A digital document issued by the certification authority contains:
– The name of the subject or company
– The subject’s public key
– A digital certificate serial number
– An expiration date
– An issuance date
– The digital signatures of the certification authority
– And other identifying information.