Electronic Payment, Chapter 2, CIM3561 Internet Security for e-Commerce

Upload: leo-jefferson

Post on 25-Dec-2015

TRANSCRIPT

Page 1: 1 Electronic Payment Chapter 2 CIM3561 Internet Security for e-Commerce

Electronic Payment

Chapter 2

CIM3561 Internet Security for e-Commerce

Page 2

Payment systems

Barter
Precious metal
Government promises to pay
Financial institutions promise to pay
• Credit card
• Debit card

Page 3

Electronic Payment

Pay with bits rather than atoms
Pay without being physically there

Page 4

Payment System in the Internet

Page 5

What is used in the digital world

Cash, for small and anonymous payments
Cheques, credit cards
Money transfer orders
Payment-like systems: vouchers, coupons
The same as in the paper world

Page 6

Fundamentals of payment systems

Trust
• The buyer trusts the seller to actually deliver the goods
• The seller trusts that the buyer's payment will be realized
Security
• The transaction is done in a safe way and the payment is not stolen in transit

Page 7

Secure payment on the internet

Requirements
• Authenticated
• Resistant to forging
• Confidential

Page 8

Secure payment data capture

The merchant securely captures payment information from the customer through the internet, usually with SSL
The payment is then processed further through a non-internet payment method

Page 9

Payment integrity

Nothing happens without authorization
Nothing happens without generating sufficient evidence
Procedures exist to handle disputes

Page 10

Payment privacy

Payment confidentiality
• Payment details must not be known to outsiders
Payment anonymity
• Payer anonymity
• Payer unlinkability
• Payer untraceability

Page 11

Payment systems

Page 12

SSL: Secure Sockets Layer

Developed by Netscape to secure HTTP sessions
Provides
• Data encryption
• Server authentication
• Message integrity
• Optional client authentication
NOT a payment system in itself

Page 13

SSL: Secure Sockets Layer

The server is authenticated by means of a digital certificate
Public key technology is used to exchange a symmetric session key between server and client, used only for that session
After the buyer sends information through the secure channel, the merchant processes the transaction in the usual manner

Page 14

Disadvantages of using SSL

Does not authenticate the cardholder
The merchant pays for the fraud if the credit card is reported stolen
Provides no means to counter client repudiation
The credit card number is passed to the merchant

Page 15

Example of using SSL: Verisign, "Customer Confidence in the Green Address Bar"

Extended Validation SSL (128 bits) tries to give Web site visitors an easy and reliable way to extend their trust online. In Microsoft Internet Explorer 7, the address bar turns green and displays the name of the Extended Validation certificate owner. The security status bar shows that the transaction is encrypted and that the organization has been authenticated according to a rigorous industry standard.

Page 16

Payment authorization

The customer makes a purchase on the merchant's website, proceeds to checkout and inputs credit card information
The merchant's website receives the customer's information and sends the transaction information to the payment gateway
The payment gateway routes the information to the processor

Page 17

The Internet payment processing system

Acquiring bank
Credit card association
Customer's issuing bank
Internet merchant account
Payment gateway
Processor

Page 18

Payment authorization

The processor sends the information to the merchant's acquiring bank
The acquiring bank sends the transaction information to the cardholder's issuing bank
The issuing bank sends the transaction result (authorization or decline) to the acquiring bank
The acquiring bank sends the transaction result to the processor

Page 19

Payment authorization

The processor routes the result to the payment gateway
The payment gateway passes the result to the merchant
The merchant accepts and ships the goods, or rejects the transaction

Page 20

Payment settlement

The merchant requests the payment gateway to settle a payment
The payment gateway sends all transactions to be settled to the processor
The processor sends the settlement payment details to the customer's credit card issuing bank and to the merchant's acquiring bank

Page 21

Payment settlement

The issuing bank includes the merchant's charge on the customer's credit card statement, while the acquiring bank credits the merchant's account
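The authorization and settlement steps on the preceding slides, as an added example that is not part of the lecture: a toy model in which the merchant, payment gateway, processor, acquiring bank and issuing bank are plain Python classes, the amounts are in cents, and the single card account, credit line and test card number are constructed. It shows the point the slides leave implicit: an authorization only reserves funds at the issuer, and nothing is charged to the customer or credited to the merchant until the settlement batch runs.

```python
"""Toy model of card authorization and settlement: customer -> merchant ->
payment gateway -> processor -> acquiring bank -> issuing bank, the result
back along the same path, then a settlement batch. Added example, not the
lecture's own code; classes, amounts and the card account are constructed."""
import itertools


class IssuingBank:
    """Holds the cardholder's credit line; it alone authorizes or declines."""

    def __init__(self, pan: str, credit_limit: int):
        self.pan, self.credit_limit = pan, credit_limit
        self.holds = {}        # auth code -> amount reserved by an authorization
        self.statement = []    # (merchant, amount) posted at settlement
        self._codes = itertools.count(1000)

    def available(self) -> int:
        posted = sum(amount for _, amount in self.statement)
        return self.credit_limit - sum(self.holds.values()) - posted

    def authorize(self, pan: str, amount: int):
        # Authorization only reserves funds; nothing is charged yet.
        if pan != self.pan or amount <= 0 or amount > self.available():
            return None                                   # decline
        code = f"A{next(self._codes)}"
        self.holds[code] = amount
        return code                                       # authorization code

    def settle(self, merchant: str, code: str) -> int:
        amount = self.holds.pop(code)                     # hold becomes a charge
        self.statement.append((merchant, amount))         # appears on statement
        return amount


class AcquiringBank:
    """The merchant's bank: forwards authorizations, credits the merchant."""

    def __init__(self, issuer: IssuingBank):
        self.issuer, self.merchant_balance = issuer, 0

    def request_authorization(self, pan: str, amount: int):
        return self.issuer.authorize(pan, amount)         # via the card association

    def credit_merchant(self, amount: int) -> None:
        self.merchant_balance += amount


class Processor:
    def __init__(self, acquirer: AcquiringBank):
        self.acquirer = acquirer

    def authorize(self, pan: str, amount: int):
        return self.acquirer.request_authorization(pan, amount)

    def settle(self, merchant: str, codes) -> int:
        # Settlement details go to the issuer (charge) and the acquirer (credit).
        total = sum(self.acquirer.issuer.settle(merchant, c) for c in codes)
        self.acquirer.credit_merchant(total)
        return total


class PaymentGateway:
    def __init__(self, processor: Processor):
        self.processor = processor

    def authorize(self, pan: str, amount: int):
        return self.processor.authorize(pan, amount)

    def settle(self, merchant: str, codes) -> int:
        return self.processor.settle(merchant, codes)


class Merchant:
    def __init__(self, name: str, gateway: PaymentGateway):
        self.name, self.gateway = name, gateway
        self.pending = []      # authorized and shipped, not yet settled

    def checkout(self, pan: str, amount: int):
        # With SSL-only capture the merchant sees the full card number here.
        code = self.gateway.authorize(pan, amount)
        if code is not None:
            self.pending.append(code)                     # accept and ship goods
        return code                                       # None: reject the order

    def settle_batch(self) -> int:
        codes, self.pending = self.pending, []
        return self.gateway.settle(self.name, codes)


def run_scenario() -> dict:
    pan = "4111111111111111"                              # constructed test PAN
    issuer = IssuingBank(pan, credit_limit=50_000)        # $500.00 credit line
    acquirer = AcquiringBank(issuer)
    merchant = Merchant("shop", PaymentGateway(Processor(acquirer)))
    first = merchant.checkout(pan, 30_000)     # authorized: $300.00 hold placed
    second = merchant.checkout(pan, 30_000)    # declined: only $200.00 available
    settled = merchant.settle_batch()          # charge posted, merchant credited
    return {"first_auth": first, "second_auth": second, "settled": settled,
            "merchant_balance": acquirer.merchant_balance,
            "statement": issuer.statement, "available_after": issuer.available()}


if __name__ == "__main__":
    print(run_scenario())
```

The second checkout is declined by the issuer, not by the merchant: every hop before the issuer only forwards the request, which is why the slides place the fraud loss on the merchant when SSL alone is used and the card turns out to be stolen.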

Page 22

SET: Secure Electronic Transaction

Legal entity formed by MasterCard, Visa, American Express and JCB in 12/97
A protocol designed for electronic payment with credit cards
Key idea
• The merchant does not need to know the payment details
• The bank does not need to know the order details

Page 23

SET: Secure Electronic Transaction

Extensions
• SET debit card
• SET with smartcards
Status
• Needs a special client-side program
• Seems to be dead


Page 25

SET: Secure Electronic Transaction

Page 26

SET

Strengths
• Accepted and well known method
• Agreed standard
• Signature based
• Exploits existing banking infrastructure
Weaknesses
• Online service: the gateway is a potential bottleneck
• Too large for current smart cards
• Costly: expensive crypto, too many messages

Page 27

Disadvantages of the traditional credit card

Security is tied to a single number which is given out repeatedly
No privacy

Page 28

PayPal

Company history
• Originally intended for money transfer by PDA
• Bought by eBay
So what is it?
• Primarily a credit card payment processor, without requiring the complexity of setting up a merchant account
• Not considered a bank
• Charges slightly higher than credit card companies

Page 29

Digital cash

Electronic money that mimics the coins and notes used for small payments on the internet, without the overhead required for authorization and fund capture
Untraceable as to the payer

Page 30

Digital cash examples

DigiCash: uses a blind signature scheme to protect the anonymity of the buyer
NetBill: money is held and paid by a NetBill server
MiniPay: the buyer has a limited daily spending limit and transactions do not need to go through the server
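Two of the signature constructions named on the slides, as one added example that is not the lecture's own code: the SET dual signature (the "key idea" on page 22, where the merchant never sees the payment details and the bank never sees the order details) and the RSA blind signature behind DigiCash (page 30, where the bank signs a coin without learning its serial number). Both are built on the same textbook RSA over fixed Mersenne primes so the file runs offline with the standard library only; that RSA is unpadded and the primes are public, so it is an illustration of the constructions and not secure for real use. The order, payment and coin strings are constructed inputs.

```python
"""SET dual signature and Chaum-style RSA blind signature over a toy RSA.
Added example, not the lecture's code. The RSA is textbook (no padding) with
fixed, publicly known Mersenne primes: illustration only, not secure."""
import hashlib
import secrets
from math import gcd

P = (1 << 127) - 1           # M127 and M521 are prime; n is about 648 bits, so
Q = (1 << 521) - 1           # a 256-bit digest fits in one textbook RSA block
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(msg: bytes) -> int:
    return pow(int.from_bytes(h(msg), "big"), D, N)


def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(h(msg), "big")


# --- SET dual signature -------------------------------------------------------

def dual_sign(order: bytes, payment: bytes):
    """Customer: DS = Sign(H(H(OI) || H(PI))). The merchant receives OI and
    only H(PI); the bank receives PI and only H(OI); both receive the same DS."""
    ds = sign(h(order) + h(payment))
    merchant_view = (order, h(payment), ds)
    bank_view = (h(order), payment, ds)
    return merchant_view, bank_view


def merchant_verify(order: bytes, payment_digest: bytes, ds: int) -> bool:
    # Rehash the order it can see, reuse the payment digest it was given.
    return verify(h(order) + payment_digest, ds)


def bank_verify(order_digest: bytes, payment: bytes, ds: int) -> bool:
    # Rehash the payment details it can see, reuse the order digest.
    return verify(order_digest + h(payment), ds)


# --- Chaum-style RSA blind signature (DigiCash) ------------------------------

def blind(coin: bytes):
    """Payer: choose a random r coprime to n and give the bank m * r^e mod n,
    which reveals nothing about m (the hash of the coin's serial number)."""
    m = int.from_bytes(h(coin), "big")
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def bank_blind_sign(blinded: int) -> int:
    """Bank: signs the blinded value (and would debit the payer's account)."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Payer: (m^d * r) * r^-1 = m^d, a valid bank signature on the coin."""
    return (blind_sig * pow(r, -1, N)) % N


if __name__ == "__main__":
    mv, bv = dual_sign(b"order: 2 books to Alice", b"card ending 1111, 20.00")
    print(merchant_verify(*mv), bank_verify(*bv))
    coin = b"coin serial " + secrets.token_hex(8).encode()
    blinded, r = blind(coin)
    sig = unblind(bank_blind_sign(blinded), r)
    print(verify(coin, sig))
```

In the dual signature the two verifiers check the same signature from opposite sides: the merchant can detect a changed order but learns nothing about the card, and the bank can detect a changed payment but learns nothing about the goods. In the blind signature the bank sees only the blinded value, so when the coin is later spent it cannot link the serial number back to the withdrawal, which is the payer untraceability the slides ask for.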

Page 31

IBM MiniPay

Page 32

Smart card / RFID

The cash balance is maintained in the card and the transaction is done with a special card reader
Usually makes use of public keys for authentication

Page 33

Digital wallet

A digital wallet functions much like a physical wallet. The digital wallet was first conceived as a method of storing various forms of electronic money (e-cash), but with the limited popularity of such e-cash services, the digital wallet has evolved into a service that provides internet users with a convenient way to store and use online shopping information.

Page 34

Secure EDI transactions

An interchange consists of a number of functional groups
Each group comprises a number of transaction sets, each representing a business form
Security segments can be inserted into the functional groups and transaction sets as key identifiers, integrity check values, digital signatures and time stamps
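The nesting on this slide, as an added example that is not part of the lecture: a toy interchange of functional groups and transaction sets, with a security segment (key identifier, time stamp and integrity check value) attached at both levels. The key table, the JSON-based layout, the HMAC-SHA256 integrity check value and the sample purchase order and invoice are all constructed for illustration and do not follow the X12 security segment syntax.

```python
"""Toy EDI interchange with security segments at group and set level.
Added example, not the lecture's code; the key table, layout, HMAC-based
integrity check value and sample forms are constructed for illustration."""
import copy
import hashlib
import hmac
import json

# Constructed trading-partner keys, selected by the key identifier segment.
KEYS = {"KEY-2015-A": b"constructed shared secret between trading partners"}


def canonical(payload) -> str:
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def integrity_check_value(key_id: str, timestamp: str, payload: str) -> str:
    """ICV = HMAC-SHA256 over key id, time stamp and canonical payload, so a
    receiver holding the same key detects a change to any of the three."""
    data = f"{key_id}|{timestamp}|{payload}".encode()
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()


def secure(payload, key_id: str, timestamp: str) -> dict:
    """Wrap a transaction set or functional group with its security segment."""
    icv = integrity_check_value(key_id, timestamp, canonical(payload))
    return {"payload": payload,
            "security": {"key_id": key_id, "timestamp": timestamp, "icv": icv}}


def check(secured: dict) -> bool:
    sec = secured["security"]
    if sec["key_id"] not in KEYS:
        return False                      # unknown key identifier: reject
    expected = integrity_check_value(sec["key_id"], sec["timestamp"],
                                     canonical(secured["payload"]))
    return hmac.compare_digest(expected, sec["icv"])


def build_interchange() -> dict:
    ts = "2015-12-25T10:00:00Z"
    po = {"set": "850", "po_number": "PO-1001", "total": "250.00"}      # purchase order
    invoice = {"set": "810", "invoice": "INV-77", "total": "250.00"}    # invoice
    group = {"group": "PO",
             "transaction_sets": [secure(po, "KEY-2015-A", ts),
                                  secure(invoice, "KEY-2015-A", ts)]}
    # The group-level ICV covers the secured sets, ICVs included.
    return {"interchange": "ISA-0001",
            "functional_groups": [secure(group, "KEY-2015-A", ts)]}


def verify_interchange(interchange: dict) -> dict:
    """Check every group-level and set-level ICV and report each result."""
    result = {"groups": [], "sets": []}
    for g in interchange["functional_groups"]:
        result["groups"].append((g["payload"]["group"], check(g)))
        for s in g["payload"]["transaction_sets"]:
            result["sets"].append((s["payload"]["set"], check(s)))
    return result


def tamper(interchange: dict) -> dict:
    """Simulate an in-transit change to the purchase order total."""
    bad = copy.deepcopy(interchange)
    po = bad["functional_groups"][0]["payload"]["transaction_sets"][0]
    po["payload"]["total"] = "2500.00"
    return bad


if __name__ == "__main__":
    ichg = build_interchange()
    print(verify_interchange(ichg))
    print(verify_interchange(tamper(ichg)))
```

Because the group-level value is computed over the already-secured transaction sets, a change to one form fails both that set's check and the enclosing group's check, while the untouched invoice still verifies; a receiver can therefore tell which form was altered and reject the whole group. A digital signature segment would replace the shared key with the sender's private key and give non-repudiation, which a keyed hash cannot.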