8el.paymt
TRANSCRIPT
-
7/31/2019 8El.Paymt
1/36
Prentice Hall, 2000
Chapter 8
Electronic Payment Systems
and Security
-
Learning Objectives
Describe typical electronic payment systems for EC
Identify the security requirements for safe electronic payments
Describe the typical security schemes used to meet the security requirements
Identify the players and procedures of the electronic credit card system on the Internet
Discuss the relationship between SSL and SET protocols
-
Learning Objectives (cont.)
Discuss the relationship between electronic fund transfer and debit card
Describe the characteristics of a stored value card
Classify and describe the types of IC cards used for payments
Discuss the characteristics of electronic check systems
-
SSL Vs. SET: Who Will Win?
A part of SSL (Secure Socket Layer) is available on customers' browsers
  it is basically an encryption mechanism for order taking, queries and other applications
  it does not protect against all security hazards
  it is mature, simple, and widely used
SET (Secure Electronic Transaction) is a very comprehensive security protocol
  it provides for privacy, authenticity, integrity, and non-repudiation
  it is used very infrequently due to its complexity and the need for a special card reader by the user
  it may be abandoned if it is not simplified/improved
-
Payments, Protocols and Related Issues
SET Protocol is for Credit Card Payments
Electronic Cash and Micropayments
Electronic Fund Transfer on the Internet
Stored Value Cards and Electronic Cash
Electronic Check Systems
-
Payments, Protocols and Related Issues (cont.)
Security requirements
Authentication: A way to verify the buyer's identity before payments are made
Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
Non-repudiation: Merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payment
-
Security Schemes
Secret Key Cryptography (symmetric)
[Figure: the sender encrypts the original message with Key_sender into a scrambled message, which crosses the Internet; the receiver decrypts it with Key_receiver back into the original message. Key_sender = Key_receiver.]
-
Security Schemes (cont.)
Public Key Cryptography
[Figure: the sender encrypts the original message with the receiver's public key into a scrambled message, which crosses the Internet; the receiver decrypts it with the receiver's private key.]
[Figure: Digital Signature. The sender encrypts the original message with the sender's private key into a scrambled message, which crosses the Internet; the receiver decrypts it with the sender's public key.]
-
Security Schemes (cont.)
Digital Signature
Analogous to handwritten signature
Sender encrypts a message with her private key
Any receiver with sender's public key can read it
A digital signature is attached by a sender to a message encrypted in the receiver's public key
The receiver is the only one that can read the message and at the same time he is assured that the message was indeed sent by the sender
-
Security Schemes (cont.)
Certificate
Identifying the holder of a public key (Key-Exchange)
Issued by a trusted certificate authority (CA)
Sample certificate:
  Name : Richard
  Key-Exchange Key :
  Signature Key :
  Serial # : 29483756
  Other Data : 10236283025273
  Expires : 6/18/96
  Signed : CA's Signature
-
Security Schemes (cont.)
Certificate Authority - e.g. VeriSign
Public or private, comes in levels (hierarchy)
A trusted third party service
Issuer of digital certificates
Verifying that a public key indeed belongs to a certain individual
Hierarchy of Certificate Authorities
[Figure: hierarchy of certificate authorities, from top to bottom: RCA, BCA, GCA, then CCA, MCA and PCA.]
RCA : Root Certificate Authority
BCA : Brand Certificate Authority
GCA : Geo-political Certificate Authority
CCA : Cardholder Certificate Authority
MCA : Merchant Certificate Authority
PCA : Payment Gateway Certificate Authority
Certificate authority needs to be verified by a government or well trusted entity (e.g., post office)
-
Electronic Credit Card System on the Internet
The Players
Cardholder
Merchant (seller)
Issuer (your bank)
Acquirer (merchant's financial institution, acquires the sales slips)
Brand (VISA, Master Card)
-
Electronic Credit Card System on the Internet (cont.)
The process of using credit cards offline
A cardholder requests the issuance of a card brand (like Visa and MasterCard) to an issuer bank in which the cardholder may have an account.
The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
A plastic card is physically delivered to the customer's address by mail.
The card can be in effect as the cardholder calls the bank for initiation and signs on the back of the card.
The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
Upon the approval, the merchant requests payment to the merchant's acquirer bank, and pays a fee for the service. This process is called a capturing process.
The acquirer bank requests the issuer bank to pay for the credit amount.
-
Credit Card Procedure (offline and online)
[Figure: parties shown are the Cardholder, the Merchant, the Card Brand Company, the Issuer Bank (Cardholder Account) and the Acquirer Bank (Merchant Account). Flows labelled in the figure: credit card; payment authorization, payment data; account debit data; payment data; amount transfer.]
-
Secure Electronic Transaction (SET) Protocol
Sender's Computer
1. The message is hashed to a message digest of a predetermined, fixed length.
2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
4. The symmetric key itself is encrypted with the receiver's public key which was sent to the sender in advance. The result is a digital envelope.
-
Sender's Computer
[Figure: the Message is hashed into a Message Digest, which is encrypted with the Sender's Private Signature Key to form the Digital Signature. Message + Digital Signature + Sender's Certificate are encrypted with the Symmetric Key into the Encrypted Message. The Symmetric Key is encrypted with the Receiver's Key-Exchange Key, taken from the Receiver's Certificate, into the Digital Envelope.]
-
Secure Electronic Transaction (SET) Protocol (cont.)
Receiver's Computer
5. The encrypted message and digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private exchange key.
7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
8. To confirm the integrity, the digital signature is decrypted by the sender's public key, obtaining the message digest.
9. The delivered message is hashed to generate a message digest.
10. The message digests obtained by steps 8 and 9 respectively are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
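The ten steps above (sender steps 1-4, receiver steps 5-10), as an added Python example that is not part of the original slides. Assumptions: SHA-256 is the hash, toy textbook RSA over well-known Mersenne primes stands in for the signature and key-exchange keys, and a SHA-256 keystream XOR stands in for DES; all function and variable names are hypothetical and none of this is secure for real use.

```python
import hashlib, json, secrets

# Toy textbook-RSA key pairs from well-known Mersenne primes (assumption, NOT
# secure): stand-ins for the signature and key-exchange keys on the slides.
def toy_keypair(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

SENDER_SIG = toy_keypair(2**521 - 1, 2**607 - 1)     # sender's signature key
RECEIVER_KX = toy_keypair(2**607 - 1, 2**1279 - 1)   # receiver's key-exchange key

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for DES: XOR with a SHA-256 counter keystream (illustration only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sender_pack(msg: bytes, cert: str):
    # Steps 1-2: hash the message, sign the digest with the private signature key.
    sig = pow(digest(msg), SENDER_SIG["d"], SENDER_SIG["n"])
    bundle = json.dumps({"msg": msg.hex(), "sig": sig, "cert": cert}).encode()
    # Step 3: fresh symmetric key per transaction encrypts message+signature+cert.
    sym_key = secrets.token_bytes(16)
    encrypted = stream_xor(sym_key, bundle)
    # Step 4: digital envelope = symmetric key under the receiver's public key.
    envelope = pow(int.from_bytes(sym_key, "big"),
                   RECEIVER_KX["e"], RECEIVER_KX["n"])
    return encrypted, envelope                        # step 5: both are transmitted

def receiver_unpack(encrypted: bytes, envelope: int):
    # Step 6: open the envelope with the receiver's private key-exchange key.
    k = pow(envelope, RECEIVER_KX["d"], RECEIVER_KX["n"])
    # Step 7: restore message, signature and certificate.
    bundle = json.loads(stream_xor(k.to_bytes(16, "big"), encrypted))
    msg = bytes.fromhex(bundle["msg"])
    # Step 8: recover the signed digest with the sender's public signature key.
    signed_digest = pow(bundle["sig"], SENDER_SIG["e"], SENDER_SIG["n"])
    # Steps 9-10: re-hash the delivered message and compare the two digests.
    return msg, bundle["cert"], signed_digest == digest(msg)
```

Flipping one bit of the encrypted message in transit still decrypts to a readable message, but the comparison in step 10 returns False, which is the integrity check the slide describes.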
-
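Receiver's Computer
[Figure: the Digital Envelope is decrypted with the Receiver's Private Key-Exchange Key to recover the Symmetric Key. The Encrypted Message is decrypted with the Symmetric Key into Message + Digital Signature + Sender's Certificate. The Digital Signature is decrypted with the Sender's Public Signature Key into a Message Digest; the Message is hashed into a second Message Digest; the two digests are compared.]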
-
Entities of SET Protocol in Cyber Shopping
[Figure: entities shown are Customer x and Customer y with digital wallets and an IC card reader, the Certificate Authority, the Electronic Shopping Mall (Merchant A, Merchant B), the Payment Gateway, and the Credit Card Brand. Protocol labelled in the figure: X.25.]
-
SET Vs. SSL
Secure Electronic Transaction (SET) | Secure Socket Layer (SSL)
Complex | Simple
SET is tailored to the credit card payment to the merchants. | SSL is a protocol for general-purpose secure message exchanges (encryption).
SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature. | SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants.
-
Electronic Fund Transfer (EFT) on the Internet
An Architecture of Electronic Fund Transfer on the Internet
[Figure: labels shown are Payer, Payee, Internet, Cyber Bank (two), Payment Gateway (two), Bank (two), VAN (two) and Automated Clearinghouse.]
-
Debit Cards
A delivery vehicle of cash in an electronic form
Mondex, VisaCash applied this approach
Either anonymous or onymous
CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet
-
Financial EDI
It is an EDI used for financial transactions
  EDI is a standardized way of exchanging messages between businesses
  EFT can be implemented using a Financial EDI system
Safe Financial EDI needs to adopt a security scheme used for the SSL protocol
Extranet encrypts the packets exchanged between senders and receivers using the public key cryptography
-
Electronic Cash and Micropayments
Smart Cards
  The concept of e-cash is used in the non-Internet environment
  Plastic cards with magnetic stripes (old technology)
  Includes IC chips with programmable functions on them which makes cards "smart"
  One e-cash card for one application
  Recharge the card only at designated locations, such as bank office or a kiosk. Future: recharge at your PC
  e.g. Mondex & VisaCash
-
Mondex Makes Shopping Easy
Shopping with Mondex
Adding money to the card
Payments in a new era of electronic
shopping
Paying on the Internet
-
Electronic Money
DigiCash
  The analogy of paper money or coins
  Expensive, as each payment transaction must be reported to the bank and recorded
  Conflict with the role of central bank's bill issuance
  Legally, DigiCash is not supposed to issue more than an electronic gift certificate even though it may be accepted by a wide number of member stores
-
Electronic Money (cont.)
Stored Value Cards
  No issuance of money
  Debit card: a delivering vehicle of cash in an electronic form
  Either anonymous or onymous
  Advantage of an anonymous card
    the card may be given from one person to another
  Also implemented on the Internet without employment of an IC card
-
Electronic Money (cont.)
Smart card-based e-cash
  Can be recharged at home through the Internet
  Can be used on the Internet as well as in a non-Internet environment
Ceiling of Stored Values
  To prevent the abuse of stored values in money laundering
  S$500 in Singapore; HK$3,000 in Hong Kong
Multiple Currencies
  Can be used for cross border payments
-
Contactless IC Cards
Proximity Card
  Used to access buildings and for paying in buses and other transportation systems
  Bus, subway and toll card in many cities
Amplified Remote Sensing Card
  Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  Pay toll without stopping (e.g. Highway 91 in California)
-
Electronic Check Systems
Procedure of Financial Service Technology Consortium Prototype
[Figure: labels shown are Payer (Workstation, Signature Card), Payee (Signature Card, Account Receivable), Payer's Bank (Debit account), Payee's Bank (Credit account); Secure Envelope containing Check, Signature, Certificates, Remittance and Invoice; Endorsement; Deposit check; Clear Check; E-Mail, WWW, ACH, ECP; Mall statement, E-Check line item.]
-
Electronic Check Systems (cont.)
Electronic Checkbook
  Counterpart of electronic wallet
  To be integrated with the accounting information system of business buyers and with the payment server of sellers
  To save the electronic invoice and receipt of payment in the buyer's and seller's computers for future retrieval
  Example : SafeCheck
  Used mainly in B2B
-
The Architecture of SafeCheck
[Figure: labels shown are Payer, Payee, Payer's checkbook agent, Payee's check-receipt agent, control agent of payer's bank, control agent of payee's bank, A/C DB (two), payer's bank, payee's bank, Internet. Flows labelled in the figure: Issue a check; Receipt; Request of screening check issuance; Checkbook, screened result; present; report; clearing.]
-
Integrating Payment Methods
Two potential consolidations:
  The on-line electronic check is merging with EFT
  The electronic check with a designated settlement date is merging with electronic credit cards
Security First Network Bank (SFNB)
  First cyberbank
  Lower service charges to challenge the service fees of traditional banks
Visa
  VisaCash is a debit card
  ePay is an EFT service
-
How Many Cards are Appropriate?
An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
The stored value in IC card can be delivered in an anonymous mode
Malaysia's Multimedia Super Corridor project pursues a One-Card system
Relationship Card by Visa is also attempting a one card system
-
Five Security Tips
Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
Don't walk away from your computer if you are in the middle of a session.
Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored in your hard drive.
Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.
-
Managerial Issues
Security solution providers can cultivate the opportunity of providing solutions for the secure electronic payment systems
Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
Electronic stores should select an appropriate set of electronic payment systems
Banks need to develop cyberbank services to be compatible with the various electronic payment systems
Credit card brand companies need to develop an EC standard like SET, and watch the acceptance by customers
Smart card brand should develop a business model in cooperation with application sectors and banks
Certificate authority needs to identify the types of certificate to
id