chapter 05- payment and security 1.ppt

Upload: mrz-spy

Post on 23-Feb-2018


TRANSCRIPT

  • 7/24/2019 CHAPTER 05- PAYMENT AND SECURITY 1.ppt

    1/36

  • Slide 2/36

    Describe typical electronic payment systems for EC
    Identify the security requirements for safe electronic payments
    Describe the typical security schemes used to meet the security requirements
    Identify the players and procedures of the electronic credit card system on the Internet
    Discuss the relationship between SSL and SET protocols

  • Slide 3/36

    Discuss the relationship between electronic fund transfer and debit card
    Describe the characteristics of a stored value card
    Classify and describe the types of IC cards used for payments
    Discuss the characteristics of electronic check systems

  • Slide 4/36

    SSL (Secure Socket Layer)
    - A part of SSL is available on customers' browsers
    - It is basically an encryption mechanism for order taking, queries and other applications
    - It does not protect against all security hazards
    - It is mature, simple, and widely used
    SET (Secure Electronic Transaction)
    - SET is a very comprehensive security protocol
    - It provides for privacy, authenticity, integrity, and non-repudiation
    - It is used very infrequently due to its complexity and the need for a special card reader by the user
    - It may be abandoned if it is not simplified/improved

  • Slide 5/36

    SET Protocol is for Credit Card Payments
    Electronic Cash and Micropayments
    Electronic Fund Transfer on the Internet
    Stored Value Cards and Electronic Cash
    Electronic Check Systems

  • Slide 6/36: Security requirements

    Authentication: A way to verify the buyer's identity before payments are made
    Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
    Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
    Non-repudiation: Merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payment

  • Slide 7/36: Secret Key Cryptography (symmetric)

    [Figure] Sender: Original Message -> Encryption with Key_sender -> Scrambled Message -> Internet -> Receiver: Decryption with Key_receiver -> Original Message, where Key_sender = Key_receiver.

  • Slide 8/36: Public Key Cryptography

    [Figure, encryption] Sender: Original Message -> encrypt with Public Key_receiver -> Scrambled Message -> Internet -> Receiver: decrypt with Private Key_receiver -> Original Message.
    [Figure, digital signature] Sender: Original Message -> encrypt with Private Key_sender -> Scrambled Message -> Internet -> Receiver: decrypt with Public Key_sender -> Original Message.

  • Slide 9/36: Digital Signature

    A digital signature is attached by a sender to a message encrypted in the receiver's public key. The receiver is the only one that can read the message and at the same time he is assured that the message was indeed sent by the sender.
    Sender encrypts a message with her private key. Any receiver with the sender's public key can read it.
    Analogous to a handwritten signature

  • Slide 10/36: Certificate

    [Figure] Sample certificate with the fields Name (Richard), Key-Exchange Key, Signature Key, Serial #, Other Data, Expires, and Signed (CA's signature).
    Identifying the holder of a public key (Key-Exchange)
    Issued by a trusted certificate authority (CA)

  • Slide 11/36: Certificate Authority (e.g. VeriSign)

    [Figure] Hierarchy of Certificate Authorities: RCA (Root Certificate Authority) at the top, then BCA (Brand Certificate Authority) and GCA (Geo-political Certificate Authority), and below them CCA (Cardholder Certificate Authority), MCA (Merchant Certificate Authority) and PCA (Payment Gateway Certificate Authority).
    A certificate authority needs to be verified by a government or a well trusted entity (e.g., post office)
    Public or private, comes in levels (hierarchy)
    A trusted third party service
    Issuer of digital certificates
    Verifying that a public key indeed belongs to a certain individual

  • Slide 12/36: The Players

    Cardholder
    Merchant (seller)
    Issuer (your bank)
    Acquirer (merchant's financial institution, acquires the sales slips)
    Brand (VISA, MasterCard)

  • Slide 13/36: The process of using credit cards offline

    - The cardholder requests the issuance of a card brand (like Visa and MasterCard) from an issuer bank in which the cardholder may have an account.
    - The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office. A plastic card is physically delivered to the customer's address by mail. The card comes into effect when the cardholder calls the bank for initiation and signs on the back of the card.
    - The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
    - Upon the approval, the merchant requests payment from the merchant's acquirer bank, and pays a fee for the service. This process is called a "capturing process".
    - The acquirer bank requests the issuer bank to pay for the credit amount.

  • Slide 14/36

    [Figure] Credit Card Procedure (offline and online): entities Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account) and Acquirer Bank (Merchant Account); the flows between them are labelled credit card, payment authorization, payment data, account debit data and amount transfer. Prentice Hall, 2000

  • Slide 15/36: Sender's Computer

    1. The message is hashed to a prefixed length of message digest.
    2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
    3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
    4. The symmetric key itself is encrypted with the receiver's public key which was sent to the sender in advance. The result is a digital envelope.

    Prentice Hall, 2000

  • Slide 16/36

    [Figure] Sender's Computer: Message -> hash -> Message Digest -> encrypt with Sender's Private Signature Key -> Digital Signature; Message + Digital Signature + Sender's Certificate -> encrypt with Symmetric Key -> Encrypted Message; Symmetric Key -> encrypt with Receiver's Key-Exchange Key (from Receiver's Certificate) -> Digital Envelope. Prentice Hall, 2000

  • Slide 17/36: Receiver's Computer

    5. The encrypted message and digital envelope are transmitted to the receiver's computer via the Internet.
    6. The digital envelope is decrypted with the receiver's private exchange key.
    7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
    8. To confirm the integrity, the digital signature is decrypted by the sender's public key, obtaining the message digest.
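    The eight steps above (sender's computer, then receiver's computer) carried through in Go as an added example; this is not code from the slides or from the SET specification. Seal performs the sender's steps and Open the receiver's. The function names are mine; AES-GCM stands in for the slides' DES, SHA-256 is the hash, RSA PKCS#1 v1.5 produces the signature and RSA-OAEP wraps the symmetric key; the sender's certificate is left out, so the receiver is handed the sender's public signature key directly, and the keys are constructed locally rather than CA-certified.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what is transmitted: the encrypted (signature || message) and the wrapped symmetric key.
type Envelope struct{ Nonce, Ciphertext, WrappedKey []byte }

// NewKey returns a constructed 2048-bit RSA key (a real SET party holds CA-certified keys).
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // error only on a broken RNG; ignored here
	return k
}

// Seal is the sender side (steps 1-4): hash the message, sign the digest with the private signature
// key, encrypt signature+message under a fresh symmetric key, then wrap that key for the receiver.
func Seal(msg []byte, senderSig *rsa.PrivateKey, receiverKX *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderSig, crypto.SHA256, digest[:])
	if err != nil { return nil, err }
	buf := make([]byte, 44) // fresh symmetric key (32 B) and GCM nonce (12 B) for this transaction only
	rand.Read(buf)
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverKX, key, nil) // the digital envelope
	if err != nil { return nil, err }
	return &Envelope{nonce, gcm.Seal(nil, nonce, append(sig, msg...), nil), wrapped}, nil
}

// Open is the receiver side (steps 6-8): unwrap the symmetric key with the private key-exchange
// key, decrypt, recompute the digest and verify the signature with the sender's public signature key.
func Open(env *Envelope, receiverKX *rsa.PrivateKey, senderSig *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverKX, env.WrappedKey, nil)
	if err != nil { return nil, err } // wrong private key-exchange key: the envelope stays closed
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil { return nil, err } // ciphertext altered in transit (integrity failure)
	sig, msg := pt[:senderSig.Size()], pt[senderSig.Size():]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(senderSig, crypto.SHA256, digest[:], sig); err != nil { return nil, err }
	return msg, nil
}
```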

  • Slide 18/36

    [Figure] Receiver's Computer: Digital Envelope -> decrypt with Receiver's Private Key-Exchange Key -> Symmetric Key; Encrypted Message -> decrypt with Symmetric Key -> Message + Digital Signature + Sender's Certificate; Digital Signature -> decrypt with Sender's Public Signature Key -> Message Digest; Message -> hash -> Message Digest; compare the two digests. Prentice Hall, 2000

  • Slide 19/36

    [Figure] Entities of SET Protocol in Cyber Shopping: Customer X and Customer Y with Digital Wallets and an IC Card Reader; Certificate Authority; Electronic Shopping Mall with Merchant A and Merchant B; Credit Card Brand; Payment Gateway; the SET protocol runs between them. Prentice Hall, 2000

  • Slide 20/36: SET versus SSL

    Secure Electronic Transaction (SET):
    - Complex
    - SET is tailored to the credit card payment to the merchants.
    - SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature.
    Secure Socket Layer (SSL):
    - Simple
    - SSL is a protocol for general-purpose secure message exchanges (encryption).
    - SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and the credit card information, because the capturing process should be initiated by the merchants.
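    The dual signature named above, written out as an added example that is not code from the slides or from the SET specification. The cardholder signs the hash of the two digests; the merchant verifies with the order information (OI) plus only the digest of the payment instruction (PI), and the bank verifies with PI plus only the digest of OI, so neither party sees the other's data. Function names, SHA-256 and RSA PKCS#1 v1.5 are my choices, and the key is constructed locally rather than certified by a CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// DualSignature is what the cardholder sends: one signature over the digests
// of both the order information (OI) and the payment instruction (PI).
type DualSignature struct{ OIDigest, PIDigest, Sig []byte }

// dualDigest hashes the two digests together; either party can recompute it
// from its own plaintext plus the other part's digest.
func dualDigest(oiDigest, piDigest []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, oiDigest...), piDigest...))
	return d[:]
}

// Sign (cardholder): hash OI and PI separately, hash the pair, sign the result.
func Sign(oi, pi []byte, cardholder *rsa.PrivateKey) (*DualSignature, error) {
	ho, hp := sha256.Sum256(oi), sha256.Sum256(pi)
	sig, err := rsa.SignPKCS1v15(rand.Reader, cardholder, crypto.SHA256, dualDigest(ho[:], hp[:]))
	if err != nil {
		return nil, err
	}
	return &DualSignature{ho[:], hp[:], sig}, nil
}

// VerifyMerchant: the merchant holds OI in the clear and only PI's digest, so it
// can check the signature without ever seeing the card data.
func VerifyMerchant(oi []byte, ds *DualSignature, cardholder *rsa.PublicKey) bool {
	ho := sha256.Sum256(oi)
	return rsa.VerifyPKCS1v15(cardholder, crypto.SHA256, dualDigest(ho[:], ds.PIDigest), ds.Sig) == nil
}

// VerifyBank: the bank (via the payment gateway) holds PI in the clear and only
// OI's digest, so it never learns what was ordered.
func VerifyBank(pi []byte, ds *DualSignature, cardholder *rsa.PublicKey) bool {
	hp := sha256.Sum256(pi)
	return rsa.VerifyPKCS1v15(cardholder, crypto.SHA256, dualDigest(ds.OIDigest, hp[:]), ds.Sig) == nil
}

// NewKey returns a constructed 2048-bit key standing in for the cardholder's certified signature key.
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // error only on a broken RNG; ignored here
	return k
}
```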

  • Slide 21/36

    [Figure] An Architecture of Electronic Fund Transfer on the Internet: Payer -> Cyber Bank (Bank with Payment Gateway) -> Internet -> Cyber Bank (Bank with Payment Gateway) -> Payee; the banks are linked through an Automated Clearinghouse and a VAN.

  • Slide 22/36

    A delivery vehicle of cash in an electronic form
    Mondex, VisaCash applied this approach
    Either anonymous or onymous
    CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet

  • Slide 23/36

    It is an EDI used for financial transactions
    - EDI is a standardized way of exchanging messages between businesses
    - EFT can be implemented using a Financial EDI system
    Safe Financial EDI needs to adopt a security scheme used for the SSL protocol
    Extranet encrypts the packets exchanged between senders and receivers using public key cryptography

  • Slide 24/36: Smart Cards

    The concept of e-cash is used in the non-Internet environment
    Plastic cards with magnetic stripes (old technology)
    Includes IC chips with programmable functions on them which makes cards "smart"
    One e-cash card for one application
    Recharge the card only at designated locations, such as a bank office or a kiosk; Future: recharge at your PC
    e.g. Mondex, VisaCash

  • Slide 25/36: Shopping with Mondex

    Adding money to the card
    Payments in a new era of electronic shopping
    Paying on the Internet

  • Slide 26/36: DigiCash

    The analogy of paper money or coins
    Expensive, as each payment transaction must be reported to the bank and recorded
    Conflict with the role of central banks' bill issuance
    Legally,

  • Slide 27/36: Stored Value Cards

    No issuance of money; a delivering vehicle of cash in an electronic form
    Either anonymous or onymous
    Advantage of an anonymous card: the card may be given from one person to another
    Also implemented on the Internet without employment of an IC card

  • Slide 28/36

    Smart card-based e-cash
    - Can be recharged at home through the Internet
    - Can be used on the Internet as well as in a non-Internet environment
    Ceiling of Stored Values
    - To prevent the abuse of stored values in money laundering
    - S$500 in Singapore; HK$3,000 in Hong Kong
    Multiple Currencies
    - Can be used for cross-border payments

  • Slide 29/36

    Proximity Card
    - Used to access buildings and for paying in buses and other transportation systems
    - Bus, subway and toll card in many cities
    Amplified Remote Sensing Card
    - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
    - Pay toll without stopping, e.g. Highway

  • Slide 30/36

    [Figure] Procedure of Financial Service Technology Consortium Prototype: the Payer, using a Signature (Card) Workstation, places Check, Signature, Certificate, Remittance and Invoice in a Secure Envelope and sends it by E-Mail or WWW; the Payee adds Endorsement and Certificate and deposits the check at the Payee's Bank (Credit account, Account Receivable); the Payee's Bank clears the check with the Payer's Bank (Debit account); the Payer receives a mail statement with an E-Check line item.

  • Slide 31/36: Electronic Checkbook

    Counterpart of the electronic wallet
    To be integrated with the accounting information system of business buyers and with the payment server of sellers
    To save the electronic invoice and receipt of payment in the buyers' and sellers' computers for future retrieval
    Example: SafeCheck
    Used mainly in B2B

  • Slide 32/36

    [Figure] The Architecture of SafeCheck: the Payer's checkbook agent issues a check to the Payee's check-receipt agent over the Internet and gets a receipt back; the control agent of the payer's bank screens the checkbook (request of screening, screened result, check issuance report), the check is presented to the control agent of the payee's bank, and the two banks clear between them. Prentice Hall, 2000

  • Slide 33/36

    Two potential consolidations
    - The on-line electronic check is merging with EFT
    - The electronic check with a designated settlement date is merging with electronic credit cards
    Security First Network Bank (SFNB)
    - First cyberbank
    - Lower service charges to challenge the service fees of traditional banks
    Visa
    - VisaCash is a debit card
    - ePay is an EFT service

  • Slide 34/36

    An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
    The stored value in an IC card can be delivered in an anonymous mode
    Malaysia's Multimedia Super Corridor project pursues a One-Card system
    Relationship Card by Visa is also attempting a one card system

  • Slide 35/36

    Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
    Don't walk away from your computer if you are in the middle of a session.
    Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites. If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored on your hard drive.
    Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.

  • Slide 36/36

    Security solution providers can cultivate the opportunity of providing solutions for the secure electronic payment systems
    Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
    Electronic stores should select an appropriate set of electronic payment systems
    Banks need to develop cyberbank services to be compatible with the various electronic payment systems
    Credit card brand companies need to develop an EC standard like SET, and watch the acceptance by customers
    Smart card brands should develop a business model in cooperation with application sectors and banks
    Certificate authorities need to identify the types of certificate to provide