
Electronic Payment Systems

Intro
 Electronic payments deal with the strategies for the payment of goods and services by online customers.
 Various instruments used are
 Electronic Cash
 Electronic Checks
 Credit/Debit cards
 Smart cards
Types of Electronic Payment systems
 Token based payment systems
 Electronic Tokens in the form of Electronic cash/checks
 Electronic tokens can be classified as
 Cash or real time
 Debit or prepaid
 Credit or postpaid
 Credit card based payment systems
 Using plain credit card details
 Using encrypted credit card details
 Using third party verification
Electronic Payments: An Overview (cont.)
 Four parties involved in e-payments
 Issuer
 Customer/payer/buyer
 Merchant/payee/seller
 Regulator
 Key issues of trust must be addressed
 Privacy
 Authentication and authorization
 Integrity
 Nonrepudiation
Security for E-Payments
 Public key infrastructure
 Encryption model (figure): plaintext, encryption algorithm, key, ciphertext
 Types of encryption systems
 Symmetric (private key)
 Used to encrypt and decrypt plain text
 Shared by sender and receiver of text
 Asymmetric (public key)
 Uses a pair of keys
 Public key to encrypt the message
 Private key to decrypt the message
Private Key Encryption vs. Public Key Encryption (figure): compared by size of key and speed; example algorithms: Rijndael (symmetric) and RSA (asymmetric)
Security for E-Payments (cont.)
 Digital Signatures: authenticity and nondenial
 Analogous to handwritten signature
 Based on public keys
 Used to:
 Authenticate the identity of the sender of a message or document
 Ensure the original content of the electronic message or document is unchanged
Security for E-Payments (cont.)
 Digital Signatures: authenticity and nondenial (cont.)
 Benefits:
 Portable
 Cannot be easily repudiated or imitated
 Can be time stamped
Digital Signatures
Security for E-Payments (cont.)
 Digital certificates
 Identifying the holder of a public key (Key-Exchange)
 Issued by a trusted certificate authority (CA)
Sample certificate (figure): Name: “Richard”; Key-Exchange Key; Signature Key; Serial #: 29483756; Other Data: 10236283025273; Expires: 6/18/04; Signed: CA’s Signature
Digicash Model
Figure: Consumer, Merchant and Bank, with the following steps:
1. Consumer asks Bank for Digicash
2. Bank sends Digicash bits to consumer
3. Consumer sends Digicash to merchant in payment
4. Merchant checks that Digicash has not been double spent
5. Bank verifies that Digicash is valid
 Advantages
 Privacy, Scalability
 Disadvantages
 Complexity
 Detecting double spending
 Robustness against failure
 Accountability
Security for E-Payments (cont.)
 Secure socket layer/transport layer security
 Secure socket layer (SSL)—handled in the Web browser, utilizing CAs and data encryption
 Encryption
 Digital certificates
 Digital signatures
 In 1996 SSL was standardized and named transport layer security (TLS)
 Operates at TCP/IP layer (base layer for Internet)
 IPSec—secure version of IP protocol
SET Vs. SSL
Secure Electronic Transaction (SET):
 Complex
 SET—tailored to credit card payment to merchants
 SET protocol hides customer’s credit card information from merchants and order information from banks, to protect privacy (dual signature)
Secure Socket Layer (SSL):
 Simple
 SSL—protocol for general-purpose secure message exchanges (encryption)
 SSL protocol may use a certificate, but there is no payment gateway. Merchants need to receive ordering information and credit card information (capturing process initiated by merchants)
InformIT.com Online Bookstore

Source: informit.com.
InformIT.com SSL Encryption

Source: informit.com.
E-Cards
 Three common types of payment cards
 Credit cards—provide the holder with credit to make purchases up to a limit fixed by the card issuer
 Charge cards—balance on a charge card is supposed to be paid in full upon receipt of monthly statement
 Debit card—cost of a purchase drawn directly from holder’s checking account (demand-deposit account)
E-Cards
 The Players
 Cardholder
 Merchant (seller)
 Issuer (your bank)
 Acquirer (merchant’s financial institution, acquires the sales slips)
 Card association (VISA, MasterCard)
 Third-party processors (outsourcers performing same duties formerly provided by issuers, etc.)
Online Credit Card Processing
E-Cards
 E-wallets
 One-click shopping—saving your order information on retailer’s Web server
 Name
 Shipping address
 Billing address
 Credit card information
 E-wallet—software downloaded to cardholder’s desktop that stores same information and allows one-click-like shopping
E-Cards
 Other security risks with credit cards
 Stolen cards
 Reneging by the customer—authorizes a payment and later denies it
 Theft of card details stored on merchant’s computer—isolate computer storing information so it cannot be accessed directly from the Web
 Overcoming risks with virtual credit cards
E-Cards

 Purchase cards
 Instrument of choice for B2B purchasing
 Special-purpose, non-revolving payment cards
issued to employees solely for purchasing and
paying for nonstrategic materials and services
E-Cards
 Purchase cards—operate like other credit cards
 Cardholder of corporation places an order for goods or services
 Supplier processes transaction with authorization of card issuer
 Issuer verifies purchase authorization
E-Cards
 Purchase cards—operate like other credit cards (cont.)
 All cardholders’ transactions processed centrally—one payment for all purchases
 Each cardholder reviews monthly statement
 Card issuer analyzes transactions—standard and ad hoc reports are made
 Card issuer creates electronic file to upload to corporation’s ledger system
E-Cards

 Benefits of purchasing cards


 Cost savings
 Productivity gains
 Bill consolidation
 Payment reconciliation
 Preferred pricing
 Management reports
E-Cards
 Smart Cards
 Integrated circuit (IC) microprocessor cards—include IC chips with programmable functions that make cards “smart”
 Integrated circuit (IC) memory cards—no processor
 Suitable for uses where card performs fixed operation
 Disposable, prepaid (phone cards)
E-Cards
 Optical memory cards
 Stores 4MB of data; once written, data cannot be changed or removed
 Ideal for keeping records (medical files)
 Require expensive card readers
 Categorize smart cards by how they store data
 Contact card—insert in smart card reader
 Contactless card—embedded antenna read by another antenna (mass-transit applications)
Contactless IC Cards
 Proximity Card
 Used to access buildings and pay for buses and other transportation systems
 Bus, subway and toll card in many cities
 Amplified Remote Sensing Card
 Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
 Pay toll without stopping (e.g. Highway 91 in California)
Smart Card Image (figure showing the embedded chip)
Source: Visa.
E-Cards
 Smart cards are computer devices and require:
 Chip with an operating system to run applications
 Programming language to write applications
 Multipurpose cards use new operating systems
 MultOS
 JavaCard
 Microsoft Windows for Smart Cards
E-Cards

 Important applications of smart card use:


 Loyalty

 Financial

 Information technology
 Health and social welfare

 Transportation

 Identification
E-Cash and Payment Card Alternatives
 E-cash and credit card alternatives (for micropayments—under $10)
 E-cash (eCoin.net)
 Identity of user hidden from merchant
 Easier to use than earlier e-cash systems
 Requires specialized software
 Qpass (Qpass.com)
 Set up Qpass account
 User name and password
 What credit card to charge
E-Cash and Payment Card Alternatives
 PrivateBuy
 User establishes account
 User assigned 16-digit user number (anonymous address)
 Hides user name and card number from merchant site
 Relies on credit card system already in place
PrivateBuy Anonymous Shopping

Source: privatebuys.com
E-Cash and Payment Card Alternatives
 Echarge enables users to:
 Establish accounts
 Receive user ID and password
 Use instead of credit card numbers
 Purchases billed to user’s credit card
 Merchants must establish payment option
E-Cash and Payment Card Alternatives
 Stores cash downloaded from bank or credit card account
 Common uses
 Disposable vs. reloadable cards
 Sample cards
 Visa cash
 Mondex
 Electronic purses
 Lack of interoperable equipment and standards
 Common Electronic Purse Specification (CEPS)
E-Cash and
Payment Card Alternatives
 E-loyalty and rewards programs
 Loyalty programs online
 Beenz.com
• Consumer earns beenz by visiting, registering, or
purchasing at 300 participating sites
• Beenz are stored and used for later purchases
• Partnered with MasterCard to offer rewardzcard—
stored-value card used in U.S. and Canada for
purchases where MasterCard is accepted
• Transfer beenz into money to spend on Web, by phone,
mail order, physical stores
E-Cash and
Payment Card Alternatives
 MyPoints-CyberGold
• Customers earn cash
• Cash used for later purchases or applied to credit card
account
 RocketCash
• Combines online cash account with rewards program
• User opens account and adds funds
• Used to make purchases at participating merchants
E-Cash and Payment Card Alternatives
 Person-to-person (P2P) payments and gifts
 Enable transfer of funds between two individuals
 Repaying money borrowed
 Paying for an item purchased at online auction
 Sending money to students at college
 Sending a gift to a family member
Sending money with PayPal

Source: paypal.com.
E-Checking
 Electronic checkbook
 Counterpart of electronic wallet
 To be integrated with the accounting information system of business buyers and with the payment server of sellers
 To save the electronic invoice and receipt of payment in the buyers’ and sellers’ computers for future retrieval
 Example: SafeCheck
 Used mainly in B2B
E-Checking
 Current checking system
 Role of clearinghouses in the check-clearing process
 Magnetic ink characters (MICR)
 Costs of the current system
MICR Check Characters (figure)
E-Checking
 Electronic version of paper check
 Leverage check payment systems
 Fit within current business practices, eliminate need for process reengineering
 Work like paper check with fewer manual steps
E-Checking
 Designed to meet needs of businesses and consumers (state of the art security systems)
 Used by all bank customers with checking accounts
 Enhance existing bank accounts with new EC features
E-Checking
 Benefits of e-checking for industry-wide savings
 Online check collection process
 Online notices of check returns
 Truncating paper checks at bank of first deposit
 Creating new cash management product opportunities
E-Checking

 eCheck Secure
 Third party vendor with software for e-check
purchases
 Aimed at B2C sites
E-Checking
 Truncating paper checks at bank of first deposit
 Creating new cash management product opportunities
 Checkfree (checkfree.com) leading third-party e-billing vendor
E-Check Processing by eCheck Secure (figure)
Source: echecksecure.com
Digital Signatures in E-Check Processing (figure)
E-Checking
 Treasury Department expects e-checks to:
 Enhance security through use of public key cryptography
 “Push” a payment to the payee and not “pull” funds from general account of the U.S.
 Leverage Internet for its strength as ubiquitous communication vehicle
 Increase payment choices for U.S. Treasury payees
E-Billing
 Customers are either individuals or companies
 Two common models of e-billing
 Biller direct—customer receives bill from a single merchant
 Third-party consolidators—present bills from multiple merchants
Figure 14-15
E-Bill Presentment

Source: echecksecure.com
E-Billing Process for Single Biller
E-Billing Processes for Bill Consolidator
Managerial Issues
 In the B2C world, understand your customers and products
 In the B2B world, keep an open mind about online alternatives
 In-house or outsource
 Security continues to be a major issue
Electronic Cash
 Bit strings as tokens representing value (amount, serial #)
 Issued by banks
 Digital signature to protect integrity
 Anonymous
 Can be easily duplicated. Must prevent double spending by monitoring serial number reuse
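The token model above (and steps 4 and 5 of the Digicash Model) as an added example that is not part of the original slides: the bank signs (amount, serial) with a toy textbook RSA key built from two constructed small primes, the merchant verifies the signature, and the bank's deposit step rejects any serial number it has already seen. The blinding that gives real Digicash its anonymity is left out; the point here is integrity and double-spend detection.

```python
import hashlib
import secrets

# Toy textbook RSA key from two small fixed primes (constructed for this
# example only; a real issuer uses full-size keys and proper padding).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_digest(amount: int, serial: str) -> int:
    """Hash the token fields (amount, serial #) to an integer below N."""
    h = hashlib.sha256(f"{amount}:{serial}".encode()).digest()
    return int.from_bytes(h, "big") % N


def bank_issue(amount: int) -> dict:
    """Bank mints a token: amount, fresh serial number, signature over both."""
    serial = secrets.token_hex(8)
    return {"amount": amount, "serial": serial,
            "sig": pow(token_digest(amount, serial), D, N)}


def merchant_verify(token: dict) -> bool:
    """Merchant checks the bank's signature with the bank's public key (E, N)."""
    return pow(token["sig"], E, N) == token_digest(token["amount"], token["serial"])


class Bank:
    """Issuer side: keeps the serial numbers already deposited."""

    def __init__(self) -> None:
        self.spent: set[str] = set()

    def deposit(self, token: dict) -> str:
        if not merchant_verify(token):
            return "rejected: bad signature"
        if token["serial"] in self.spent:
            return "rejected: double spend"    # serial number reuse
        self.spent.add(token["serial"])
        return "accepted"


def demo() -> tuple:
    bank = Bank()
    coin = bank_issue(5)
    first = bank.deposit(coin)
    second = bank.deposit(coin)          # same token presented again
    forged = dict(coin, amount=500)      # tampered amount, stale signature
    third = bank.deposit(forged)
    return first, second, third
```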
Cash Transaction (figure: Buyer and Seller, their banks, and the Central Bank)
-2. Central bank issues fiduciary money (anti-forgery, serial numbers)
-1. Central bank sells cash to buyer’s bank
0. Buyer’s bank allows buyer to draw cash from buyer’s account
1. Buyer physically gives cash to seller (the visible transaction)
2. Seller deposits cash in seller’s bank account
3. Seller’s bank credits seller’s bank account
4. Seller’s bank sends cash to central bank
Digital Checks
 Consumers issue signed drafts on online bank accounts
 Merchants may do online or delayed clearing
 Clear through existing bank systems, e.g. ACH
 May attach remittance information
Figure: electronic check flow (steps 1 to 4) among Consumer, Merchant, Consumer’s Bank and Merchant’s Bank
ACH: Automated clearing house

Much like paper-based check clearing, except that


the information is in electronic form.
Today telecommunication channels can be used
for real-time clearance processing.

direct fund transfer (direct debit: your phone bill


is reduced monthly from your account
 direct credit: your salary is transferred every
month automatically into your account)
The check-clearing process (figure: A, B, A’s Bank (Paying Bank), B’s Bank (Collecting Bank), their Clearing Departments and the Clearing House)
1. A presents check to B.
2. B lodges it.
3. B’s Bank credits B’s account and forwards check for clearing.
4. Checks exchanged at the Clearing House.
5. A’s Bank verifies funds availability and debits A’s account.
Electronic Check Concept (figure)
Payer: an order form with order and pay info is signed with the signature “card” and certificate; the check goes to the payee by e-mail or WWW in a secure envelope.
Payee: the accounts receivable workstation checks the signature and certificate, endorses the check (indorsement with signature card and certificate), and sends it with a deposit slip in a secure envelope to the payee’s bank by e-mail or FTP.
Banks: the payee’s bank deposits the check and clears it with the payer’s bank via ACH/ECP; the payer’s bank debits the payer’s account and the payee’s bank credits the payee’s account; the mailed statement carries an e-check line item.
Electronic Check
 Electronic Checkbook:
 PCMCIA, Smart Card, PIN protected
 Key storage
 Signature and transaction logging
 Digital signatures: signing and endorsing
 Digital certificates: authenticate payor, payor bank and bank account
Credit Card Info Sent Direct to Merchant
Figure: Consumer sends the card number through an encrypted “tunnel” through the Internet to the Merchant, which forwards it over a private line to the Credit Card Acquirer
 Consumer sends card # direct to merchant
 Similar to today’s phone order
 Must trust merchant with card info
 High transaction costs
Third Party Intermediary Model (CyberCash)
Figure: Consumer reaches CyberCash through an encrypted “tunnel” through the Internet; CyberCash connects to the Credit Card Acquirer; the Merchant also communicates with CyberCash over the Internet
 Protects consumer’s card info
 Use Internet for reaching CyberCash gateway to acquirers
 Adds to credit card cost
Smart Cards

 Magnetic stripe
 Memory cards
 Optical memory cards
 Microprocessor cards
What makes the card smart?
 CPU (8-bit, 16/23 bit)
 Memory (RAM, ROM, EEPROM/Flash)
 I/O channel (Contact/Contactless)
 Cryptographic co-processor
 On card devices (Fingerprint, display)
 Standards (ISO 7816, GSM, EMV, VOP, CEPS)
A variety of terminals
 Embedded system
 Standards (ISO 7816, PC/SC, OCF)
Applications
 Bank card
 GSM SIM card
 Health card
 Pay-TV
 ID card
 Transport
 Campus card
Mondex
 Smart-card-based, stored-value card (SVC)
 Subsidiary of MasterCard
 Secret chip-to-chip transfer protocol
 Value is not in strings alone; must be on Mondex card
 Loaded through ATM
 Spending at merchants having a Mondex value transfer terminal
Mondex Components (Hitachi) (figure): Cashless ATM; PCMCIA Reader/Writer; Electronic Wallet; SONY RC-S833 smart card (I/O speed: 211 Kbps)
PayPal
 Pay anyone, anywhere via email
 16 million users
 Accounts insured up to $100,000
 Based on automated clearinghouse
 Withdraw funds anytime, or send to someone else
 Mobile payments (WAP)
Security Requirements
 Integrity (data should be protected against modification by unauthorised parties)
 Authenticity (parties should have certainty about each other's identity)
 Confidentiality (data should not be visible to unauthorised parties)
 Availability (data should be accessible by authorised parties)
 Non-repudiation (parties should not be able to deny the actions that they performed)
Secure Sockets Layer (SSL) (figure)
SOURCE: WEB SECURITY
SET Protocol (figure: message flow among Consumer, Merchant and Acquirer Bank)
Between Consumer and Merchant:
1. Request Transaction
2. Acknowledge request
3. Purchase Order
4. Purchase Order Verification
7. Status query
8. Purchase status information
Between Merchant and Acquirer Bank:
5. Customer payment data
6. Verify customer data
9. Request Payment
10. Verify Payment
