Submitted by:

Amit Tripathy
13MBA001

What Electronic Payment

System is?
Electronic Payment is a financial
exchange that takes place online between
buyers and sellers. The content of this
exchange is usually some form of digital
financial instrument (such as encrypted
credit card numbers, electronic cheques or
digital cash) that is backed by a bank or an
intermediary, or by a legal tender.

Why E-payments?
The various factors that have lead
the financial institutions to make
use of electronic payments are:
Decreasing technology cost:
Reduced operational and
processing cost:
Increasing online commerce:

Types of EPS
E- CASH

SMART CARDS

E- WALLETS

CREDIT CARDS

E-cash
Term that describes any value storage and
exchange system created by a private entity
that:
Does not use paper documents or coins

Can serve as a substitute for government-issued

physical currency
It

allows a person to pay for goods or

services by transmitting a number from
one computer to another

Like the serial

numbers on real
currency notes, the
E-cash numbers are
unique.
This is issued by a
bank and represents
a specified sum of
real money.
It is anonymous and
reusable.

E-Wallet
The E-wallet is another payment scheme
that operates like a carrier of e-cash and
other information.
The aim is to give shoppers a single, simple,
and secure way of carrying currency
electronically.
Trust is the basis of the e-wallet as a form of
electronic payment.
Ex: Microsoft .NET Passport, Yahoo! Wallet

Advantage

Hold credit card

numbers, electronic
cash, owner
identification, and
contact information

Give consumers the

benefit of entering their
information just once

Make shopping more

efficient

Smart Cards
A smart card, is any
pocket-sized card with
embedded integrated
circuits which can process
data
This implies that it can
receive input which is
processed and delivered as
an output

Stored-value cards that

Can hold private user

data, such as financial

facts

Can store about 100

times more
information than a
magnetic strip plastic
card

Safer than

conventional credit
cards

Credit Cards
It is a Plastic Card having a Magnetic
Number and code on it.
It has Some fixed amount to spend.
Customer has to repay the spend amount
after sometime.

Electronic Credit Card System

on the Internet
The Players
Cardholder
Merchant (seller)

Issuer (your bank)

Acquirer (merchants financial institution,

acquires the sales slips)

Brand (VISA, Master Card)

The process of using credit cards offline

A cardholder requests the issuance of a
card brand (like Visa and MasterCard) to
an issuer bank in which the cardholder
may have an account.
A plastic card is physically delivered
to the customers address by mail.
The cardholder shows the card to a
merchant to pay a requested amount.
Then the merchant asks for approval
from the brand company.
The acquirer bank requests the issuer
bank to pay for the credit amount.

The authorization of card issuance by

the issuer bank, or its designated brand
company, may require customers
physical visit to an office.
The card can be in effect as the
cardholder calls the bank for initiation
and signs on the back of the card.
Upon the approval, the merchant
requests payment to the merchants
acquirer bank, and pays fee for the
service. This process is called a
capturing process

Cardholder

credit
card

Merchant

Payment authorization,
payment data
Card Brand Company

payment data

account debit data

payment data
amount transfer
Issuer Bank
Cardholder
Account

Acquirer Bank
Merchant
Account

Security requirements

Authentication: A way to verify the buyers identity

before payments are made

Integrity: Ensuring that information will not be
accidentally or maliciously altered or destroyed, usually
during transmission
Encryption: A process of making messages
indecipherable except by those who have an authorized
decryption key
Non-repudiation: Merchants need protection against
the customers unjustifiable denial of placed orders, and
customers need protection against the merchants
unjustifiable denial of past payment

Security Schemes

Secret Key Cryptography (symmetric)

Keysender (= Keyreceiver)

Original
Message

Scrambled
Message

Sender
Encryption

Keyreceiver

Internet

Scrambled
Message
Decryption

Original
Message
Receiver

Public Key Cryptography

Public Keyreceiver

Message

Original
Message

Scrambled
Message

Private Keyreceiver

Internet

Scrambled
Message

Sender

Receiver

Private Keysender
Digital
Signature

Original
Message
Sender

Original
Message

Scrambled
Message

Public Keysender

Internet

Scrambled
Message

Original
Message
Receiver

Digital Signature
Analogous to handwritten signature
Sender encrypts a
message with her
private key

A digital signature is attached

by a sender to a message
encrypted in the receivers
public key

Any receiver with senders

public key can read it

The receiver is the only one that

can read the message and at the
same time he is assured that the
message was indeed sent by the
sender

Certificate
Identifying the holder of a public key (KeyExchange)
Issued by a trusted certificate authority (CA)
Name : Richard
key-Exchange Key :
Signature Key :
Serial # : 29483756
Other Data : 10236283025273
Expires : 6/18/96
Signed : CAs Signature

Certificate Authority - e.g. VeriSign

Public or private, comes in levels (hierarchy)

A trusted third party services
Issuer of digital certificates
Verifying that a public key indeed belongs to a
certain individual
RCA
BCA

GCA
CCA

MCA

PCA

RCA : Root Certificate Authority

BCA : Brand Certificate Authority
GCA : Geo-political Certificate Authority
CCA : Cardholder Certificate Authority
MCA : Merchant Certificate Authority
PCA : Payment Gateway
Certificate Authority

Hierarchy of Certificate Authorities

Certificate authority needs to be verified by a government or well trusted entity ( e.g., post office)

Secure Electronic
Transaction (SET) Protocol
Jointly designed by MasterCard and Visa with backing

of Microsoft, Netscape, IBM, GTE, SAIC, and others

Designed to provide security for card payments as they
travel on the Internet
Contrasted with Secure Socket Layers (SSL) protocol, SET

validates consumers and merchants in addition to providing

secure transmission

SET specification
Uses public key cryptography and digital certificates for

validating both consumers and merchants

Provides privacy, data integrity, user
authentication, and consumer nonrepudiation

and

merchant

Senders Computer
1. The message is hashed to a prefixed length of message digest.
2. The message digest is encrypted with the senders private signature
key, and a digital signature is created.
3. The composition of message, digital signature, and Senders
certificate is encrypted with the symmetric key which is generated at
senders computer for every transaction. The result is an encrypted
message. SET protocol uses the DES algorithm instead of RSA for
encryption because DES can be executed much faster than RSA.
4. The Symmetric key itself is encrypted with the receivers public key
which was sent to the sender in advance. The result is a digital
envelope.

Receivers Computer
5. The encrypted message and digital envelope are transmitted to
receivers computer via the Internet.
6. The digital envelope is decrypted with receivers private exchange key.
7. Using the restored symmetric key, the encrypted message can be
restored to the message, digital signature, and senders certificate.
8. To confirm the integrity, the digital signature is decrypted by senders
public key, obtaining the message digest.
9. The delivered message is hashed to generate message digest.
10. The message digests obtained by steps 8 and 9 respectively, are
compared by the receiver to confirm whether there was any change
during the transmission. This step confirms the integrity.

A part of SSL (Secure Socket Layer) is available on

customers browsers
it is basically an encryption mechanism for order taking, queries and

other applications
it does not protect against all security hazards
it is mature, simple, and widely use

SET ( Secure Electronic Transaction) is a very

comprehensive security protocol
it provides for privacy, authenticity, integrity, and, or repudiation
it is used very infrequently due to its complexity and the need for a

special card reader by the user

it may be abandoned if it is not simplified/improved

SET Vs. SSL

Secure Electronic Transaction (SET)

Secure Socket Layer (SSL)

Complex

Simple

SET is tailored to the credit card

payment to the merchants.

SSL is a protocol for generalpurpose secure message

exchanges (encryption).
SSL protocol may use a
certificate, but there is no payment
gateway. So, the merchants need
to receive both the ordering
information and credit card
information, because the capturing
process should be initiated by the
merchants.

SET protocol hides the customers

credit card information from
merchants, and also hides the order
information to banks, to protect
privacy. This scheme is called dual
signature.

Managerial Issues

Security solution providers can cultivate the opportunity of providing

solutions for the secure electronic payment systems

Electronic payment system solution providers can offer various types

of electronic payment systems to electronic stores and banks

Electronic stores should select an appropriate set of electronic payment

systems

Banks need to develop cyberbank services to be compatible with the various

electronic payment system

Credit card brand companies need to develop an EC standard like SET,

and watch the acceptance by customers

Smart card brand should develop a business model in cooperation with

application sectors and banks

Certificate authority needs to identify the types of certificate to provide