Electronic Payment Systems

DILEEP V K 4NM10SCS08 MTECH II NMAMIT

Presentation Outline

- Introduction to electronic payment systems - Requirements of electronic payment - Classification of electronic payment and protocols - Account-Based Payment and Example - Electronic Check Payment and Example - Micro-Payment and Example systems

Introduction to Electronic Payment and Systems

What is a payment system? E-commerce application systems must provide payment processing and transaction service to buyers and sellers. A payment system, as a part of E-commerce application system, is a such system which support secured payment processes by providing reliable, secured, and efficient transaction services between sellers and buyers. The basic requirements of a payment system:

Provide secured and confidential transaction processes. Conduct authentication and authorization for all involved parties. Ensure the integrity of payment instructions for goods and services. Availability, cost-effective, efficiency and reliability. Global access and international useful

Introduction to Electronic Payment Systems

Electronic payment is implemented by a flow of money from the payer via the issuer and acquirer to the payee. Advantages: Fast transaction processing Flexible of use (24 hours available) Low cost transactions Global accessible to customers and businesses

Disadvantages: High risks and security challenges due to: - Unlike paper, digital documents can be copied perfectly and arbitrarily often. - Digital signatures can be produced by anybody who knows the secret cryptographic key. - A buyers name can be associated with every payment.

Introduction to Electronic Payment Systems

Electronic Payment Models:

Direct-payment systems:--> require an interaction between payer and payee.

- Cash-like payment systems - A certain amount of money is taken away from the payer before purchases are made. Example: Smart card-based electronic purses, electronic cash, and bank checks - Check-like payment systems - pay-now systems (like credit card-based payment systems) - pay-later systems (like ATM card-based payment systems) Indirect payment systems:--> the payer or the payee initiates payment without the other party involved online. (Example, electronic funds transfer)

Introduction to Electronic Payment Systems

Classification of electronic payment systems: - Card-based payment systems: Examples: CyberCash, First Virtual (FV), VISA and MasterCard, CARI - Electronic checking systems: Examples: FSTC, NetBill - Electronic cash payment systems: Examples: Ecash (DgiCash), NetCash, CyberCoin, Mondex - Micro-payment systems: Examples: Millicent, SubScrip, PayWord, MicroMint, IKP micropayment.

Classification of Electronic Payment Protocols E-Commerce Payment Protocols Macro-Payment Protocols

SET Electronic Check Payment Protocols CyberCash iKP Digital Cash Payment Protocols FV SEPP NetBill Micro-Payment Protocols DigiCash FSTC NetCash Millicent Mondax PayWord CyberCoin SubScrip Cafe

Overview of Account-Based Payment

Different types of payment card schemes: (A) Credit cards, where payments are set against a special-purpose account associated with some form of installment-based repayment scheme or a revolving line of credit. - pay later with limit and interest rate. (B) Debit cards (paperless checks) are linked to a checking/saving account. - pay now with balance checking. (C)Charge cards: work in a similar way to credit cards in that payments are set against a special-purpose account. - payment must be made at the end of billing period without limit. (D) Travel and entertainment cards are charge cards whose usage is linked to airlines, hotels, restaurants, car rental companies, or particular retail outlets.

Overview of Credit Card-Based Payment

Payment Model:

Card Association

Card Issuers Bank

Card Acquirers Bank

CardHolder

Merchant

Special Features of Account-Based Electronic Payment

- Online Transaction. - Anonymity: This ensure that no detailed cash transactions for customer are traceable. Even sellers do not know the identity of customers involved in the purchases High security and low risk due to the use of traditional banking system and user accounts. Use of the existing standardized payment model consumers can have multiple cards used in different countries and concurrency

- Security: - Standardization: - Flexibility:

- All transactions can be easily traced by banking system and merchants.

Special Features of Account-Based Electronic Payment

Limitations: - Dependency: dependent on existing banking systems.

- Transaction cost: high transaction cost compared with other approaches - Performance: slower performance due to the authentication and account validation using the existing banking systems - Privacy: consumer loss of the privacy of their transactions

Credit Card-Based Electronic Payment System: CyberCash

About CyberCash: - CyberCash is a secure Internet payment system developed by CyberCash, Inc., which is located at Reston, VA, USA, and it was found in August 1994 to provide software and service solutions for secure financial transactions over the Internet. - CyberCash uses special wallet software, enable consumers to make secure purchases using major credit cards from CyberCash-affiliated merchants. - the CyberCash payment system was launched in April 1995. It had over half a million copies in circulation. - CyberCash has other payment systems, such as CyberCoin (electronic cash system) and PayNow (electronic check system).

Credit Card-Based Electronic Payment System: CyberCash

Features of CyberCash:
- Use the existing credit card infrastructure for settlement payments. - Use cryptographic techniques to protect the transaction data during a purchase.

- Authenticate the identifies of both parties to the transaction.

- Provide online transaction and online authentication. - Broker the transaction between merchants bank and cardholders bank.

Credit Card-Based Electronic Payment System: CyberCash

CyberCash Server Registration Card binding Customer Wallet Web Browser CyberCash Payment Model Purchase Shopping

Banking Network Internet Purchase messages Merchant Software Web Server

Credit Card-Based Electronic Payment System: CyberCash

Consumer Finish shopping Choose CC, addr Click PAY Payment-req Cybercash Server (CS)

Merchant order form

Credit-card pay forward details issue recei Charge-card-res pt

auth-capture authorize charge-action-res + clear with bank

log transaction

Payment Steps in a CyberCash Purchase

Credit Card-Based Electronic Payment System: CyberCash

CyberCash Messages: Header Transport Opaque Trailer

Header:

It indicates the start of a CyberCash message.

Transport: It contains the order information in a purchase, transaction ID, date, and the key ID to the encrypt the opaque part. Opaque: The encrypted part of a message. Trailer: the end of a CyberCash message.

Payment Acceptance and Processing

Merchants must set up merchant accounts to accept payment cards Law prohibits charging payment card until merchandise is shipped Payment card transaction requires:

Merchant to authenticate payment card Merchant must check with card issuer to ensure funds are available and to put hold on funds needed to make current charge Settlement occurs in a few days when funds travel through banking system into merchants account
17

10/22/2012

Processing a Payment Card Order

10/22/2012

18

Open and Closed Loop Systems

Closed loop systems

Banks and other financial institutions serve as brokers between card users and merchants -- no other institution is involved American Express and Discover are examples Transaction is processed by third party Visa and MasterCard are examples

Open loop systems

10/22/2012

19

Credit Card Processing

SOURCE: PAYMENT PROCESSING INC.

10/22/2012

20

Secure Electronic Transaction (SET) Protocol

Jointly designed by MasterCard and Visa with backing of Microsoft, Netscape, IBM, GTE, SAIC, and others Designed to provide security for card payments as they travel on the Internet
Contrasted with Secure Socket Layers (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission SET specification Uses public key cryptography and digital certificates for validating both consumers and merchants Provides privacy, data integrity, user and merchant authentication, and consumer nonrepudiation

10/22/2012

21

The SET protocol

The SET protocol coordinates the activities of the customer, merchant, merchants bank, and card issuer. [Source: Stein] 10/22/2012 22

SET Payment Transactions

SET-protected payments work like this:

Consumer makes purchase by sending encrypted financial information along with digital certificate Merchants website transfers the information to a payment card processing center while a Certification Authority certifies digital certificate belongs to sender Payment card-processing center routes transaction to credit card issuer for approval Merchant receives approval and credit card is charged Merchant ships merchandise and adds 10/22/2012 23 transaction amount for deposit into merchants

SET uses a hierarchy of trust

All parties hold certificates signed directly or indirectly by a certifying authority. [Source: Stein] 10/22/2012 24

SET Protocol

Extremely secure

Fraud reduced since all parties are authenticated Requires all parties to have certificates

So far has received lukewarm reception 80 percent of SET activities are in Europe and Asian countries Problems with SET

Not easy to implement Not as inexpensive as expected Expensive to integrated with legacy applications Not tried and tested, and often not needed Scalability is still in question

10/22/2012

25

Payment Cards

Online Credit Card Transaction

Payment Acceptance and Processing

Open and closed loop systems will accept and process payment cards. A merchant bank or acquiring bank is a bank that does business with merchants who want to accept payment cards. Software packaged with your electronic commerce software can handle payment card processing automatically.

Payment Acceptance and Processing

Using Payments Cards Online

Key participants in processing credit card payments online include the following: Acquiring bank

Credit card association Customer Issuing bank Merchant Payment processing service Processor
30

10/22/2012

Using Payments Cards Online

Fraudulent Credit Card Transactions

Address Verification System (AVS) Detects fraud by comparing the address entered on a Web page with the address information on file with cardholders issuing bank

10/22/2012

31

Using Payments Cards Online

card verification number (CVN) Detects fraud by comparing the verification number printed on the signature strip on the back of the card with the information on file with the cardholders issuing bank

10/22/2012

32

Using Payments Cards Online

Fraudulent Credit Card Transactions

Additional tools used to combat fraud include: Manual review

Fraud screens and decision models Negative files Card association payer authentication services

10/22/2012

33

Using Payments Cards Online

virtual credit card An e-payment system in which a credit card issuer gives a special transaction number that can be used online in place of regular credit card numbers

10/22/2012

34

Stored-Value Cards

A stored-value card can be an elaborate smart card or a simple plastic card with a magnetic strip that records the currency balance.

A smart card is better suited for Internet payment transactions because it has limited processing capability.

Smart Cards

Plastic card containing an embedded microchip Available for over 10 years So far not successful in U.S., but popular in Europe, Australia, and Japan Smart cards gradually reappearing in U.S.; success depends on:

Critical mass of smart cards that support applications Compatibility between smart cards, card-reader devices, and applications
36

10/22/2012

Smart Card Applications

Ticketless travel

Seoul bus system: 4M cards, 1B transactions since 1996 Planned the SF Bay Area system

Authentication, ID Medical records Ecash Store loyalty programs Personal profiles Government

Licenses

Mall parking ...

37

10/22/2012

Advantages and Disadvantages of Smart Cards

Advantages:
1. 2. 3. 4. 5.

Atomic, debt-free transactions Feasible for very small transactions (information commerce) (Potentially) anonymous Security of physical storage (Potentially) currency-neutral Low maximum transaction limit (not suitable for B2B or most B2C) High Infrastructure costs (not suitable for C2C) Single physical point of failure (the card) Not (yet) widely used

Disadvantages:
1. 2. 3. 4.

10/22/2012

38

Mondex Smart Card

Holds and dispenses electronic cash (Smart-card based, stored-value card) Developed by MasterCard International Requires specific card reader, called Mondex terminal, for merchant or customer to use card over Internet Supports micropayments as small as 3c and works both online and off-line at stores or over the telephone Secret chip-to-chip transfer protocol Value is not in strings alone; must be on Mondex card Loaded through ATM

ATM does not know transfer protocol; connects with secure device at bank

10/22/2012

39

Mondex Smart Card Processing

10/22/2012

40

Mondex transaction

Here's what happens "behind the scenes" during a Mondex transaction between a consumer and merchant. Placing the card in a Mondex terminal starts the transaction process:
1.

2.

3.

Information from the customer's chip is validated by the merchant's chip. Similarly, the merchant's card is validated by the customer's card. The merchant's card requests payment and transmits a "digital signature" with the request. Both cards check the authenticity of each other's message. The customer's card checks the digital signature and, if satisfied, sends acknowledgement, again with a digital signature. Only after the purchase amount has been deducted from the customer's card is the value added to the merchant's card. The digital signature from this card is checked by the customer's card and if confirmed, the transaction is complete.

10/22/2012

41

Mondex Smart Card

Disadvantages

Card carries real cash in electronic form, creating the possibility of theft No deferred payment as with credit cards -cash is dispensed immediately Active and dormant security software Security methods constantly changing ITSEC E6 level (military) VTP (Value Transfer Protocol) Globally unique card numbers Globally unique transaction numbers Challenge-response user identification Digital signatures MULTOS operating system firewalls on the chip 42

Security

10/22/2012

Smart Cards

smart card An electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card

Smart Cards

Types of Smart Cards

contact card A smart card containing a small gold plate on the face that when inserted in a smart card reader makes contact and passes data to and from the embedded microchip contactless (proximity) card A smart card with an embedded antenna, by means of which data and applications are passed to and from a card reader unit or other device without contact between the card and the card reader

Smart Cards

smart card reader Activates and reads the contents of the chip on a smart card, usually passing the information on to a host system smart card operating system Special system that handles file management, security, input/output (I/O), and command execution and provides an application programming interface (API) for a smart card

Smart Cards

Securing Smart Cards

Smart cards store or provide access to either valuable assets or to sensitive information Because of this, they must be secured against theft, fraud, or misuse The possibility of hacking into a smart card is classified as a class 3 attack, which means that the cost of compromising the card far exceeds the benefits

E-Cards (cont.)

Optical memory cards

Stores 4MB of data; once written, data cannot be changed or removed Ideal for keeping records (medical files) Require expensive card readers Contact cardinsert in smart card reader Contactless cardembedded antenna read by another antenna (mass-transit applications)

Categorize smart cards by how they store data

E-Cards (cont.)

Smart cards are computer devices and require:

Chip with an operating system to run applications Programming language to write applications Multipurpose cards use new operating systems

MultOS JavaCard Microsoft windows for smart cards

Figure 14-8 Smart Card Image

Embedded chip

Source: Visa.

Smart Cards

Applications of Smart Cards

Retail Purchases e-purse Smart card application that loads money from a card holders bank account onto the smart cards chip Common Electronic Purse Specification (CEPS) Standards governing the operation and interoperability of e-purse offerings Transit Fares E-Identification

Smart Cards

Applications of Smart Cards

Transit Fares
To eliminate the inconvenience of multiple types of tickets used in public transportation, most major transit operators in the United States are implementing smart card fare-ticketing systems

E-Identification
Because they have the capability to store personal information, including pictures, biometric identifiers, digital signatures, and private security keys, smart cards are being used in a variety of identification, access control, and authentication applications

Electronic Cheques

Leverages the check payments system, a core competency of the banking industry. Fits within current business practices Works like a paper check does but in pure electronic form, with fewer manual steps. Can be used by all bank customers who have checking accounts Different from Electronic fund transfers

How does echeck work?

Exactly same way as paper Check writer "writes" the echeck using one of many types of electronic devices Gives" the echeck to the payee electronically. Payee "deposits" echeck, receives credit, Payee's bank "clears" the echeck to the paying bank. Paying bank validates the echeck and "charges" the check writer's account for the check.

E-Checking

Electronic checkbook

Counterpart of electronic wallet To be integrated with the accounting information system of business buyers and with the payment server of sellers To save the electronic invoice and receipt of payment in the buyers and sellers computers for future retrieval Example : SafeCheck Used mainly in B2B

Figure 14-14 Digital of Signatures in E-Check Processing

Source: Anderson (1998).

E-Checking (cont.)

Treasury Department expects e-checks to:

Enhance security through use of public key cryptography Push a payment to the payee and not pull funds from general account of the U.S. Leverage Internet for its strength as ubiquitous communication vehicle Increase payment choices for U.S. Treasury payees

E-Checking

Benefits of e-check processing:

It reduces the merchants administrative costs by providing faster and less paper-intensive collection of funds It improves the efficiency of the deposit process for merchants and financial institutions It speeds the checkout process for consumers It provides consumers with more information about their purchases on their account statements It reduces the float period and the number of checks that bounce because of insufficient funds (NSFs)

Exhibit 12.3 Processing E-Checks with Authorize. Net

Electronic Check Payment System: NetBill

Overview of NetBill: - NetBill is a dependable, secure and economical payment method for purchasing digital goods and services through the Internet. - NetBill protocol is developed by Carnegie Mellon University. - In partnership with Visa International and Mellon Bank, the first trial of the system was installed in early 1996. Major goals of NetBill: - Support high transaction volumes at low cost - Provide authentication, privacy, and security for transactions

- Provide account management and administration for consumers and merchants

Electronic Check Payment Process: NetBill

Merchant Customer

Network

Bank

NetBill Server

Electronic Check Payment System: NetBill

Merchant

1 2 3 4 5 8

Customer

NetBill Server

6
7

1. Consumers application send a price quote request to the merchants application through a checkbook library. 2. Merchants application sends back the price quote the consumers application. 3. Consumer accepts the price quote, and then sends a purchase request through the Checkbook library. 4. Merchants application sends to the consumers Checkbook encrypted in a one-time key. 5.Consumer sends a electronic payment order (EPO) to merchants application. 6. The merchants application sends the endorsed EPO to the NetBill server. 7. NetBill server verifies that the consumer and merchant signatures are valid. Then, return the merchant a digitally signed receipt with a decryption key. 8. The merchants application forward the NetBill servers receipt to the Check book.

Electronic Check Payment System: NetBill

NetBill Archecture: (Source: NetBill 1994 Prototype) Consumer Application Checkbook Merchant Application Till

Security Server

Transaction Server

User Admin. Server

Payment & Collection Server

DB

System Admin. Server

Electronic Check Payment System: NetBill

Major features of NetBill: - Certified delivery: delivering encrypted information goods and then charging against the consumers NetBill account. Then, decryption key registration are used at both the merchants application and the NetBill server. - Scalability: the bottleneck in the NetBill model is the NetBill Server which supports many different merchants. - Support for flexible pricing: by including the steps of offer and acceptance. The merchant can calculate a customized quote for individual consumer. - Protection of consumer accounts against unscrupulous merchants in a conventional credit card transaction.

Electronic Check Payment System: NetBill

Security Mechanisms of NetBill:

- Create a NetBill account for each consumer by using a unique user ID and the RSA public key. - the key pair is certified by NetBill and is used for signatures and authentication in the system. -These signatures are used to check the elements of NetBill transactions (the price quote, the acceptance, etc) really came from the right parties. - NetBill uses symmetric cryptogrphy method for message authentication and encryption and decryption.

Micro-Payment Systems
- Objectives: ---> Micro-payment situations: Although micro-payment systems share the similar requirements of other payment systems, they focus on special markets, where: - Low-value transactions involved less than the value of smallest coin. - Non-tangible and network-deliverable merchandise examples: archived magazines, journals, CD, software, - Special requirements:

Fast and low cost payment transactions. Very small amount of value Reduced the number of involved parties High scalable

The issues of other payment systems: - Account-based systems have high transaction costs. - Transaction speed in electronic checking systems is slow. - Electronic money systems involve more parties, have low transaction speed, and cause poor scalability.

Micro-Payment Protocols
- Objectives: ---> Micro-payment situations: Although micro-payment systems share the similar requirements of other payment systems, they focus on special markets, where: - Low-value transactions involved less than the value of smallest coin. - Non-tangible and network-deliverable merchandise examples: archived magazines, journals, CD, software, - Special requirements: Fast and low cost payment transactions. Very small amount of value Reduced the number of involved parties High scalable

The issues of other payment systems: - Account-based systems have high transaction costs. - Transaction speed in electronic checking systems is slow. - Electronic money systems involve more parties, have low transaction speed, and cause poor scalability.

Micro-Payment Protocols and Systems

Micro-payment Protocols:
- Millicent, developed by Digital Equipment Corp. in 1995. - SubScrip, developed at the University of Newcastle, - PayWord, developed by Ron Rivest (MIT) and Adi Shamir. - MicroMint, developed by Ron Rivest and Adi Shamir. - iKP micropayment protocol

Australia.

Micro-payment systems do not available in conventional commerce. They open many new areas of business. Examples: - Millicent payment system - Micro Payment Transfer Protocol (MPTP) based on PayWord.

Micro-Payment Systems

- Important features of Micro-payment protocols and systems:

Simplified verification Simple security mechanisms Very low cost transactions Very fast speed Simplified architecture

- Major factors on transaction costs: Payment methods Complexity of security mechanisms The number of involved parties Transaction model (on-line/off-line)

Micro-Payment Protocol: Millicent

Overview of Millicent: Millicent payment protocol is designed for low-amount transactions over the Internet. It is developed by Digital Support low-cost, secured transactions (less than one cent) Use non-expensive symmetric crytographic algorithms Use scrip as digital cash for customers to make purchases from vendors Provide decentralized validation of electronic cash at the vendors server Provide no additional communications, off-line processing.

Business market: electronic publishing, software and game industries. Performance: 14,000 pieces of Scrip can be produced per second. 8,000 payments can be validated per second, with change Scrip being produced. A public trial of the Millicent system was scheduled for the summer of 1997.

Micro-Payment Protocol: MilliCent

MilliCent model: MilliCent protocols use a form of electronic currency called Scrip to connect three involved parties: - vendors, customers, and brokers. Scrip is vendor specific. A Millicent broker: --> medicate between vendors and customers to simplify the tasks they perform. --> aggregate micro-payments --> sell vendor Scrip to customers --> handle the real money in the Millicent system. --> maintain customer accounts and vendors (subScription services) --> buy and produce large chunks of vendor Scrips (for licensed vendors) Vendors: --> are merchants selling low-value services or information to customers Customers: --> buy broker Scrip with real money from selected brokers. --> use the vendor Scrips to make purchases.

Micro-Payment Protocol: MilliCent

Customer Dealer

3
Internet

1. Customer sends brokerscripts.

2. Customer gets dealerscript.

3. Customer send dealerscripts.

Broker

Electronic Cash

Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that government-issued currency operates in the physical world.

Concerns about electronic payment methods include:

Privacy Security Independence Portability Convenience

How Electronic Cash Works

To establish electronic cash, a consumer goes in person to open an account with a bank. The consumer uses a digital certificate to access the bank through the Internet to make a purchase. Consumers can spend their electronic cash at sites that accept electronic cash for payment.

The electronic cash must be protected from both theft and alteration.

Providing Security for Electronic Cash

To prevent double spending, the main security feature is the threat of prosecution. A complicated two-part lock provides anonymous security that also signals when someone is attempting to double spend cash. One way to trace electronic cash is to attach a serial number to each electronic cash transaction.

Providing Security for Electronic Cash

Electronic Cash -- Idea 1

Bank issues character strings containing:

denomination serial number bank ID + encryption of the above

First person to return string to bank gets the money PROBLEMS: Cant use offline. Must verify money not yet spent. Not anonymous. Bank can record serial number. Sophisticated transaction processing system required with locking to prevent double spending.

10/22/2012

eCash (Formerly DigiCash)

ALICE SEND UNSIGNED BLINDED COINS TO THE BANK

Withdrawal (Minting):
ALICE BUYS DIGITAL COINS FROM A BANK

WALLET SOFTWARE

BANK SIGNS COINS, SENDS THEM BACK. ALICE UNBLINDS THEM

BOB VERIFIES COINS NOT SPENT

ALICE PAYS BOB

Spending:
BOB DEPOSITS

Personal Transfer:

CINDY VERIFIES COINS NOT SPENT

ALICE TRANSFERS COINS TO CINDY

CINDY GETS COINS BACK

10/22/2012

Minting eCash

Alice requests coins from the bank where she has an account Alice sends the bank { { blinded coins, denominations }SigAlice }PKBank Bank knows they came from Alice and have not been altered (digital signature) The message is secret (only Bank can decode it) Bank knows Alices account number Bank deducts the total amount from Alices account

10/22/2012

Minting eCash, cont.

Bank now must produce signed coins for Alice Each of Alices blinded coins has a serial# Banks public key for $5 coins is (e5, m5) (exponent and modulus). Private key is d5. Alice selects blinding factor r Alice blinds serial# by multiplying by r e5 (mod m5) (serial# r e5) (mod m5) e5 d5 = 1 (mod m5) Banks signs the coin with its private d5 key: (serial# r e5)d5 (mod m5) = (serial#)d5 r (mod m5) Alice divides out the blinding factor r. Whats left is (serial#)d5 (mod m5) = { serial# } SKBank5
Just as if bank signed serial#. But Bank doesnt know serial#.
10/22/2012

Spending eCash

Alice orders goods from Bob Bobs server requests coins from Alices wallet: payreq = { currency, amount, timestamp, merchant_bankID, merchant_accID, description }

Alice approves the request. Her wallet sends: payment = { payment_info, {coins, H(payment_info)}PKmerchant_bank } payment_info = { Alices_bank_ID, amount, currency, ncoins, timestamp, merchant_ID, H(description), H(payer_code) }
10/22/2012

Depositing eCash

Bob receives the payment message, forwards it to the bank for deposit by sending deposit = { { payment }SigBob }PKBank
Bank decrypts the message using SKBank. Bank examines payment info to obtain serial# and verify that the coin has not been spent Bank credits Bobs account and sends Bob a deposit receipt: deposit_ack = { deposit_data, amount }SigBank
10/22/2012

Proving an eCash Payment

Alice generates payer-code before paying Bob A hash of the payer_code is included in payment_info
Bob cannot tamper with H(payer_code) since payment_info is encrypted with the banks public key The merchants bank records H(payer_code) along with the deposit If Bob denies being paid, Alice can reveal her payer_code to the bank Otherwise, Alice is anonymous; Bob is not.

10/22/2012

Lost eCash

Ecash can be lost. Disk crashes, passwords forgotten, numbers written on paper are lost. Alice sends a message to the bank that coins have been lost Banks re-sends Alice her last n batches of blinded coins (n = 16) If Alice still has the blinding factor, she can unblind Alice deposits all the coins bank in the bank. (The ones that were spent will be rejected.) Alice now withdraws new coins eCash demo
10/22/2012

E-cash Concept
Merchant

5 4 Bank 3

2 1

1. Consumer buys e-cash from Bank 2. Bank sends e-cash bits to consumer (after charging that amount plus fee) 3. Consumer sends e-cash to merchant 4. Merchant checks with Bank that e-cash is valid (check for forgery or fraud) 5. Bank verifies that e-cash is valid 6. Parties complete transaction: e.g., merchant present e-cash to issuing back for deposit once goods or services are delivered Consumer still has (invalid) e-cash

Consumer 10/22/2012 84

Electronic Cash Security

Complex cryptographic algorithms prevent double spending

Anonymity is preserved unless double spending is attempted

Serial numbers can allow tracing to prevent money laundering

Does not prevent double spending, since the merchant or consumer could be at fault

10/22/2012

85

Anonymous payments
5. Deposit token at bank. If double spent reveal identity and notify police

1. Withdraw money: cyrpographically encoded tokens

customer

merchant 3. Send token after adding merchants identity 4. Check validity and send goods

2. Transform so merchant can check validity but identity hidden

Problems with the protocol

Not money atomic: if crash after 3, money lost

if money actually sent to merchant: returning to bank will alert police if money not sent: not sending will lead to loss

High cost of cryptographic transformations: not suitable for micropayments Examples: Digicash

Electronic Cash

Primary advantage is with purchase of items less than $10

Credit card transaction fees make small purchases unprofitable Micropayments

Payments for items costing less than $1

10/22/2012

88

Past and Present E-cash Systems

CyberCash

Combines features from cash and checks Offers credit card, micropayment, and check payment services Connects merchants directly with credit card processors to provide authorizations for transactions in real time No delays in processing prevent insufficient e-cash to pay for the transaction Stored in CyberCash wallet, a software storage mechanism located on customers computer Used to make purchases between .25c and $10 PayNow -- payments made directly from checking accounts

CyberCoins

10/22/2012

89

Past and Present E-cash Systems

DigiCash

Trailblazer in e-cash Allowed customers to purchase goods and services using anonymous electronic cash Recently entered Chapter 11 reorganization

Coin.Net

Electronic tokens stored on a customers computer is used to make purchases Works by installing special plug-in to a customers web browser Merchants do not need special software to accept eCoins. eCoin server prevents double-spending and traces transactions, but consumer is anonymous to merchant

10/22/2012

90

Advantages of Electronic Cash

Electronic cash transactions are more efficient and less costly than other methods. The distance that an electronic transaction must travel does not affect cost. The fixed cost of hardware to handle electronic cash is nearly zero. Electronic cash does not require that one party have any special authorization.

Disadvantages of Electronic Cash

Electronic cash provides no audit trail. Because true electronic cash is not traceable, money laundering is a problem. Electronic cash is susceptible to forgery. So far, electronic cash is a commercial flop.

Electronic Wallets

An electronic wallet serves a function similar to a physical wallet; it

holds credit cards, electronic cash, owner identification, and owner contact information provides owner contact information at an electronic commerce sites checkout counter

Some electronic wallets contain an address book.

Electronic Wallets (cont.)

Electronic wallets make shopping more efficient. Electronic wallets fall into two categories based on where they are stored:

Server-side electronic wallet Client-side electronic wallet

Electronic Wallets (cont.)

Electronic wallets store shipping and billing information, including a consumers first and last names, street address, city, state, country, and zip or postal code.

Electronic wallets automatically enter required information into checkout forms.

An Electronic Checkout Counter Form

10/22/2012

96

Electronic Wallets

Agile Wallet

Developed by CyberCash Allows customers to enter credit card and identifying information once, stored on a central server Information pops up in supported merchants payment pages, allowing one-click payment Does not support smart cards or CyberCash, but company expects to soon Developed by Launchpad Technologies Free wallet software that stores credit card and personal information on users computer, not on a central server; info is dragged into payment form from eWallet Information is encrypted and password protected Works with Netscape and Internet Explorer 97

eWallet

10/22/2012

Electronic Wallets

Microsoft Wallet

Comes pre-installed in Internet Explorer 4.0, but not in Netscape All information is encrypted and password protected Microsoft Wallet Merchant directory shows merchants setup to accept Microsoft Wallet

10/22/2012

98

Entering Information Into Microsoft Wallet

10/22/2012

99

W3C Proposed Standard for Electronic Wallets

World Wide Web Consortium (W3C) is attempting to create an extensible and interoperable method of embedding micropayment information on a web page

Extensible systems allow improvement of the system without eliminating previous work

Merchants must accept several payment options to insure the widest possible Internet audience

Merchants must embed in their Web page payment information specific to each payment system This redundancy spurred W3C to develop common standards for Web page markup for all payment systems Must move quickly to prevent current methods from becoming entrenched

10/22/2012

100

The ECML Standard

Electronic Commerce Modeling Language (ECML) proposed standards for electronic wallets

Companies forming the consortium are America Online, IBM, Microsoft, Visa, and MasterCard Ultimate goal is for all commerce sites to accept ECML Unclear how this standard will incorporate privacy standards W3C set forth Electronic Commerce Modeling Language (ECML) Wallet/Merchant Standards Initiative, July 1999

10/22/2012

101

ECML - Wallet/Merchant Standard

Creating a standard approach for the exchange of information will enhance the ability for digital wallets to be used at all merchant sites and therefore facilitate the growth of e-commerce ECML is a universal, open standard for digital wallets and online merchants that facilitates the seamless exchange of payment and order information to support online purchase transactions

Uniform field names only to start; will evolve over time

The ECML Alliance today:

America Online, American Express, Brodia (formerly Transactor Networks), Compaq, CyberCash, Discover, Financial Services Technology Consortium (FSTC), IBM, MasterCard, Microsoft, Novell, SETCo, Sun Microsystems, Trintech, and Visa

ECML is designed to be security protocol independent, support global implementations, and support any payment instrument

ECML does not change the look and feel of a merchants site 10/22/2012 102

Microsoft .NET Passport

Microsoft Passport Wallet comes preinstalled in Internet Explorer 4.0 and higher versions. All the personal data you enter into your Microsoft Passport, including; your name, address, and credit card information, are encrypted and password-protected. Passport consists of four integrated services: Passport single sign-in service, Passport Wallet Service, Kids Passport service, and public profiles.

The W3C Proposed Standard

The W3C Electronic Commerce Interest Group (ECIG) developed a set of standards called the the Common Markup for Micropayment Per-Fee-Links.

This standard identifies existing system micropayment types of online connections, stored-value systems, and combined online-offline systems.

Q&A
Thank You.
10/22/2012 105