The purpose of this document is to provide a brief background to the rapid emergence of methods
which use electronic means to transfer value, or to facilitate the transfer of value. Some of these
are operational (e.g. EFT/POS, F-EDI and stored-value cards), whereas others are in trial or on the
drawing boards (e.g. electronic cash, especially of the 'milli-cent' variety).
Receiving electronic payments incurs extra costs. When you pay for a good or service in a shop
using a credit or debit card the retailer must pay a commission to the financial institution
processing the card details; additionally there will be operating costs for the system used to
process the cards.
These systems are often costly, challenging to implement and sometimes technically difficult to
understand. These hurdles represent a ‘barrier to entry’, which, if overcome, can give you the
competitive edge.
Electronic business is real and continues to grow as a medium with over 44% of UK adults having
used the internet to order tickets, goods or services (Office of National Statistics, 2002). This
website and its diagnostic tool give you impartial and informed information to make the right
choices for your business and help push your revenues and the UK economy forward in the digital
age.
• cash
  • notes, which were until this century issued in many cases by banks, but during this
    century largely by national governments;
  • coins; and
  • unofficial tokens accepted as having value, e.g. sweets for small change in Italy in
    the 1960s and 1970s, when the intrinsic value of the metals in the coins exceeded
    their face value;
• documents
  • bills of exchange;
  • letters of credit;
These mechanisms have various characteristics, such as the extent to which the parties are
identified, the traceability of the transaction, and the taxability of the transaction. The reason that
so many mechanisms exist is that there are many different circumstances in which value is
exchanged, and each of the mechanisms has niche-markets in which it is perceived by at least
some parties to have advantages.
• mail-order
• online payments
• acquiring banks
• payment bureaus
• BACS
FEDI has become increasingly popular over the last number of years due to the widespread use of
internet-based shopping and banking.
There are dozens, if not hundreds, of electronic payment systems being developed to facilitate secure web
transactions.
Electronic payment systems can be grouped into four basic categories, as follows:
• session level protocols for secure communications
• electronic cash
• financial cyber-mediaries
To be considered secure, an electronic financial transaction should satisfy the following four requirements:
1. Ensuring communications are private
One of the earliest internet security protocols, the Secure Sockets Layer protocol (SSL) is currently the most
popular protocol for the secure transfer of information over the web.
SSL is a protocol-independent encryption scheme developed by Netscape that provides channel security
between the application layer and the transport layer of a network packet. In plain English, this means that
encrypted transactions are handled "behind the scenes" by the server and are essentially transparent to
the HTML or CGI author.
SSL supports, but does not mandate, the use of public key encryption and certification techniques.
It is important to note that SSL is not an electronic payment system. SSL is a secure transmission
protocol which can be used to provide security not just for payments over the internet but also for other
types of server-to-client communications.
SSL’s popularity as a secure transmission protocol has allowed it to become the most popular method of
conducting financial transactions over the web.
Currently there are over 65,000 SSL-enabled hosts on the web. There are a number of other session layer
SSL also benefits from the fact that many other security protocols are still in testing stage or have yet to
gain wide acceptance. However, SSL’s dominance is being challenged by a host of new secure electronic
payment systems.
Consumers are comfortable using credit cards to make purchases in the physical world. In 1996, over
$500 billion worth of goods and services were purchased worldwide using credit cards. Currently the bulk
of purchases on the web are made using credit cards. Not surprisingly, many companies, including
MasterCard and Visa, are rushing to develop secure credit card payment systems for the web.
One of the major reasons electronic commerce is expected to grow rapidly over the next few years is
because of the Secure Electronic Transactions (SET) specification.
Released to the public on May 31st, 1997, SET was jointly developed by MasterCard and Visa with the
backing of Microsoft, Netscape, IBM, GTE, SAIC, Terisa Systems, and VeriSign. The stated goal of this
consortium is "to develop a single method that consumers and merchants will use to conduct bankcard
transactions in cyberspace as securely and easily as they do in retail stores today".
MasterCard and Visa publicly state that they believe creating the SET standard will speed the acceptance of
commerce on the internet. Currently, the bulk of business-to-consumer electronic commerce is conducted
by transmitting a credit card number using SSL. SET represents a bold attempt to make credit card payment
the choice for the future for online payment.
Technically speaking, SET is an open standard, multi-party protocol for conducting secure credit card
payments over the internet. The SET specification is based on public key cryptography and digital
certificates. i
It is important to note that SET’s development as an open standard, multi-party protocol will facilitate and
encourage the interoperability of SET across various software and network providers.
The graphic below outlines the basic steps involved in a SET transaction:
1. An online shopper wishes to make a credit card purchase from a web merchant that supports the
SET specification. Using a browser plug-in called an electronic wallet, the customer transmits
2. The merchant’s server sends the SET transaction to a payment gateway where it is decrypted,
processed, and verified by a certification authority.
3. The payment gateway then routes the transaction back to the financial institution that issued the
credit card for approval.
4. The merchant is advised electronically that the purchase is approved, and the cardholder is
debited. The merchant can then ship merchandise knowing that the customer transaction
has been approved.
The term "digital cash" defines a category of electronic payment systems that attempt to replicate the
benefits of cash in the off-line world. There are a number of electronic cash protocols. To a degree, all
digital cash schemes operate in the following manner:
1. A user installs a "cyberwallet" onto his or her computer. Money can be put in the wallet by
deciding how much is needed and then sending an encrypted message to the bank asking for this
amount to be deducted from the user's account. The bank reads the message (by using its private
key to decode the message) and sees that it has been digitally signed (which requires a
certificate authority such as VeriSign) so it knows that the request comes from the individual who
authorizes account debits.
2. The bank then generates "serial numbers", encrypts the message, signs it with its digital signature
and then sends it back. The user can then take the message, often referred to as a coin or a
token, and spend it at merchant sites.
3. Merchants receive ecash during a transaction and see that it has been authorized by a bank. They
then contact the bank to make sure the coins have not been spent somewhere else, and the
amount is credited to the merchant's account. (Computer Money: A Systematic Overview of
Electronic Payment Systems, Andreas Furche and Graham Wrightson, dpunkt: Heidelberg, 1996.)
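The three steps above can be sketched as follows. This is an added example, not code from the original document or from any real ecash product. It assumes a toy `Bank` class, amounts in cents, and an HMAC under a bank-held secret standing in for the bank's digital signature, so the signature check happens when the merchant contacts the bank rather than at the merchant itself.

```python
import hashlib
import hmac
import secrets

class Bank:
    """Toy issuing bank (hypothetical): debits accounts, issues coins, rejects double spends."""

    def __init__(self, accounts):
        self._key = secrets.token_bytes(32)  # HMAC secret, a stand-in for the bank's signing key
        self.accounts = dict(accounts)       # balances in cents (constructed sample data)
        self._spent = set()                  # serial numbers that have already been deposited

    def _sign(self, serial, value):
        # The tag covers serial and value, so changing either one invalidates the coin.
        return hmac.new(self._key, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()

    def withdraw(self, user, value):
        """Steps 1-2: debit the user's account and return a signed coin with a fresh serial."""
        if self.accounts.get(user, 0) < value:
            raise ValueError("insufficient funds")
        self.accounts[user] -= value
        serial = secrets.token_hex(16)
        return {"serial": serial, "value": value, "sig": self._sign(serial, value)}

    def deposit(self, merchant, coin):
        """Step 3: the merchant asks the bank whether the coin is genuine and unspent."""
        expected = self._sign(coin["serial"], coin["value"])
        if not hmac.compare_digest(expected, coin["sig"]):
            return "rejected: bad signature"
        if coin["serial"] in self._spent:
            return "rejected: already spent"
        self._spent.add(coin["serial"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + coin["value"]
        return "accepted"

def demo():
    bank = Bank({"alice": 500, "shop_a": 0, "shop_b": 0})
    coin = bank.withdraw("alice", 100)
    forged = dict(coin, value=10_000)        # same serial and tag, inflated value
    results = [
        bank.deposit("shop_a", coin),        # first spend is credited
        bank.deposit("shop_b", coin),        # replay of the same serial is refused
        bank.deposit("shop_b", forged),      # tampered value fails the signature check
    ]
    return results, bank.accounts

if __name__ == "__main__":
    print(demo())
```

The spent-serial set is what prevents double spending; the signature only proves the coin was issued by the bank for that value.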
• ‘Swipe’ the customer’s card to collect their credit or debit card details.
• Wait while the card details are passed to the acquiring bank
for approval.
For electronic payment in a shop, the customer is present to sign the sales voucher. If the
transaction takes place via the phone or the internet, the customer is not present so there is an
increased fraud risk.
Any merchant service (whether offline or online) is provided at the discretion of the financial
institution concerned. There are few set rules as to which businesses can and cannot be approved
for a merchant service. Be prepared to negotiate the product at a price that suits your needs.
Mail order payments by phone, post or fax are more at risk of fraud. Acquiring banks ask for
more commission to carry out these customer not present transactions. Mail order payments
involve more risks for banks and financial institutions than transactions where the customer is
present at the point of sale.
Consequently, acquiring banks usually ask for more commission per transaction (perhaps 3.1%
instead of 2.79%) and a more detailed agreement on the fraud checks you use.
With proper planning, your mail order operation should be able to get a customer not present
merchant service from your bank without difficulty. If you already have an offline service
negotiate with your bank to avoid paying another set up charge.
The bank will approve each application individually but there are other equally valid options
available if you cannot get a merchant service.
Credit card and debit card fees charged by the issuing banks range from 1.5-3%, with a typical
minimum fee of 20 cents. Thus, to preserve margins from being eroded by transaction fees, most
vendors in the off- and online world require minimum credit card purchases of around $5.00. Is
there an online market for information, products and services priced below $5.00? You bet your
cookie!
Enter micropayment systems. Micropayments are transactions that range from 1/10 of a cent to
$10.00 and up, with varying limits being set by the micropayment system developer. Under this
concept, a consumer can buy one chapter from an online book for $1.00 versus having to pay
$10.00 for the entire contents. Single articles from the Wall Street Journal online could be bought
for 10 cents, freeing the consumer from the obligation of a long term subscription.
The idea of selling inexpensive products and services opens a world of options for content
providers and a new realm of flexibility and selection to consumers. However, small transactions
demand proportionately small transaction fees. The most promising micropayment systems are
designed to meet the goal of minimizing transaction fees first. To varying degrees, each
micropayment system addresses the need for transaction security and the anonymity of the
consumer.
Cybank
Cybank is an example of an online bank somewhat similar to First Virtual but using alternatives to
credit card transactions. Cybank offers free accounts and software. Users contact Cybank merchants
and authorize debits to their accounts for merchandise (all with encryption). Users can add credit
to their account by using a credit card, check, money order, or "phonecash", which credits your
account a specified amount of money that is paid out via your phone bill.
A new type of payment method is emerging whereby vendors create their own forms of currency
using the model of frequent flyer points. This phenomenon of points conveying value both within
the issuer's system of products and for exchange in other vendors' systems is undoubtedly
occurring. Companies such as Netcentives have been created to capitalize on just this opportunity.
Netcentives aggregates merchants' affinity point programs on the net and allows users to use them
interchangeably for a variety of merchandise. However, we contend that these point systems are,
at their heart, essentially loyalty programs. They are very effective at consumer retention and they
do use the model of creating a system of value outside of the world of cash, but their underlying
premise is that the points were a reward for the use of cash payments to the merchants.
VirtualPIN
VirtualPIN is an email based system that stores a user’s credit card information off-line. Users
register with the service over the phone, so credit card information is never transmitted over the
internet. Upon receiving the user’s account information, First Virtual issues him/her a PIN. When
making a purchase, a user gives the vendor the PIN and the vendor then sends the transaction
information to First Virtual for approval. First Virtual then confirms the purchase with the user via
email and then charges the proper amount to the user's credit card. This system is very flexible in
that it can handle purchases from $1.00 on up. However, the entire process can be slow and
transaction costs are relatively high (thus, the unusually high "micropayment" minimum).
CyberCoin
Users download the CyberCoin wallet and register it with a CyberCoin participating financial
institution (bank or credit card company). Users buy the CyberCoins in bulk using a credit card or
their existing checking account. The CyberCoin enabled bank stores the account balance and
transfers all the real money within the established banking network. The wallet is simply a legal
record of who the owner is and what exists in his or her account. CyberCoin acts as the
middleman, taking a transaction fee from both the merchant and the bank in order to facilitate the
exchange. CyberCoin allows the user to remain anonymous to the vendor. Financial information is
encrypted, but the actual message is not.
Millicent
Digital’s Millicent system does not issue one standard "currency." Instead, each vendor has its
own specific scrip, which it sells to a broker at a discount. Users register with one broker and buy
broker scrip in bulk. Brokers will vary in the way they bill users (through credit cards, ISP
accounts, or CyberCash-type wallets). When a user wishes to make a purchase, s/he converts
broker scrip into vendor-specific scrip, which is then stored in the user's hard drive wallet. When
the user enacts the purchase from the vendor, their wallet pays the vendor with its specific
currency. The major feature of this system is its low transaction costs, which allow for purchases
of as little as 1/10 of a cent. While Millicent transactions are not as well encrypted as other
micropayment systems, it does allow for some degree of user anonymity.
Almost every electronic payment system developed or under development relies on some form of
encryption and/or the use of digital certificates. Therefore, a brief discussion of cryptography
and digital certificates is appropriate before launching into a discussion of the various electronic
payment systems.
Cryptography is the science of keeping messages secret. The original text, or plaintext, is
converted into a coded equivalent called ciphertext via an encryption algorithm. The ciphertext is
decoded (decrypted) at the receiving end and turned back into plaintext. The encryption algorithm
uses a key, which is a binary number that is typically from 40 to 128 bits in length. The data is
"locked" for sending by combining the bits in the key mathematically with the data bits. At the
receiving end, another key is used to "unlock" the code, restoring it to its original binary form.
There are two cryptographic methods being used in electronic payment systems: secret key and
public key. The traditional secret key method uses the same key to encrypt and decrypt. This is the
fastest method, but transmitting the secret key to the recipient in the first place is not secure. The
second method, public-key cryptography, uses both a private and a public key. Each recipient has
a private key that is kept secret and a public key that is published for everyone. The sender looks
up the recipient's public key and uses it to encrypt the message. The recipient uses the private key
to decrypt the message. Key owners do not need to transmit their private keys to anyone in order
to have their messages decrypted and thus the private keys are not in transit and are not
vulnerable.
The security of a strong system resides with the secrecy of the key rather than with secrecy of the
algorithm. In theory, any cryptographic method with a key can be broken by trying all possible
keys in sequence. However, using brute force to try all keys requires computing power that
increases exponentially with the length of the key. A system using 40-bit keys takes 2^40
steps. This kind of computing power is available in most universities. However, keys with 64 bits
would require computing power available only to major governments. Keys with 80 bits and 128
bits will probably remain unbreakable by brute force for the foreseeable future.
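The effect of key length on exhaustive search can be seen in a short experiment. This is an added example, not part of the original document. The stream cipher (SHA-256 used as a keystream generator), the 16-bit demonstration key, the sample message and the trial rate of 10^9 keys per second are all assumptions chosen so that the search completes quickly.

```python
import hashlib

def keystream(key: int, bits: int, n: int) -> bytes:
    """Constructed toy stream cipher: SHA-256 in counter mode, keyed by a `bits`-bit integer."""
    seed = key.to_bytes((bits + 7) // 8, "big")
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor_cipher(key: int, bits: int, data: bytes) -> bytes:
    """Encrypts or decrypts: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, bits, len(data))))

def brute_force(ciphertext: bytes, known_prefix: bytes, bits: int):
    """Try every key in sequence; return (key found, number of keys tried)."""
    head = ciphertext[:len(known_prefix)]
    for key in range(2 ** bits):
        if xor_cipher(key, bits, head) == known_prefix:
            return key, key + 1
    return None, 2 ** bits

def years_to_exhaust(bits: int, keys_per_second: float) -> float:
    """Worst-case time to search a `bits`-bit key space at an assumed trial rate."""
    return 2 ** bits / keys_per_second / (365 * 24 * 3600)

def demo():
    bits, secret_key = 16, 0xBEEF            # tiny key so the search finishes in well under a second
    message = b"PAY TO: shop_a AMOUNT: 100"  # constructed sample plaintext
    ciphertext = xor_cipher(secret_key, bits, message)
    key, tries = brute_force(ciphertext, b"PAY TO: ", bits)
    recovered = xor_cipher(key, bits, ciphertext)
    rate = 1e9                               # assumed trial rate, not a measured figure
    estimates = {b: years_to_exhaust(b, rate) for b in (40, 64, 80, 128)}
    return key, tries, recovered, estimates

if __name__ == "__main__":
    print(demo())
```

The algorithm is fully known to the searcher here; only the key is secret, and each extra key bit doubles the worst-case number of trials.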