Payment and Cash Standards Content 1. Credit-Card Transactions 2. Digital Currency, E-Wallets, Smart Cards 3. Secure Electronic Transactions (SET) 4. Online Banking

Upload: aubrie-burns

Post on 24-Dec-2015


Payment and Cash Standards

Content

1. Credit-Card Transactions
2. Digital Currency, E-Wallets, Smart Cards
3. Secure Electronic Transactions (SET)
4. Online Banking


Introduction

• The electronic transfer of funds is key to conducting e-business successfully
• Discussion includes:
  – How individuals and organizations perform monetary transactions on the Internet
  – Payments by credit card, cash, and check; payments to businesses; peer-to-peer payments; banking and bill paying
  – Companies that are developing online payment technology
  – Products, software, and services that these companies produce


Introduction (cont.)

• Secure e-transactions crucial to e-commerce
  – Internet and wireless monetary transactions
    • Credit-card transactions
    • Digital cash
    • Electronic wallets
    • Smart cards
    • Micropayments
  – Payment transaction organizations and standards


Online Transaction Standards

• Standards: guidelines for technologies, formats or processes
  – Approved by standards committee
  – Or widely adopted by an industry without formal process
• Online transaction standards
  – Security protocols to ensure safe transactions
    • SSL, which uses public-key cryptography
  – Open Financial Exchange organization
    • Internet standard for exchanging financial information


Credit-Card Transactions

• Customers fear credit-card fraud
  – Credit cards have been developed to accommodate online and offline payments
    • The Prodigy Internet Mastercard guarantees online fraud protection
• To accept credit-card payments, a merchant must have a merchant account with a bank
  – Specialized Internet merchant accounts have been established to handle online credit-card transactions
    • Transactions are processed by banks or third-party services
• Traditional merchant accounts accept only POS (point-of-sale) transactions
  – Those that occur when you present your credit card at a store


Credit-Card Transactions (cont.)

• Companies enable merchants to accept credit-card payments online.
  – These companies have established business relationships with financial institutions that will accept online credit-card payments for merchant clients.
  – CyberCash and iCat


Anatomy of an Online Credit-Card Transaction

• Merchant account with bank
  – Traditionally only accept point-of-sale transactions: presence of credit card at store
  – Internet merchant accounts accept card-not-present transactions: information exchange without card presence
• An online credit-card transaction
  – Buyer submits credit-card, shipping and billing information
  – Merchant submits information to acquiring bank (merchant’s bank)
  – Buyer’s account verified by issuing bank (buyer’s bank)
  – Merchant receives verification
  – Product shipped and payment issued


Anatomy of an Online Credit-Card Transaction (cont.)

[Figure: Basic steps in an online credit-card transaction (steps numbered 1 to 5). Parties: Merchant, Acquiring Bank, Issuing Bank, Credit Card Association. Labels: "Credit Card Information", "Information Verified", "Makes purchase at online store. Credit card information is received by the e-store."]


Credit Card Procedure

[Figure: Credit Card Procedure. Parties: Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account), Acquirer Bank (Merchant Account). Flow labels: credit card; payment authorization, payment data; account debit data; payment data; amount transfer.]


Digital Currency (eCash)

• Digital cash
  – Stored electronically, used to make online electronic payments
  – Digital cash accounts are similar to traditional bank accounts
  – Digital cash used with other payment technologies (digital wallets)
  – Alleviates some security fears about online credit-card transactions
  – Digital cash allows those with no credit cards to shop online
  – Merchants accepting digital-cash payments avoid credit-card transaction fees
  – eCash Technologies, Inc. is a secure digital-cash provider that allows you to withdraw funds from your traditional bank account


Digital Currency (cont.)

• Gift cash, often sold as points, can be redeemed at leading shopping sites
  – An effective way of giving those without credit cards the ability to make purchases on the Web
• Points-based rewards
  – Points are acquired for completing specified tasks including visiting Web sites, registering or buying products
  – Points can then be redeemed


eCash Idea

• Electronic cash is token money in the form of bits, except unlike token money it can be copied.

• Bank issues character strings containing:
  – denomination
  – serial number
  – bank ID + encryption of the above

• First person to return string to bank gets the money


eCash Flow

• Withdrawal:
  – Alice buys digital coins from a bank
  – Alice sends unsigned blinded coins to the bank
  – Bank signs coins, sends them back. Alice unblinds them
• Spending:
  – Alice pays Bob
  – Bob verifies coins not spent
  – Bob deposits
• Personal transfer:
  – Alice transfers coins to Cindy
  – Cindy verifies coins not spent
  – Cindy gets coins back
• Wallet software
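The withdrawal, spending and deposit steps of the eCash Idea and eCash Flow slides above, as an added Python example that is not part of the original slides or of eCash Technologies' software. It assumes RSA blind signatures in textbook form (no padding), a constructed toy key, a constructed coin string, and hypothetical names such as `Bank` and `coin_digest`.

```python
import hashlib
import math
import secrets

# Constructed toy bank key built from two Mersenne primes (far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent

def coin_digest(coin: bytes) -> int:
    return int.from_bytes(hashlib.sha256(coin).digest(), "big") % N

def blind(coin: bytes):
    """Alice: hide the coin from the bank with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (coin_digest(coin) * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: sign at withdrawal without seeing the serial number."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Alice: strip r to obtain an ordinary signature on the coin."""
    return (blind_sig * pow(r, -1, N)) % N

class Bank:
    """Deposit side: first valid presentation of a coin gets the money."""
    def __init__(self):
        self.spent = set()   # coins already redeemed

    def deposit(self, coin: bytes, sig: int) -> str:
        if pow(sig, E, N) != coin_digest(coin):
            return "rejected: bad signature"
        if coin in self.spent:
            return "rejected: already spent"
        self.spent.add(coin)
        return "accepted"

def demo():
    # Constructed coin: bank ID, denomination and a random serial number.
    serial = secrets.token_hex(16)
    coin = f"bank=EXAMPLE-BANK;denomination=5;serial={serial}".encode()
    blinded, r = blind(coin)
    sig = unblind(bank_sign(blinded), r)
    bank = Bank()
    altered = coin.replace(b"=5;", b"=500;")   # copy with a changed denomination
    return [bank.deposit(coin, sig), bank.deposit(coin, sig),
            bank.deposit(altered, sig)]
```

Because the bank cannot read a blinded coin, it cannot check the denomination it is signing; deployed blind-signature schemes handle this with a separate signing key per denomination.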


E-Wallets

• Electronic wallets:
  – Keep track of billing and shipping information
  – Hold e-checks, e-cash and credit-card information for multiple cards
  – Visa, MBNA and Entrypoint.com offer e-wallets
• Standardization
  – Some vendors accept only specific e-wallets
  – 1999, Electronic Commerce Modeling Language (ECML)
    • Standardized payment presentation
    • Many vendors adopted it


Smart Cards

• Smart card processors hold more information than credit card magnetic strips
  – Store credit-card numbers, contact information, etc.
  – Contact smart cards
    • Placed in smart-card reader for information transfer
  – Contactless smart cards
    • Antenna enables information transfer
    • Faster than contact smart card
• Security
  – Password protection
  – Security designations assigned to information
  – Encryption


Smart Cards (cont.)

• Visa Cash smart card
  – Disposable and reloadable cards
  – Internet purchases, expressway tolls and parking fees
• Smart Card Industry Association (SCIA) www.scia.org


Smart Card Example -- Mondex

• Smart-card-based, stored-value card (SVC)
• Subsidiary of MasterCard
• NatWest (National Westminster Bank, UK) et al.
• Secret chip-to-chip transfer protocol
• Value is not in strings alone; must be on Mondex card
• Loaded through ATM
  – ATM does not know transfer protocol; connects with secure device at bank
• Spending at merchants having a Mondex value transfer terminal


Other Examples

• Octopus
  – MTR, KCR, KMB, First Bus, Ferry, Minibus
  – PolyU Canteen
  – 7-11
  – Softdrink Vending Machine
• HK Identity Card (in near future)
  – Library Card
  – Driving Licence
  – Other Personal Information, e.g., Health Record


Micropayments

• Merchants pay fee for each credit-card transaction
• Micropayments
  – Payments that generally do not exceed $10, allowing companies offering nominally priced products to profit
• To offer micropayments, some companies form strategic partnerships with utility companies
  – eCharge enables companies to offer this option to customers
    • eCharge uses ANI (Automatic Number Identification) to verify the identity of the customer and the purchases they make


Alternative Payment Options

• Outside US, many opt for prepaid cards instead of cash or credit cards
  – Wireless-payment cards enable transactions with POS devices
  – Convenience and grocery stores can add monetary value to some pre-paid accounts
  – Examples include CashX (www.cashx.com) and Vodago


Alternative Payment Options (cont.)

• Non-electronic payment methods
  – Cash-on-delivery (COD): payment upon item’s delivery
  – Debit cards: deduct directly from checking account
  – Automatic Teller Machine (ATM): withdraw cash
• Online payments without credit cards
  – AmeriNet (www.debit-it.com): allows checking account number as form of payment
  – Online currency: Cybergold (www.cybergold.com) and RocketCash (www.RocketCash.com)


Secure Electronic Transactions (SET)

• SET is an open technical standard for the commerce industry developed by Visa and MasterCard as a way to facilitate secure payment card transactions over the Internet.
• Digital Certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity, a process unparalleled by other Internet security solutions.
• Introduced jointly by VISA, Mastercard, IBM, Microsoft, Netscape, RSA, SAIC, Terisa and Verisign in 1997.


Secure Electronic Transactions (cont.)

• Merchant doesn’t see card no.

• Uses Internet to reach acquirer

• High credit card transaction cost

[Figure: Consumer, Internet, Credit Card Acquirer and Credit Card Issuer, with a secure "tunnel" through the Internet; Issuer bills Consumer.]


Secure Electronic Transactions (cont.)

• Requires both consumer and merchant to have digital certificates
• Merchant never sees any payment information -- it is passed to the acquirer
• Bank never sees any order information, only payment information


SET Overview

• Customer gets a credit card from an issuing bank
• Customer obtains a digital certificate (online)
• Merchant gets certificate from acquiring bank with merchant's public key and the bank's public key
• Customer places an order over the Web (now we need a payment protocol). SET is invoked
• Customer's browser confirms from the merchant's certificate that the merchant is valid
• Browser sends:
  – order information encrypted with the merchant's public key
  – payment information encrypted with the bank's public key
  – information to prevent the payment from being used with another order.


SET Overview (cont.)

• Merchant verifies customer’s certificate
• Merchant sends a payment message to acquiring bank, encrypted with bank’s public key, containing:
  – customer's payment information (which merchant can’t read)
  – merchant's certificate
• Bank verifies the merchant and the message using merchant’s digital signature on its certificate and verifies the payment info
• Bank sends authorization to the merchant (with bank’s digital signature). Merchant can now fill the order.
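The "information to prevent the payment from being used with another order" in the overview above is what SET's dual signature provides. This added Python example (not from the original slides or the SET specification) shows that binding alone: it assumes SHA-256 and textbook RSA with a constructed toy cardholder key, leaves out the encryption of each part, and uses hypothetical function names and constructed sample data.

```python
import hashlib

# Constructed toy cardholder key (Mersenne primes; textbook RSA, no padding).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _to_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big") % N

def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Cardholder: sign H(H(PI) || H(OI)), tying the payment to this order."""
    return pow(_to_int(h(h(payment_info) + h(order_info))), D, N)

def merchant_verify(order_info: bytes, pi_digest: bytes, sig: int) -> bool:
    """Merchant holds the order and only a digest of the payment data."""
    return pow(sig, E, N) == _to_int(h(pi_digest + h(order_info)))

def acquirer_verify(payment_info: bytes, oi_digest: bytes, sig: int) -> bool:
    """Acquirer holds the payment data and only a digest of the order."""
    return pow(sig, E, N) == _to_int(h(h(payment_info) + oi_digest))

def demo():
    # Constructed sample order and payment records.
    oi = b"order=1001;item=book;total=25.00"
    pi = b"pan=0000-CONSTRUCTED;exp=12/30;amount=25.00"
    sig = dual_sign(oi, pi)
    other_oi = b"order=1002;item=laptop;total=25.00"
    return {
        "merchant_ok": merchant_verify(oi, h(pi), sig),
        "acquirer_ok": acquirer_verify(pi, h(oi), sig),
        # Same payment data presented with a different order must fail.
        "reused_with_other_order": acquirer_verify(pi, h(other_oi), sig),
    }
```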


SET Message Flow

• Customer asks Merchant for digital certificates
• Customer makes purchase request
• Merchant asks Acquirer for authorization
• [Merchant asks Acquirer to reverse authorization]
• Merchant asks Acquirer to capture payment
• Customer asks Merchant for transaction status

SET messages come in pairs: Request followed by Response

Appropriate cryptography is applied to message wrappers


Online Banking

• Internet-only banks
  – Offer convenience and lower rates to their customers
  – Establishing a physical presence
• The hybrid bank model
  – Going online has become important for the survival and growth of small local banks
  – Smaller banks will usually partner with third-party service providers to make the transition to the Internet


Example: Hang Seng e-Banking

• Try main.hangseng.com
  – Account Information
  – Transfer
  – Foreign Currency
  – Remittance
  – Pay Bill
  – Time Deposit
  – Stock Purchase
