
introduction

the purpose of this document is to provide a brief background to the rapid emergence of methods
which use electronic means to transfer value, or to facilitate the transfer of value. some of these
are operational (e.g. eft/pos, f-edi and stored-value cards), whereas others are in trial or on the
drawing boards (e.g. electronic cash, especially of the 'milli-cent' variety).
receiving electronic payments incurs extra costs. when you pay for a good or service in a shop
using a credit or debit card the retailer must pay a commission to the financial institution
processing the card details; additionally there will be operating costs for the system used to
process the cards.
these systems are often costly, challenging to implement and sometimes technically difficult to
understand. these hurdles represent a ‘barrier to entry’, which, if overcome, can give you the
competitive edge.
electronic business is real and continues to grow as a medium with over 44% of uk adults having
used the internet to order tickets, goods or services (office of national statistics, 2002). this
website and its diagnostic tool give you impartial and informed information to make the right
choices for your business and help push your revenues and the uk economy forward in the digital
age.

conventional payment mechanisms


value has been conventionally transferred using a variety of techniques, including:

•cash

    •notes, which were until this century issued in many cases by banks, but during this
    century largely by national governments;

    •coins; and

    •unofficial tokens accepted as having value, e.g. sweets for small change in italy in
    the 1960s and 1970s, when the intrinsic value of the metals in the coins exceeded
    their face value;

•documents

    •bills of exchange;

    •cheques drawn on a bank;

    •money orders written by an accepted authority such as a national post office;

    •letters of credit;

    •payment card vouchers.

prashant sharma : prashant1786@yahoo.com 1

these mechanisms have various characteristics, such as the extent to which the parties are
identified, the traceability of the transaction, and the taxability of the transaction. the reason that
so many mechanisms exist is that there are many different circumstances in which value is
exchanged, and each of the mechanisms has niche-markets in which it is perceived by at least
some parties to have advantages.

electronic payment methods


introduction
electronic payment methods may be costly and challenging but they will give you the
competitive edge. different payment systems include traditional card payments, mail order,
online payments, payment bureaus, secure order forms, bacs, alternative payment options and
no payment option.
there are several approaches to taking electronic payments. all of these types of payment systems
can be compared by trying the electronic payments comparison tool. some of them can co-exist
with others and some are mutually exclusive. in this section we will discuss:

•traditional card payments

•mail-order

•online payments

•acquiring banks

•payment bureaus

•secure order forms

•bacs

•alternative payment options

•no payment option

electronic payment systems


one of the main requirements in e-commerce is the ability to accept a form of electronic payment. this
form of electronic payment is referred to as financial electronic data interchange (fedi).

fedi has become increasingly popular over the last number of years due to the widespread use of
internet-based shopping and banking.

there are dozens, if not hundreds, of electronic payment systems being developed to facilitate secure web
transactions.

electronic payment systems can be grouped into four basic categories, as follows:
• session level protocols for secure communications

• credit card and debit cards

• electronic cash

• micro payment systems

• financial cyber-mediaries
to be considered secure, an electronic financial transaction should satisfy the following four requirements:
1. ensuring communications are private

2. verifying that the communications have not been altered in transmission

3. ensuring the server and client are who they claim to be

4. ensuring the information to be transferred was written by the signed author


session level protocols for secure transmission

secure socket layer (ssl)

one of the earliest internet security protocols, the secure socket layer protocol (ssl) is currently the most
popular protocol for the secure transfer of information over the web.

ssl is a protocol-independent encryption scheme developed by netscape that provides channel security
between the application layer and the transport layer of a network packet. in plain english, this means that
encrypted transactions are handled "behind the scenes" by the server and are essentially transparent to
the html or cgi author.

ssl supports, but does not mandate the use of public key encryption and certification techniques.

it is important to note that ssl is not an electronic payment system. ssl is a secure transmission
protocol which can be used to provide security not just for payments over the internet but also for other
types of server-to-client communications.

ssl’s popularity as a secure transmission protocol has allowed it to become the most popular method of
conducting financial transactions over the web.

currently there are over 65,000 ssl enabled hosts on the web. there are a number of other session layer
protocols that compete with ssl. however, none of the other protocols have attracted any significant level
of use on the web. ssl has achieved such a wide acceptance because it was one of the earliest security
protocols, capturing the attention of the early on-line merchants and consumers.
ssl also benefits from netscape’s powerful brand recognition as one of the leaders in internet related
software. programmers like ssl because it is protocol-independent, allowing for easier development of on-
line commerce applications.

ssl also benefits from the fact that many other security protocols are still in testing stage or have yet to
gain wide acceptance. however, ssl’s dominance is being challenged by a host of new secure electronic
payment systems.

secure credit card / debit payment systems

consumers are comfortable using credit cards to make purchases in the physical world. in 1996, over
$500 billion worth of goods and services were purchased worldwide using credit cards. currently the bulk
of purchases on the web are made using credit cards. not surprisingly, many companies, including
mastercard and visa, are rushing to develop secure credit card payment systems for the web.

the secure electronic transactions (set) specification

one of the major reasons electronic commerce is expected to grow rapidly over the next few years is
because of the secure electronic transactions specification.

released to the public on may 31st, 1997, set was jointly developed by mastercard and visa with the
backing of microsoft, netscape, ibm, gte, saic, terisa systems, and verisign. the stated goal of this
consortium is "to develop a single method that consumers and merchants will use to conduct bankcard
transactions in cyberspace as securely and easily as they do in retail stores today".

mastercard and visa publicly state that they believe creating the set standard will speed the acceptance of
commerce on the internet. currently, the bulk of business-to-consumer electronic commerce is conducted
by transmitting a credit card number using ssl. set represents a bold attempt to make credit card payment
the choice for the future for online payment.

technically speaking, set is an open standard, multi-party protocol for conducting secure credit card
payments over the internet. the set specification is based on public key cryptography and digital
certificates.

it is important to note that set’s development as an open standard, multi-party protocol will facilitate and
encourage the interoperability of set across various software and network providers.

the graphic below outlines the basic steps involved in a set transaction:

1. an online shopper wishes to make a credit card purchase from a web merchant that supports the
set specification. using a browser plug-in called an electronic wallet, the customer transmits
encrypted financial information (i.e. credit card number) to the merchant, along with his or her
digital certificate.

2. the merchant’s server sends the set transaction to a payment gateway where it is decrypted,
processed, and verified by a certification authority.

3. the payment gateway then routes the transaction back to the financial institution that issued the
credit card for approval.

4. the merchant is advised electronically that the purchase is approved, and the cardholder is
debited. the merchant can then ship merchandise knowing that the customer transaction
has been approved.

digital cash (also called electronic cash)

the term "digital cash" defines a category of electronic payment systems that attempt to replicate the
benefits of cash in the off-line world. there are a number of electronic cash protocols. to a degree, all
digital cash schemes operate in the following manner:

1. a user installs a "cyberwallet" onto his or her computer. money can be put in the wallet by
deciding how much is needed and then sending an encrypted message to the bank asking for this
amount to be deducted from the user's account. the bank reads the message (by using its private
key to decode the message) and sees that it has been digitally signed (which requires a
certificate authority such as verisign) so it knows that the request comes from the individual who
authorizes account debits.

2. the bank then generates "serial numbers", encrypts the message, signs it with its digital signature
and then sends it back. the user can then take the message, often referred to as a coin or a
token, and spend it at merchant sites.

3. merchants receive ecash during a transaction and see that it has been authorized by a bank. they
then contact the bank to make sure the coins have not been spent somewhere else, and the
amount is credited to the merchant's account. (computer money: a systematic overview of
electronic payment systems, andreas furche and graham wrightson, dpunkt: heidelberg, 1996.)

accept credit card payments


summary: traditional card payments take place offline. offline electronic payments are common
and need you to have a merchant service and pdq machine from your acquiring bank. there are
ten basic steps to setting up offline payment.
most high street stores can take offline electronic payments through their credit and debit card
facilities. all banks can process these transactions and some will also process internet based
transactions.
to take offline electronic payments you usually need to apply for the appropriate facility from
your bank. here are some key electronic payment terms to consider:

• merchant service: this is the generic term for the service provided by banks that allows you to
‘swipe’ credit and debit cards at your place of business.

• pdq machine: this is the generic term for the machine that is used to ‘swipe’ a credit or debit card.

• acquiring bank: once you have ‘swiped’ the card, the customer’s details are passed to an acquiring
bank for processing. the acquiring bank checks the details of the card and authorizes the
transaction. the acquiring bank is the bank that provides your merchant service.

ten steps to setting up offline electronic payment:

• apply to a bank for a merchant service.

• negotiate the costs.

• on acceptance, pay the set-up costs.

• receive and install a pdq machine.

• ‘swipe’ the customer’s card to collect their credit or debit card details.

• wait while the card details are passed to the acquiring bank for approval.

• ask the customer to sign the sales voucher.

• verify the signature and process the payment.

• a transaction charge is automatically paid to the bank.

• the customer leaves with the goods or service.

for electronic payment in a shop, the customer is present to sign the sales voucher. if the
transaction takes place via the phone or the internet, the customer is not present so there is an
increased fraud risk.
any merchant service (whether offline or online) is provided at the discretion of the financial
institution concerned. there are few set rules as to which businesses can and cannot be approved
for a merchant service. be prepared to negotiate the product at a price that suits your needs.
mail order payments by phone, post or fax are more at risk of fraud. acquiring banks ask for
more commission to carry out these customer not present transactions. mail order payments
involve more risks for banks and financial institutions than transactions where the customer is
present at the point of sale.
consequently, acquiring banks usually ask for more commission per transaction (perhaps 3.1%
instead of 2.79%) and a more detailed agreement on the fraud checks you use.
with proper planning, your mail order operation should be able to get a customer not present
merchant service from your bank without difficulty. if you already have an offline service,
negotiate with your bank to avoid paying another set up charge.
the bank will approve each application individually but there are other equally valid options
available if you cannot get a merchant service.

micropayments

credit card and debit card fees charged by the issuing banks range from 1.5-3%, with a typical
minimum fee of 20 cents. thus, to preserve margins from being eroded by transaction fees, most
vendors in the off and online world require minimum credit card purchases of around $5.00. is
there an online market for information, products and services priced below $5.00? you bet your
cookie!

enter micropayment systems. micropayments are transactions that range from 1/10 of a cent to
$10.00 and up, with varying limits being set by the micropayment system developer. under this
concept, a consumer can buy one chapter from an online book for $1.00 versus having to pay
$10.00 for the entire contents. single articles from the wall street journal online could be bought
for 10 cents, freeing the consumer from the obligation of a long term subscription.

typically, micropayment systems require the consumer to purchase micropayment currency in
bulk either from a broker or the content provider. this bulk purchase is paid for with a credit card
and the currency is then stored in a "wallet" which resides in the user’s hard drive, at the mp’s or
content provider’s web site. each time a consumer makes a purchase from a content provider,
their wallet is debited the appropriate amount of currency.

the idea of selling inexpensive products and services opens a world of options for content
providers and a new realm of flexibility and selection to consumers. however, small transactions
demand proportionately small transaction fees. the most promising micropayment systems are
designed to meet the goal of minimizing transaction fees first. to varying degrees, each
micropayment system addresses the need for transaction security and the anonymity of the
consumer.

cybank

cybank is an example of an online bank somewhat similar to first virtual but using alternatives to
credit card transactions. cybank offers free accounts and software. users contact cybank merchants
and authorize debits to their accounts for merchandise (all with encryption). users can add credit
to their account by using a credit card, check, money order, or "phonecash"--which credits your
account a specified amount of money that is paid out via your phone bill.

a new type of payment method is emerging whereby vendors create their own forms of currency
using the model of frequent flyer points. this phenomenon of points conveying value both within
the issuer's system of products and for exchange in other vendors' systems is undoubtedly
occurring. companies such as netcentives have been created to capitalize on just this opportunity.
netcentives aggregates merchants' affinity point programs on the net and allows users to use them
interchangeably for a variety of merchandise. however, we contend that these point systems are,
at their heart, essentially loyalty programs. they are very effective at consumer retention and they
do use the model of creating a system of value outside of the world of cash, but their underlying
premise is that the points were a reward for the use of cash payments to the merchants.

ecash
with ecash, the user purchases digital money from an ecash licensed bank (with which she has an
existing account) on the internet. the "coins" are then stored on the user’s hard drive. when a user
makes a purchase at an ecash enabled site, the system software deducts the coins from her hard
drive and forwards them to the vendor. the vendor then sends the coins to the user’s bank for
verification. the vendor then chooses whether to be issued new ecash or to have a deposit made
into an ecash account. one major advantage of ecash is that the user can engage in direct person
to person transactions. in addition, this system provides complete user anonymity.

virtualpin
virtualpin is an email based system that stores a user’s credit card information off-line. users
register with the service over the phone, so credit card information is never transmitted over the
internet. upon receiving the user’s account information, first virtual issues him/her a pin. when
making a purchase, a user gives the vendor the pin and the vendor then sends the transaction
information to first virtual for approval. first virtual then confirms the purchase with the user via
email and then charges the proper amount to the user’s credit card. this system is very flexible in
that it can handle purchases from $1.00 on up. however, the entire process can be slow and
transaction costs are relatively high (thus, the unusually high "micropayment" minimum).

cybercoin
users download the cybercoin wallet and register it with a cybercoin participating financial
institution (bank or credit card company). users buy the cybercoins in bulk using a credit card or
their existing checking account. the cybercoin enabled bank stores the account balance and
transfers all the real money within the established banking network. the wallet is simply a legal
record of who the owner is and what exists in his or her account. cybercoin acts as the
middleman, taking a transaction fee from both the merchant and the bank in order to facilitate the
exchange. cybercoin allows the user to remain anonymous to the vendor. financial information is
encrypted, but the actual message is not.

millicent
digital’s millicent system does not issue one standard "currency." instead, each vendor has its
own specific scrip, which it sells to a broker at a discount. users register with one broker and buy
broker scrip in bulk. brokers will vary in the way they bill users (through credit cards, isp
accounts, or cybercash type wallets). when a user wishes to make a purchase, s/he converts
broker scrip into vendor-specific scrip, which is then stored in the user’s hard drive wallet. when
the user enacts the purchase from the vendor, their wallet pays the vendor with its specific
currency. the major feature of this system is its low transaction costs, which allow for purchases
of as little as 1/10 of a cent. while millicent transactions are not as well encrypted as other
micropayment systems, it does allow for some degree of user anonymity.

clickshare
this system is aimed at newspaper and magazine publishers. users register with one content
provider or isp, then enter that password once per session. that content provider then becomes the
user’s home site. links to other publishers registered with clickshare exist on that site and the user
is free to make purchases at those sites without having to enter any additional information.
clickshare keeps transaction records and bills the user’s isp, who already has an account
relationship with the user. another major feature of clickshare is that it keeps anonymous records
of users’ "travels," which can then be sold to marketers for analysis.

brief overview of cryptography, digital signatures and digital certificates

almost every electronic payment system developed or under development relies on some form of
encryption and/or the use of digital certificates. therefore, a brief discussion of cryptography
and digital certificates is appropriate before launching into a discussion of the various electronic
payment systems.

cryptography is the science of keeping messages secret. the original text, or plaintext, is
converted into a coded equivalent called ciphertext via an encryption algorithm. the ciphertext is
decoded (decrypted) at the receiving end and turned back into plaintext. the encryption algorithm
uses a key, which is a binary number that is typically from 40 to 128 bits in length. the data is
"locked" for sending by combining the bits in the key mathematically with the data bits. at the
receiving end, another key is used to "unlock" the code, restoring it to its original binary form.

there are two cryptographic methods being used in electronic payment systems: secret key and
public key. the traditional secret key method uses the same key to encrypt and decrypt. this is the
fastest method, but transmitting the secret key to the recipient in the first place is not secure. the
second method, public-key cryptography, uses both a private and a public key. each recipient has
a private key that is kept secret and a public key that is published for everyone. the sender looks
up the recipient's public key and uses it to encrypt the message. the recipient uses the private key
to decrypt the message. key owners do not need to transmit their private keys to anyone in order
to have their messages decrypted and thus the private keys are not in transit and are not
vulnerable.

the security of a strong system resides with the secrecy of the key rather than with secrecy of the
algorithm. in theory, any cryptographic method with a key can be broken by trying all possible
keys in sequence. however, using brute force to try all keys requires computing power that
increases exponentially with the length of the key. a system using 40-bit keys takes 2^40
steps. this kind of computing power is available in most universities. however, keys with 64 bits
would require computing power available only to major governments. keys with 80 bits and 128
bits will probably remain unbreakable by brute force for the foreseeable future.

digital signatures

a digital signature is an electronic signature that cannot be forged. it is a
coded message that accompanies the text message transmitted over a network. to send a digital
signature, the sender uses an algorithm to compute a hash value from his or her text message.
using the sender's private key, the sender encrypts the hash value, turning it into a message
digest. the text message is then encrypted with the private key, and both message and message
digest are transmitted to the recipient. the recipient uses the sender's public key to decrypt the
message and message digest. using the same hashing algorithm, a new message digest is
computed from the text message and compared with the message digest that accompanied it. if
they match, the signature is authenticated. however, the sender could still be an impersonator and
not the person he or she claims to be. to verify that the message was indeed sent by the person
claiming to send it requires a digital certificate (digital id) which is issued by a certification
authority.
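
added example (not from the original document or from any of the payment systems it names): a python sketch of the hash, sign and compare check described above, applied to the bank-signed coin and the "has this coin been spent already" check from the digital cash section. the `Bank` class, the coin layout and the toy rsa key are assumptions made for illustration; the key is far too small for real use, and message encryption, certificates and anonymity are not modelled.

```python
import hashlib
import secrets

# constructed toy key: the mersenne primes 2^89-1 and 2^107-1 give a ~196-bit
# modulus. far too small for real use; it only keeps the example stdlib-only.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                  # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the signer


def digest(message: bytes) -> int:
    """hash value of the message, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """sender: transform the hash value with the private key."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """recipient: undo the transform with the public key and compare hashes."""
    return pow(signature, E, N) == digest(message)


def coin_body(coin: dict) -> bytes:
    """the bytes the bank signs: serial number and amount."""
    return f"{coin['serial']}:{coin['amount']}".encode()


class Bank:
    """hypothetical issuing bank for the three digital cash steps."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)
        self.spent = set()           # serial numbers already deposited

    def withdraw(self, user: str, amount: int) -> dict:
        """steps 1-2: debit the user, return a signed coin with a fresh serial."""
        if self.accounts.get(user, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[user] -= amount
        coin = {"serial": secrets.token_hex(16), "amount": amount}
        coin["sig"] = sign(coin_body(coin))
        return coin

    def deposit(self, merchant: str, coin: dict) -> str:
        """step 3: credit the merchant only for a genuine, unspent coin."""
        if not verify(coin_body(coin), coin["sig"]):
            return "rejected: bad signature"
        if coin["serial"] in self.spent:
            return "rejected: already spent"
        self.spent.add(coin["serial"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + coin["amount"]
        return "accepted"


def demo() -> list:
    bank = Bank({"alice": 100})        # constructed sample account
    coin = bank.withdraw("alice", 25)
    forged = dict(coin, amount=2500)   # amount altered after the bank signed it
    return [
        verify(coin_body(coin), coin["sig"]),  # merchant checks the bank's signature
        bank.deposit("shop", coin),            # first deposit
        bank.deposit("shop", coin),            # same coin presented again
        bank.deposit("shop", forged),          # tampered coin
        bank.accounts,
    ]


if __name__ == "__main__":
    print(demo())
```

the signature only shows that the coin came from the bank and was not altered; refusing a second deposit of the same coin depends entirely on the bank's record of spent serial numbers.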
