electronic payment systems and security
TRANSCRIPT
-
8/12/2019 Electronic Payment Systems and Security
Electronic Payment Systems
and Security
-
Learning Objectives
Describe typical electronic payment systems for EC
Identify the security requirements for safe electronic payments
Describe the typical security schemes used to meet the security requirements
Identify the players and procedures of the electronic credit card system on the Internet
Discuss the relationship between SSL and SET protocols
-
Learning Objectives (cont.)
Discuss the relationship between electronic fund transfer and debit card
Describe the characteristics of a stored value card
Classify and describe the types of IC cards used for payments
Discuss the characteristics of electronic check systems
-
SSL vs. SET: Who Will Win?
A part of SSL (Secure Socket Layer) is available on customers' browsers
  it is basically an encryption mechanism for order taking, queries and other applications
  it does not protect against all security hazards
  it is mature, simple, and widely used
SET (Secure Electronic Transaction) is a very comprehensive security protocol
  it provides for privacy, authenticity, integrity, and non-repudiation
  it is used very infrequently due to its complexity and the need for a special card reader by the user
  it may be abandoned if it is not simplified/improved
-
Payments, Protocols and Related Issues
SET Protocol is for Credit Card Payments
Electronic Cash and Micropayments
Electronic Fund Transfer on the Internet
Stored Value Cards and Electronic Cash
Electronic Check Systems
-
Payments, Protocols and Related Issues (cont.)
Security requirements
Authentication: A way to verify the buyer's identity before payments are made
Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
Non-repudiation: Merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchant's unjustifiable denial of past payment
-
Security Schemes
Secret Key Cryptography (symmetric)
[Figure: the sender encrypts the original message with Key_sender (= Key_receiver); the scrambled message travels over the Internet; the receiver decrypts it with Key_receiver to recover the original message.]
-
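Security Schemes (cont.)
Public Key Cryptography
[Figure, message: the sender encrypts the original message with the receiver's public key; the scrambled message travels over the Internet; the receiver decrypts it with the receiver's private key to recover the original message.]
[Figure, digital signature: the sender encrypts the original message with the sender's private key; the scrambled message travels over the Internet; the receiver decrypts it with the sender's public key to recover the original message.]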
-
Security Schemes (cont.)
Digital Signature
Analogous to handwritten signature
A digital signature is attached by a sender to a message encrypted in the receiver's public key
The receiver is the only one that can read the message and at the same time he is assured that the message was indeed sent by the sender
Sender encrypts a message with her private key
Any receiver with sender's public key can read it
-
Security Schemes (cont.)
Certificate
Identifying the holder of a public key (Key-Exchange)
Issued by a trusted certificate authority (CA)
Name : Richard
Key-Exchange Key :
Signature Key :
Serial # : 29483756
Other Data : 10236283025273
Expires : 6/18/96
Signed : CA's Signature
-
Security Schemes (cont.)
Certificate Authority - e.g. VeriSign
Public or private, comes in levels (hierarchy)
A trusted third party service
Issuer of digital certificates
Verifying that a public key indeed belongs to a certain individual
Hierarchy of Certificate Authorities
[Figure: hierarchy drawn from top to bottom as RCA, BCA, GCA, then CCA, MCA and PCA]
RCA : Root Certificate Authority
BCA : Brand Certificate Authority
GCA : Geo-political Certificate Authority
CCA : Cardholder Certificate Authority
MCA : Merchant Certificate Authority
PCA : Payment Gateway Certificate Authority
Certificate authority needs to be verified by a government or well trusted entity (e.g., post office)
-
Electronic Credit Card System
on the Internet
The Players
Cardholder
Merchant (seller)
Issuer (your bank)
Acquirer (merchant's financial institution, acquires the sales slips)
Brand (VISA, Master Card)
-
Electronic Credit Card System on the Internet (cont.)
The process of using credit cards offline
A cardholder requests the issuance of a card brand (like Visa and MasterCard) to an issuer bank in which the cardholder may have an account.
The authorization of card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
A plastic card is physically delivered to the customer's address by mail.
The card can be in effect as the cardholder calls the bank for initiation and signs on the back of the card.
The cardholder shows the card to a merchant to pay a requested amount. Then the merchant asks for approval from the brand company.
Upon the approval, the merchant requests payment to the merchant's acquirer bank, and pays a fee for the service. This process is called a capturing process.
The acquirer bank requests the issuer bank to pay for the credit amount.
-
Credit Card Procedure (offline and online)
[Figure: Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account) and Acquirer Bank (Merchant Account), connected by flows labelled: credit card; payment authorization, payment data; account debit data; payment data; amount transfer.]
Prentice Hall, 2000
-
Secure Electronic Transaction (SET) Protocol
Sender's Computer
1. The message is hashed to a message digest of fixed length.
2. The message digest is encrypted with the sender's private signature key, and a digital signature is created.
3. The composition of message, digital signature, and sender's certificate is encrypted with the symmetric key which is generated at the sender's computer for every transaction. The result is an encrypted message. SET protocol uses the DES algorithm instead of RSA for encryption because DES can be executed much faster than RSA.
4. The symmetric key itself is encrypted with the receiver's public key which was sent to the sender in advance. The result is a digital envelope.
-
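[Figure, sender's computer: the message is hashed to a message digest, which is encrypted with the sender's private signature key to give the digital signature; message + digital signature + sender's certificate are encrypted with the symmetric key to give the encrypted message; the symmetric key is encrypted with the receiver's key-exchange key (receiver's certificate) to give the digital envelope.]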
-
Secure Electronic Transaction (SET) Protocol (cont.)
Receiver's Computer
5. The encrypted message and digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private exchange key.
7. Using the restored symmetric key, the encrypted message can be restored to the message, digital signature, and sender's certificate.
8. To confirm the integrity, the digital signature is decrypted by the sender's public key, obtaining the message digest.
9. The delivered message is hashed to generate a message digest.
10. The message digests obtained by steps 8 and 9 respectively are compared by the receiver to confirm whether there was any change during the transmission. This step confirms the integrity.
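Steps 1 to 10 traced end to end, as an added example that is not part of the original slides. It assumes toy stand-ins so that it runs on the Python standard library alone: textbook RSA over Mersenne primes instead of real key pairs, a SHA-256 keystream instead of DES, and an opaque byte string as the sender's certificate, with the sender's public key passed in directly rather than extracted from a validated certificate. All function and constant names are hypothetical.

```python
import hashlib
import secrets

# Toy stand-ins so the example runs with the standard library only (NOT secure):
# textbook RSA without padding over known Mersenne primes, and a SHA-256
# counter keystream in place of the DES cipher the slides mention.
def keypair(p, q, e=65537):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                      # (public key, private key)

def rsa(value: int, key) -> int:
    n, exp = key
    return pow(value, exp, n)

def stream_cipher(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)                          # same call encrypts and decrypts

def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

SIG_LEN = 256                                  # fixed-width field for the signature

def send(message, cert, sender_priv, receiver_pub):
    signature = rsa(digest(message), sender_priv)                 # steps 1-2
    sym_key = secrets.token_bytes(16)                             # new key per transaction
    bundle = (len(message).to_bytes(4, "big") + message
              + signature.to_bytes(SIG_LEN, "big") + cert)
    encrypted = stream_cipher(sym_key, bundle)                    # step 3
    envelope = rsa(int.from_bytes(sym_key, "big"), receiver_pub)  # step 4
    return encrypted, envelope                                    # step 5: both are sent

def receive(encrypted, envelope, receiver_priv, sender_pub):
    sym_key = rsa(envelope, receiver_priv).to_bytes(16, "big")    # step 6
    bundle = stream_cipher(sym_key, encrypted)                    # step 7
    end = 4 + int.from_bytes(bundle[:4], "big")
    message, cert = bundle[4:end], bundle[end + SIG_LEN:]
    signature = int.from_bytes(bundle[end:end + SIG_LEN], "big")
    signed_digest = rsa(signature, sender_pub)                    # step 8
    return message, cert, signed_digest == digest(message)        # steps 9-10

# Constructed sample keys: sender's signature pair, receiver's key-exchange pair.
SENDER_PUB, SENDER_PRIV = keypair(2**521 - 1, 2**607 - 1)
RECEIVER_PUB, RECEIVER_PRIV = keypair(2**1279 - 1, 2**2203 - 1)
```

Flipping a single bit of the encrypted message in transit makes the comparison in step 10 fail, which is the integrity check the slides describe.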
-
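[Figure, receiver's computer: the digital envelope is decrypted with the receiver's private key-exchange key to recover the symmetric key; the encrypted message is decrypted with the symmetric key into message + digital signature + sender's certificate; the digital signature is decrypted with the sender's public signature key to give a message digest, which is compared with the message digest computed from the message.]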
-
Entities of SET Protocol in Cyber Shopping
[Figure: Customer x and Customer y with digital wallets and an IC card reader; Certificate Authority; Electronic Shopping Mall with Merchant A and Merchant B; Payment Gateway; Credit Card Brand; a link labelled Protocol X.25.]
-
SET vs. SSL
Secure Electronic Transaction (SET) | Secure Socket Layer (SSL)
Complex | Simple
SET is tailored to the credit card payment to the merchants. | SSL is a protocol for general-purpose secure message exchanges (encryption).
SET protocol hides the customer's credit card information from merchants, and also hides the order information from banks, to protect privacy. This scheme is called dual signature. | SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants.
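How a dual signature lets each party check the cardholder's signature while seeing only its own half of the transaction, as an added example that is not part of the original slides. It follows the usual description of SET's dual signature (sign a digest of the two digests) and goes beyond what the slide states; it assumes SHA-256, toy textbook RSA over Mersenne primes, hypothetical function names and constructed sample data, and it leaves out the encryption of the payment data.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()       # hash choice is an assumption

# Toy textbook RSA over known Mersenne primes (NOT secure): cardholder's key.
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def dual_sign(order_info: bytes, payment_info: bytes, priv) -> int:
    n, d = priv
    combined = h(h(payment_info) + h(order_info))   # digest of the two digests
    return pow(int.from_bytes(combined, "big"), d, n)

def _check(payment_digest, order_digest, dual_sig, pub) -> bool:
    n, e = pub
    expected = int.from_bytes(h(payment_digest + order_digest), "big")
    return pow(dual_sig, e, n) == expected

def merchant_verify(order_info, payment_digest, dual_sig, pub) -> bool:
    """Merchant holds the order and only a digest of the payment data."""
    return _check(payment_digest, h(order_info), dual_sig, pub)

def gateway_verify(payment_info, order_digest, dual_sig, pub) -> bool:
    """Payment gateway holds the card data and only a digest of the order."""
    return _check(h(payment_info), order_digest, dual_sig, pub)

CARDHOLDER_PUB, CARDHOLDER_PRIV = keypair(2**521 - 1, 2**607 - 1)

# Constructed sample data for the two halves of one purchase.
ORDER = b"order 1001: 2 x widget, total 25.00"
PAYMENT = b"card 0000-0000-0000-0000, amount 25.00"
```

Because one signature covers both digests, neither party can pair its half with a different order or payment without the check failing.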
-
Electronic Fund Transfer (EFT) on the Internet
An Architecture of Electronic Fund Transfer on the Internet
[Figure: Payer and Payee connected through the Internet to their Cyber Banks; on each side a Bank, a Payment Gateway and a VAN; an Automated Clearinghouse between the two sides.]
-
Debit Cards
A delivery vehicle of cash in an electronic form
Mondex, VisaCash applied this approach
Either anonymous or onymous
CyberCash has commercialized a debit card named CyberCoin as a medium of micropayments on the Internet
-
Financial EDI
It is an EDI used for financial transactions
EDI is a standardized way of exchanging messages between businesses
EFT can be implemented using a Financial EDI system
Safe Financial EDI needs to adopt a security scheme used for the SSL protocol
Extranet encrypts the packets exchanged between senders and receivers using the public key cryptography
-
Electronic Cash and Micropayments
Smart Cards
  The concept of e-cash is used in the non-Internet environment
  Plastic cards with magnetic stripes (old technology)
  Includes IC chips with programmable functions on them which makes cards smart
  One e-cash card for one application
  Recharge the card only at designated locations, such as bank office or a kiosk. Future: recharge at your PC
  e.g. Mondex & VisaCash
-
Mondex Makes Shopping Easy
Shopping with Mondex
Adding money to the card
Payments in a new era of electronic
shopping
Paying on the Internet
-
Electronic Money
DigiCash
  The analogy of paper money or coins
  Expensive, as each payment transaction must be reported to the bank and recorded
  Conflict with the role of central bank's bill issuance
  Legally, DigiCash is not supposed to issue more than an electronic gift certificate even though it may be accepted by a wide number of member stores
-
Electronic Money (cont.)
Stored Value Cards
  No issuance of money
  Debit card: a delivering vehicle of cash in an electronic form
  Either anonymous or onymous
  Advantage of an anonymous card
    the card may be given from one person to another
  Also implemented on the Internet without employment of an IC card
-
Electronic Money (cont.)
Smart card-based e-cash
  Can be recharged at home through the Internet
  Can be used on the Internet as well as in a non-Internet environment
Ceiling of Stored Values
  To prevent the abuse of stored values in money laundering
  S$500 in Singapore; HK$3,000 in Hong Kong
Multiple Currencies
  Can be used for cross border payments
-
Contactless IC Cards
Proximity Card
  Used to access buildings and for paying in buses and other transportation systems
  Bus, subway and toll card in many cities
Amplified Remote Sensing Card
  Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  Pay toll without stopping (e.g. Highway 91 in California)
-
Electronic Check Systems
[Figure: Procedure of Financial Service Technology Consortium Prototype. Payer (workstation, signature card) and Payee (signature card, accounts receivable) exchange a secure envelope by e-mail or WWW; the payer's envelope carries invoice, remittance, check, signature and certificates, and the payee's envelope adds an endorsement; the Payee's Bank (deposit check, credit account) and the Payer's Bank (clear check, debit account) are linked by ACH/ECP; other labels: mall statement, e-check line item.]
-
Electronic Check Systems (cont.)
Electronic Checkbook
  Counterpart of electronic wallet
  To be integrated with the accounting information system of business buyers and with the payment server of sellers
  To save the electronic invoice and receipt of payment in the buyers' and sellers' computers for future retrieval
  Example: SafeCheck
  Used mainly in B2B
-
The Architecture of SafeCheck
[Figure: the Payer (payer's checkbook agent) and the Payee (payee's check-receipt agent) communicate over the Internet; the payer's bank and the payee's bank each have a control agent and an A/C DB, with clearing between the two banks; flows labelled: issue a check; receipt; request of screening check issuance; checkbook, screened result; present; report.]
-
Integrating Payment Methods
Two potential consolidations:
  The on-line electronic check is merging with EFT
  The electronic check with a designated settlement date is merging with electronic credit cards
Security First Network Bank (SFNB)
  First cyberbank
  Lower service charges to challenge the service fees of traditional banks
Visa
  VisaCash is a debit card
  ePay is an EFT service
-
How Many Cards are Appropriate?
An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
The stored value in IC card can be delivered in an anonymous mode
Malaysia's Multimedia Super Corridor project pursues a One-Card system
Relationship Card by Visa is also attempting a one card system
-
Five Security Tips
Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
Don't walk away from your computer if you are in the middle of a session.
Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored in your hard drive.
Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.
-
Managerial Issues
Security solution providers can cultivate the opportunity of providing solutions for the secure electronic payment systems
Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
Electronic stores should select an appropriate set of electronic payment systems
Banks need to develop cyberbank services to be compatible with the various electronic payment systems
Credit card brand companies need to develop an EC standard like SET, and watch the acceptance by customers
Smart card brand should develop a business model in cooperation with application sectors and banks
Certificate authority needs to identify the types of certificate to
id