Unit 3. ECommerce Payments and Security Issues

3.1. ECommerce Payment Systems

An e-payment system is a way of making transactions or paying for goods and services through an electronic medium, without the use of checks or cash. It’s also called an electronic payment system or online payment system.

The electronic payment system has grown increasingly over the last decades due to the growing spread of internet-based banking and shopping. As the world advances more with technology development, we can see the rise of electronic payment systems and payment processing devices. As these increases, improve, and provide ever more secure online payment transactions the percentage of check and cash transactions will decrease.

Pros and cons of using an e-payment system

E-payment systems are made to facilitate the acceptance of electronic payments for online transactions. With the growing popularity of online shopping, e-payment systems became a must for online consumers — to make shopping and banking more convenient. It comes with many benefits, such as:

Reaching more clients from all over the world, which results in more sales? More effective and efficient transactions — It’s because transactions are made in

seconds (with one click), without wasting customer’s time. It comes with speed and simplicity.

Convenience. Customers can pay for items on an e-commerce website at anytime and anywhere. They just need an internet connected device. As simple as that!

Lower transaction cost and decreased technology costs. Expenses control for customers, as they can always check their virtual account where

they can find the transaction history. Today it’s easy to add payments to a website, so even a non-technical person may

implement it in minutes and start processing online payments. Payment gateways and payment providers offer highly effective security and anti-

fraud tools to make transactions reliable.

Drawbacks:

E-commerce fraud is growing at 30% per year. If you follow the security rules, there shouldn’t be such problems, but when a merchant chooses a payment system which is not highly secure, there is a risk of sensitive data breach which may cause identity theft.

The lack of anonymity — For most, it’s not a problem at all, but you need to remember that some of your personal data is stored in the database of the payment system.

The need for internet access — As you may guess, if the internet connection fails, it’s impossible to complete a transaction, get to your online account, etc.

3.1.1. Debit Card Based

Debit card, like credit card, is a small plastic card with a unique number mapped with the bank account number. It is required to have a bank account before getting a debit card from the bank. The major difference between a debit card and a credit card is that in case of payment through debit card, the amount gets deducted from the card's bank account immediately and there should be sufficient balance in the bank account for the transaction to get completed; whereas in case of a credit card transaction, there is no such compulsion.

Debit cards free the customer to carry cash and cheques. Even merchants accept a debit card readily. Having a restriction on the amount that can be withdrawn in a day using a debit card helps the customer to keeps a check on his/her spending.

3.1.2. Credit Card Based

Payment using credit card is one of most common mode of electronic payment. Credit card is small plastic card with a unique number attached with an account. It has also a magnetic strip embedded in it which is used to read credit card via card readers. When a customer purchases a product via credit card, credit card issuer bank pays on behalf of the customer and customer has a certain time period after which he/she can pay the credit card bill. It is usually credit card monthly payment cycle.

Major Parties to Credit Card Transactions

To truly grasp how electronic payments work, you need to know who’s behind them. There are five key parties to a typical electronic card transaction:

1. The Buyer: This is you – the person who swipes, dips, or enters credit card information at the start of a transaction. If you have an electronic payment card, you’re a buyer.

2. The Merchant: This is the person or company that sells what you’re buying. When they receive your credit card information, they set in motion the chain of events that lead to your payment being processed. All merchants have a unique identification number that ensures accuracy throughout the rest of the process.

3. The Acquirer: The merchant pays the acquirer (often called the merchant acquirer, for clarity) to route payment card information to the correct parties, and to ensure that funds are deposited into merchants’ accounts once each transaction is complete. The acquirer has the ability to do this on a large scale and in near-instantaneous fashion. Acquirers are typically major banks or financial institutions. They often provide merchants with the software and hardware necessary to accept payment cards, and may provide day-to-day management for merchants’ business accounts, though some contract with third parties to manage this aspect of the relationship.

4. The Issuer: The issuer, also known as the issuing bank, manages credit or debit card accounts on behalf of buyers. They approve and extend lines of credit (for credit card accounts), distribute payment cards, and bill customers for purchases they make.

5. The Network or Association: The network, also known as the association, serves as a clearinghouse and backer for member institutions (acquirers and issuers) and their customers. Within the electronic payment world, the network’s relationship to acquirers and issuers is roughly analogous to McDonald’s relationship to its franchisees. The network supplies a recognizable brand, ensures that transactions are processed correctly, set guidelines and qualification requirements for member institutions, and mediate disputes between parties to transactions executed using their networks. They also set the interchange fees charged during payment processing. (Interchange fees compensate

the issuer and network for their respective roles in the electronic payment process. Without them, credit card transactions would be free, but the parties involved would have no incentive to execute them in the first place.)

The Credit Card Payment Process

1. Authorization

The authorization process confirms that the buyer has more than enough funds on hand, or enough breathing room before hitting their credit limit, to complete a transaction. This reduces the risk of the merchant handing over goods for which the buyer can’t actually pay. Authorization unfolds as follows:

1. The customer provides card information to the merchant, whether by swiping or dipping in person, or providing digits online or over the phone.

2. The merchant’s payment processing terminal electronically sends the card number, transaction amount, and merchant ID number to the acquirer.

3. The acquirer routes the information to the customer’s issuing bank. This serves as a request to authorize the transaction for the specified amount.

4. The issuing bank checks that the customer has adequate funds or credit. It also checks for red flags, such as near-simultaneous in-person transactions in distant locations, that may indicate the transaction is fraudulent.

5. If sufficient funds or credit are present, and the transaction does not appear to be fraudulent, the issuer sends an authorization code through the network to the acquirer.

6. The acquirer authorizes the transaction and informs the merchant.7. The merchant provides the requested product or service to the

customer.

Authorization merely confirms that the customer has enough funds or credit to purchase the requested product or service. Money doesn’t actually change hands during this process – and won’t until the funding step.

2. Batching

Once authorization is complete and the merchant hands over the requested goods or service, the customer has no further role to play in the process. But the transaction is far from finished – batching is the next step in the process:

1. Throughout the business day, the merchant electronically stores payment information for each authorized transaction. Each day’s set of stored transactions is known as a batch.

2. At the end of the business day, the merchant sends the batch to the acquirer. The acquirer temporarily holds the batch in its own secure, electronic system. Since acquirers typically have thousands of individual merchant clients, they may store multiple batches according to their own needs and schedules.

3. Clearing

Once the acquirer has the merchant’s batch in hand, the clearing process can begin. For the intermediaries, this is the fun part, because they finally get paid.

1. The acquirer sends the batch to the card network or association.2. The card network or association requests payment for the transaction

from the customer’s issuer.3. The issuer deducts a transaction fee from the total transaction amount.

According to Forbes, transaction fees are directly tied to the interchange fees published by card networks. Interchange fees, and thus transaction fees, typically amount to 1% to 3% of the transaction, depending on the card network. The issuer keeps the lion’s share of this fee and shares a small amount (effectively, a franchise fee) with the card network.

4. The issuer routes the net amount through the card network to the acquirer.

4. Funding

The fourth and final step in the transaction is funding. This is the part where the merchant receives funding for the transaction – or, in most cases, for all the transactions in the pertinent batch.

1. The acquirer subtracts its discount rate from the transaction amount. The discount rate serves as the acquirer’s payment for its part in the

transaction. Like transaction fees, discount fees are directly tied to interchange fees. They account for a smaller proportion of the transaction amount – typically less than 1%.

2. The acquirer sends the remainder to the merchant’s business account, and the transaction is complete from the merchant’s perspective.

3. The issuer sends the customer a bill for every transaction executed during the billing period, including the transaction in question. It’s the customer’s responsibility to honor the cardholder agreement and pay the bill.

Though the typical electronic card transaction is authorized and the customer out of the picture within seconds, the entire four-step process (up to merchant funding) can take several business days to complete. Of course, it can take a month or longer for the customer to actually pay the issuing bank.

Credit Card Payment Process

Step Description

Step 1 Bank issues and activates a credit card to the customer on his/her request.

Step 2 The customer presents the credit card information to the merchant site or to the merchant from whom he/she wants to purchase a product/service.

Step 3 Merchant validates the customer's identity by asking for approval from the card brand company.

Step 4 Card brand company authenticates the credit card and pays the transaction by credit. Merchant keeps the sales slip.

Step 5 Merchant submits the sales slip to acquirer banks and gets the service charges paid to him/her.

Step 6 Acquirer bank requests the card brand company to clear the credit amount and gets the payment.

Step 7 Now the card brand company asks to clear the amount from the issuer bank and the amount gets transferred to the card brand company.

3.1.4. eCash and eCheque

Electronic Cash-System

The electronic cash-system is intended to contribute to the consecutive replacement of money in the retail sector. One among its attractive assets from the merchant’s perspective is the payment guarantee given by the issuing bank after the effectual authorization. Due to its efficiency, electronic cash is ready to grow even in competition with different POS-systems. In fact for cardholders, electronic cash transactions are free of charge.

E-cash actually globalizes the economy, since the user will transfer cash into his cyber-wallet in any currency desired. A merchant will accept any currency and convert it to local currency once the cyber cash is uploaded to the bank account.

To the extent a user needs E-cash off-line, all that’s necessary is smart card technology. The cash is loaded onto the smartcard, and the special electronic wallets are used to offload the cash onto different smartcards or directly to an on-line system. Smartcards are used successful in different countries for such transactions as phone calls for a number of years. The cash might also be removed from a smartcard and returned to a bank account. Visa is also used as a related product, the stored value card and it comes in a kind of denominations, however functions more like a debit card than E-cash.

There are four major elements in an electronic cash system:

Issuers Customers Merchants Regulators

Furthermore Issuers are often banks, or non-bank institutions; customers are referred to users who pay E-Cash; merchants are vendors who receive E-Cash, and regulators are referred as related government agencies. For an E-Cash dealing to occur, we want to go through a minimum of three stages:

1. Account setup:

Customers will need to acquire E-Cash accounts through certain issuers. Merchants who would like to simply accept E-Cash will need to organize accounts from various E-Cash issuers. Issuers usually handle accounting for customers and merchants.

2. Purchase:

Customers purchase certain services or goods, and provides the merchants tokens that represent equivalent E-Cash. Purchase information is typically encrypted when sending in the networks.

3. Authentication:

Merchants will need to contact E-Cash issuers regarding the purchase and also the amount of E-Cash involved. E-Cash issuers can then authenticate the dealings and approve the amount E-Cash involved.

Advantages and disadvantages of electronic cash

Electronic Cash (E-Cash) or electronic money are playing more significant role in our daily life due to the rise of internet usage. Most of the money form today is in electronic. However with new invention of tool doesn’t mean that it will bring all positive results as nothing is perfect in this world.

ProsWe can transfer funds, purchase stocks, and offer a variety of other services without having to handle physical cash or checks as long as bank is providing such services online. The significant effect is we do not have to queue in lines, thus saving our time.

Debit cards and online bill payments allow immediate transfer of funds from an individual's personal account to a business's account regardless the

designated place (around the globe) by few clicks without any actual paper transfer of money. This bring convenience individual like us and businessmen.

Consumers will have greater privacy when shopping on the Internet using electronic money instead of ordinary credit cards.

ConsE-cash and E-Cash transaction security are the major concern. Frauds on E-Cash are on the catch recent years. Hackers with good skill able to hack into bank accounts and illegally retrieve of banking records has led to a widespread invasion of privacy and has promoted identity theft. There are many other tricks including through phishing website of certain banks and emails.

Money flow and criminal/terrorist activities are harder to be traced by government. With the continued growth of E-Cash, money flow in and out of countries at immediate speed without being traced will weaken the government's ability to monitor and income in tax. Money laundering and tax evasion could be uncontrollable in e-cash systems as criminals use untraceable internet transaction to hide assets offshore.

E-Cash is not for everyone. Low income groups without computer and internet access are unable to enjoy the usage of E-Cash. This issue shall be resolved so that E-Cash could be implemented widely.

There is also a pressing issue regarding the technology involved in electronic cash such power failures, internet connection failure, loss of records and undependable software. These often cause a major setback in promoting the technology.

How Electronic Cheque payment Processing Works

There was a time — not long ago, really — when a person wrote a personal check, the recipient delivered it to their bank for deposit and it was processed manually. The process could take days to complete, which meant the depositor had to wait for the funds to clear.

Today, new technology has eliminated much of the delay by turning a paper check into an electronic transfer (debit), also known as an electronic check or e-check. If you’re a merchant or service provider, this means funds are electronically transferred from a customer or client’s bank account directly into your bank account through the Federal Reserve Bank’s Automated Clearing House (ACH) system.

Electronic check payment processing is check cashing simplified, and a hassle-free and inexpensive way to get paid faster. It’s just one of many merchant services that TSYS® provides to help you meet all of your payment processing needs.

The e-Cheque ProcessThe process begins when your customer writes a paper check at the point of sale. As a merchant or service provider, you run the check through a reader or imager that captures the required information, including the check number, account number and the bank’s routing number and merchant-related information to complete the one-time electronic payment.

A receipt is generated and printed for the check writer to sign, the check is voided and returned to them. The transaction will then appear on the customer’s bank statement as a debit, not a check.

You then upload the captured check information for processing, and the proceeds are deposited into your merchant account within a day or two. The process is similar for a check that is mailed, except you retain the check after it is voided.

Benefits of Electronic Cheque ProcessingElectronic cheque processing offers numerous benefits. It eliminates the need to take checks to the bank, there are no deposit slips to complete, it reduces the chance of cheques being lost or stolen and you get paid faster.

If you’re working from more than one location, checks can be converted at each location and funds deposited into one main account. Guarantee programs expedite the collection process by discovering NSF (insufficient funds) checks and other returned items.

3.2. Security on Web

Security is an essential part of any transaction that takes place over the internet.

Customers will lose his/her faith in e-business if its security is compromised. Following

are the essential requirements for safe e-payments/transactions −

Confidentiality − Information should not be accessible to an

unauthorized person. It should not be intercepted during the

transmission.

Integrity − Information should not be altered during its transmission

over the network.

Availability − Information should be available wherever and whenever

required within a time limit specified.

Authenticity − There should be a mechanism to authenticate a user

before giving him/her an access to the required information.

Non-Reputability − It is the protection against the denial of order or

denial of payment. Once a sender sends a message, the sender should

not be able to deny sending the message. Similarly, the recipient of

message should not be able to deny the receipt.

Encryption − Information should be encrypted and decrypted only by

an authorized user.

Audit ability − Data should be recorded in such a way that it can be

audited for integrity requirements.

Measures to ensure SecurityMajor security measures are following −

Encryption − It is a very effective and practical way to safeguard the

data being transmitted over the network. Sender of the information

encrypts the data using a secret code and only the specified receiver

can decrypt the data using the same or a different secret code.

Digital Signature − Digital signature ensures the authenticity of the

information. A digital signature is an e-signature authenticated through

encryption and password.

Security Certificates − Security certificate is a unique digital id used to

verify the identity of an individual website or user.

Security Protocols in InternetWe will discuss here some of the popular protocols used over the internet to ensure

secured online transactions.

3.3 Secure Socket Layer (SSL)It is the most commonly used protocol and is widely used across the industry. It meets

following security requirements −

Authentication

Encryption

Integrity

Non-reputability

"https://" is to be used for HTTP urls with SSL, where as "http:/" is to be used

for HTTP urls without SSL.

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is the

most widely deployed security protocol used today. It is essentially a protocol

that provides a secure channel between two machines operating over the

Internet or an internal network. In today’s Internet focused world, the SSL

protocol is typically used when a web browser needs to securely connect to a

web server over the inherently insecure Internet.

Technically, SSL is a transparent protocol which requires little interaction

from the end user when establishing a secure session. In the case of a browser

for instance, users are alerted to the presence of SSL when the browser

displays a padlock, or, in the case of Extended Validation SSL, when the

address bar displays both a padlock and a green bar. This is the key to the

success of SSL – it is an incredibly simple experience for end users.

To secure online credit card transactions.

To secure system logins and any sensitive information exchanged

online.

To secure webmail and applications like Outlook Web Access, Exchange

and Office Communications Server.

To secure workflow and virtualization applications like Citrix Delivery

Platforms or cloud-based computing platforms.

To secure the connection between an email client such as Microsoft

Outlook and an email server such as Microsoft Exchange.

To secure the transfer of files over https and FTP(s) services such as

website owners updating new pages to their websites or transferring large

files.

Secure Hypertext Transfer Protocol (SHTTP)

SHTTP extends the HTTP internet protocol with public key encryption, authentication, and

digital signature over the internet. Secure HTTP supports multiple security mechanism,

providing security to the end-users. SHTTP works by negotiating encryption scheme types

used between the client and the server.

Secure Electronic Transaction

What is the use of SET? Explain SET process in detail? Ans. The Secure Electronic

Transactions (SET) protocol relies on two different encryption mechanisms, as well as an

authentication mechanism. SET uses symmetric encryption, in the form of the aging Data

Encryption Standard (DES), as well as asymmetric, or public key encryption to transmit session

keys for DES transactions (IBM, 1998), Rather than offer the security and protection afforded

by public-key cryptography, SET simply uses session keys (56bits) which are transmitted

asymmetrically – the remainder of the transaction uses symmetric encryption in the form of

DES. This has disturbing connotations for a ―secure‖ electronic transaction protocol – because

public key cryptography is only used only to encrypt DES keys and for authentication, and not

for the main body of the transaction. SET Transactions The sequence of events required for a

transaction as follows. • The customer opens an account with a card issuer. • MasterCard, Visa,

etc. • The customer receives a X.509 V3 certificate signed by a bank. • X.509 V3

Importance of secure transactions Secure electronic transactions will be an important part of

electronic commerce in the future. Without such security, the interests of the merchant, the

consumer, and the credit or economic institution cannot be served, Privacy of transactions and

authentication of all parties, is important for achieving the level of trust that will allow such

transactions to flourish. However, it is important that the encryption algorithm and key-sizes

used, will be robust enough to prevent observation by hostile entities (either criminal or foreign

powers). The ideal of the secure electronic transaction protocol (set) is important for the success

of the electronic commerce. However it remains to be seen whether the protocol will be widely

used because of the weakness of the encryption that it uses.

It is a secure protocol developed by MasterCard and Visa in collaboration. Theoretically, it

is the best security protocol. It has the following components −

Card Holder's Digital Wallet Software − Digital Wallet allows the card

holder to make secure purchases online via point and click interface.

Merchant Software − This software helps merchants to communicate

with potential customers and financial institutions in a secure manner.

Payment Gateway Server Software − Payment gateway provides

automatic and standard payment process. It supports the process for

merchant's certificate request.

Certificate Authority Software − This software is used by financial

institutions to issue digital certificates to card holders and merchants,

and to enable them to register their account agreements for secure

electronic commerce.

E-Commerce - EDI

EDI stands for Electronic Data Exchange. EDI is an electronic way of

transferring business documents in an organization internally between its

various departments or externally with suppliers, customers or any

subsidiaries etc. In EDI, paper documents are replaced with electronic

documents like word documents, spreadsheets etc.

EDI Documents

Following are few important documents used in EDI −

Invoices

Purchase orders

Shipping Requests

Acknowledgement

Business Correspondence letters

Financial information letters

Steps in an EDI System

Following are the steps in an EDI System.

A program generates the file which contains the processed document.

The document is converted into an agreed standard format.

The file containing the document is send electronically on network.

The trading partner receives the file.

An acknowledgement document is generated and sent to the originating

organization.

Advantages of an EDI System

Following are the advantages of an EDI System.

Reduction in data entry errors. − Chances of errors are much less

being use of computer in data entry.

Shorter processing life cycle − As orders can be processed as soon as

they are entered into the system. This reduced the processing time of

the transfer documents.

Electronic form of data − It is quite easy to transfer or share data

being in electronic format.

Reduction in paperwork − As lot of paper documents are replaced

with electronic documents there is huge reduction in paperwork.

Cost Effective − As time is saved and orders are processed very

effectively, EDI proves to be highly cost effective.

Standard Means of communication − EDI enforces standards on the

content of data and its format which leads to clearer communication.