electronic payment systems and security

8/12/2019 Electronic Payment Systems and Security

1/36

Electronic Payment Systems

and Security

1


2/36

Learning Objectives

Describe typical electronic payment systems for EC

Identify the security requirements for safe electronicpayments

Describe the typical security schemes used to meetthe security requirements

Identify the players and procedures of the

electronic credit card system on the InternetDiscuss the relationship between SSL and SET

protocols


3/36

Discuss the relationship between electronic fundtransfer and debit card

Describe the characteristics of a stored value

cardClassify and describe the types of IC cards used

for payments

Discuss the characteristics of electronic checksystems

Learning Objectives (cont.)


4/36

SSL Vs.SET: Who Will Win?

A part of SSL (Secure Socket Layer) is availableon customers browsersit is basically an encryption mechanism for order taking,

queries and other applications

it does not protect against all security hazards

it is mature, simple, and widely use

SET ( Secure Electronic Transaction) is a verycomprehensive security protocol

it provides for privacy, authenticity, integrity, and, orrepudiation

it is used very infrequently due to its complexity and theneed for a special card reader by the user

it may be abandoned if it is not simplified/improved


5/36

Payments, Protocols and Related Issues

SET Protocol is for Credit Card Payments

Electronic Cash and Micropayments

Electronic Fund Transfer on the Internet

Stored Value Cards and Electronic Cash

Electronic Check Systems


6/36

Security requirements

Payments, Protocols and Related Issues (cont.)

Authentication:A way to verify the buyers identitybefore payments are made

Integrity: Ensuring that information will not be

accidentally or maliciously altered or destroyed,usually during transmission

Encryption:A process of making messagesindecipherable except by those who have an

authorized decryption keyNon-repudiation: Merchants need protection

against the customers unjustifiable denial of placed

orders, and customers need protection against the

merchants unjustifiable denial of past payment


7/36

Security Schemes

Secret Key Cryptography (symmetric)

Scrambled

Message

Original

Message

Sender

InternetScrambled

Message

Keysender(= Keyreceiver)

Encryption

Original

Message

Receiver

Keyreceiver

Decryption


8/36

Public Key Cryptography

Sender

OriginalMessage

Scrambled

Message

Scrambled

Message

Public Keyreceiver

Original

Message

Receiver

Private Keyreceiver

Internet

Security Schemes (cont.)

Message

Sender

Original

Message

Scrambled

Message

Scrambled

Message

Private Keysender

Original

Message

Receiver

Public Keysender

InternetDigital

Signature


9/36

Digital Signature

A digital signature is

attached by a sender

to a message

encrypted in the

receivers public key

The receiver is the only

one that can read themessage and at the same

time he is assured that

the message was indeed

sent by the sender

Sender encrypts

a message with

her private key

Any receiver with

senders public key

can read it


Analogous to handwritten signature


10/36

Certificate

Name : Richard

key-Exchange Key :

Signature Key :

Serial # : 29483756

Other Data : 10236283025273

Expires : 6/18/96

Signed : CAs Signature


Identifying the holder of a public key (Key-Exchange)

Issued by a trusted certificate authority (CA)


11/36

Certificate Authority - e.g. VeriSign

RCA

BCA

GCA

CCA MCA PCA

RCA : Root Certificate Authority

BCA : Brand Certificate Authority

GCA : Geo-political Certificate Authority

CCA : Cardholder Certificate AuthorityMCA : Merchant Certificate Authority

PCA : Payment Gateway

Certificate Authority

Hierarchy of Certificate AuthoritiesCertificate authority needs to be verified by a government or well trusted entity ( e.g., post office)


Public or private, comes in levels (hierarchy)

A trusted third party services

Issuer of digital certificates

Verifying that a public key indeed belongs to acertain individual


12/36

Electronic Credit Card System

on the Internet

The Players

Cardholder

Merchant (seller)

Issuer (your bank)

Acquirer (merchants financial institution,

acquires the sales slips)

Brand (VISA, Master Card)

El t i C dit C d S t


13/36

The process of using credit cards offlineA cardholder requests the issuance of acard brand (like Visa and MasterCard)to an issuer bank in which thecardholder may have an account.

Electronic Credit Card System

on the Internet (cont.)

The authorization of card issuanceby the issuer bank, or its designatedbrand company, may require

customers physical visit to an office.A plastic card is physically deliveredto the customers address by mail. The card can be in effect as the

cardholder calls the bank forinitiation and signs on the back ofthe card.

The cardholder shows the card to amerchant to pay a requested

amount. Then the merchant asksfor approval from the brandcompany.

Upon the approval, the merchantrequests payment to the merchantsacquirer bank, and pays fee for theservice. This process is called acapturing process

The acquirer bank requests theissuer bank to pay for the credit

amount.


14/36

Cardholder Merchantcredit

card

Card Brand Company

Payment authorization,

payment data

Issuer Bank

CardholderAccount

Acquirer Bank

MerchantAccount

account debit data payment data

Credit Card Procedure (offline and online)14

payment data

amount transfer

Prentice Hall, 2000


15/36

Secure Electronic Transaction (SET)

Protocol

1.The message is hashed to a prefixed length of message digest.

2.The message digest is encrypted with the senders privatesignature key, and a digital signature is created.

3.The composition of message, digital signature, and Senderscertificate is encrypted with the symmetric key which isgenerated at senders computer for every transaction. The

result is an encrypted message. SET protocol uses the DES

algorithm instead of RSA for encryption because DES can beexecuted much faster than RSA.

4.The Symmetric key itself is encrypted with the receivers publickey which was sent to the sender in advance. The result is adigital envelope.

15

Senders Computer


16/36

Senders ComputerSenders Private

Signature Key

Senders

Certificate

+

+

Message

+

Digital Signature

Receivers

Certificate

Encrypt

Symmetric

Key

Encrypted

Message

Receivers

Key-Exchange Key

Encrypt

Digital

Envelope

Message

Message Digest

16


17/36

5.The encrypted message and digital envelope are transmitted toreceivers computer via the Internet.

6.The digital envelope is decrypted with receivers private

exchange key.7.Using the restored symmetric key, the encrypted message can

be restored to the message, digital signature, and senderscertificate.

8.To confirm the integrity, the digital signature is decrypted bysenders public key, obtaining the message digest.

9.The delivered message is hashed to generate message digest.

10.The message digests obtained by steps 8 and 9 respectively,are compared by the receiver to confirm whether there was any

change during the transmission. This step confirms the integrity.

Receivers Computer

Secure Electronic Transaction (SET)

Protocol (cont.)

17


18/36

Receivers Computer

DecryptSymmetric

Key

Encrypted

Message

Senders

Certificate

+

+

Message

compare

DigitalEnvelope

Receivers Private

Key-Exchange Key

Decrypt

Message DigestDigital SignatureSenders Public

Signature Key

Decrypt

Message Digest

18


19/36

Entities of SET Protocol in Cyber Shopping

IC Card

Reader Customer x Customer y

With Digital WalletsCertificate

Authority

Electronic Shopping Mall

Merchant A Merchant B

Credit Card

Brand

Protocol

X.25

Payment Gateway

19


20/36

SET Vs. SSL

Secure Electronic Transaction (SET) Secure Socket Layer (SSL)

Complex Simple

SET is tailored to the credit card

payment to the merchants.

SSL is a protocol for general-

purpose secure messageexchanges (encryption).

SET protocol hides the customers

credit card information from

merchants, and also hides the

order information to banks, toprotect privacy. This scheme is

called dual signature.

SSL protocol may use a

certificate, but there is no

payment gateway. So, the

merchants need to receive boththe ordering information and

credit card information, because

the capturing process should be

initiated by the merchants.

El t i F d T f (EFT)


21/36

Electronic Fund Transfer (EFT)

on the Internet

An Architecture of Electronic Fund Transfer on the Internet

Internet

Payer

Cyber Bank

Bank

Cyber Bank

Payee

Automated

Clearinghouse

VAN

Bank

VAN

Payment

Gateway

Payment

Gateway


22/36

Debit Cards

A delivery vehicle of cash in an electronicform

Mondex, VisaCash applied this approachEither anonymousor onymous

CyberCash has commercialized a debit cardnamed CyberCoin as a medium ofmicropayments on the Internet


23/36

Financial EDI

It is an EDI used for financial transactionsEDI is a standardized way of exchanging messages

between businesses

EFT can be implemented using a Financial EDI system

Safe Financial EDI needs to adopt a securityscheme used for the SSL protocol

Extranet encrypts the packets exchanged between

senders and receivers using the public keycryptography


24/36

Electronic Cash and Micropayments

Smart CardsThe concept of e-cash is used in the non-Internet

environment

Plastic cards with magnetic stripes (old technology)

Includes IC chips with programmable functions onthem which makes cards smart

One e-cash card for one application

Recharge the card only at designated locations,such as bank office or a kiosk. Future: recharge atyour PC

e.g. Mondex & VisaCash


25/36

Mondex Makes Shopping Easy

Shopping with Mondex

Adding money to the card

Payments in a new era of electronic

shopping

Paying on the Internet


26/36

Electronic Money

DigiCashThe analogy of paper money or coins

Expensive, as each payment transaction mustbe reported to the bank and recorded

Conflict with the role of central banks bill

issuance

Legally, DigiCash is not supposed to issue more

than an electronic gift certificate even though itmay be accepted by a wide number of memberstores


27/36

Stored Value Cards

Electronic Money (cont.)

No issuance of money

Debit card a delivering vehicle of cash in anelectronic form

Either anonymous or onymous

Advantage of an anonymous card

the card may be given from one person to

anotherAlso implemented on the Internet without

employment of an IC card


28/36

Smart card-based e-cashCan be recharged at home through the Internet

Can be used on the Internet as well as in a non-Internet environment

Ceiling of Stored Values

To prevent the abuse of stored values in moneylaundry

S$500 in Singapore; HK$3,000 in Hong Kong

Multiple Currencies

Can be used for cross border payments

Electronic Money (cont.)


29/36

Contactless IC Cards

Proximity CardUsed to access buildings and for paying in buses

and other transportation systems

Bus, subway and toll card in many cities

Amplified Remote Sensing Card

Good for a range of up to 100 feet, and can beused for tolling moving vehicles at gates

Pay toll without stopping (e.g. Highway 91 inCalifornia)


30/36

Electronic Check Systems

Check

Signature

Remittance

Invoice

Secure Envelope

Remittance

Check

Signature

Certificate

Certificate

Remittance

Secure Envelope

Certificate

Certificate

Endorsement

CertificateCertificate

Signature CardSignature

CardWorkstation

Mall statement

E-Check line item

Payers Bank

Debit account

Payees Bank

Credit account

E- Mail

WWW

ACH

ECP

Clear Check

Deposit check

Payer Payee

E-mail

Account

Receivable

Procedure of Financial Service Technology Consortium Prototype


31/36

Electronic Checkbook

Electronic Check Systems (cont.)

Counterpart of electronic wallet

To be integrated with the accounting informationsystem of business buyers and with the paymentserver of sellers

To save the electronic invoice and receipt ofpayment in the buyers and sellers computers for

future retrievalExample : SafeCheck

Used mainly in B2B


32/36

Payers

checkbook

agent

Payees

check-receipt

agent

Payer Payee

Issue a check

Receipt

A/C

DBA/C

DB

control

agent of

payers

bank

control

agent of

payees

bank

clearing

Checkbook,

screened resultRequest of

screening checkissuance present

report

payers bank payees bank

Internet

The Architecture of SafeCheck 32


33/36

Integrating Payment Methods

Two potential consolidations:The on-line electronic check is merging with EFTThe electronic check with a designated

settlement date is merging with electronic credit

cardsSecurity First Network Bank (SFNB)First cyberbank

Lower service charges to challenge the service

fees of traditional banks

VisaVisaCash is a debit card

ePay is an EFT service


34/36

How Many Cards are Appropriate?

An onymous card

is necessary to

keep the certificates for

credit cards, EFT, and

electronic checkbooks

The stored value in

IC card can be delivered

in an anonymous mode

Malaysias Multimedia Supper Corridor projectpursues a One-Card system

Relationship Card by Visa is also attempting

a one card system


35/36

Five Security Tips

Dont reveal your online Passcode to anyone. If you think

your online Passcode has been compromised, change itimmediately.

Dont walk away from your computer if you are in themiddle of a session.

Once you have finished conducting your banking on theInternet, always sign off before visiting other Internetsites.

If anyone else is likely to use your computer, clear yourcache or turn off and re-initiate your browser in order to

eliminate copies of Web pages that have been stored inyour hard drive.

Bank of America strongly recommends that you use abrowser with 128-bit encryption to conduct secure

financial transactions over the Internet.

Managerial Iss es


36/36

Managerial Issues

Security solution providers can cultivate the opportunity of

providing solutions for the secure electronic payment systemsElectronic payment system solution providers can offer

various types of electronic payment systems to electronic storesand banks

Electronic stores should select an appropriate set of electronicpayment systems

Banks need to develop cyberbank services to be compatiblewith the various electronic payment system

Credit card brand companies need to develop an ECstandard like SET, and watch the acceptance by customers

Smart card brand should develop a business model incooperation with application sectors and banks

Certificate authority needs to identify the types of certificate to

id

electronic payment systems and security

Documents