Introduction: Electronic commerce over the Internet is predicted to grow at an ever-increasing rate over the next few years, with on-line sales already heading for several billion.

Many companies are using this new sales channel, and a few retailers have now established major on-line sales sites.

Electronic commerce relates to a variety of business dealings conducted online. They include service providers, selling services, auctioneers and retail businesses selling items to all types of customers.

But whether it is electronic commerce or the traditional way of shopping, the most important feature is the payment system. Our traditional payment system had many problems.

i. Lack of Convenience: Traditional payment systems require the consumer either to send paper cheques by mail or to be physically present for the transaction, which can sometimes lead to annoying circumstances.

ii. Lack of Security: This is because of two reasons. Firstly, the consumer has to send all confidential data on paper, which is not encrypted, and that too by post, where it may be read by anyone. Secondly, if he deals in cash, the risk of mishaps is always there.

iii. Lack of Coverage: Current businesses span many countries or states and need faster transactions everywhere, which is extremely difficult in the traditional system.

iv. Lack of Support for Micro-transactions: Many transactions done on the Internet are of very low monetary value, but these transactions also involve data flow between two entities, probably in two different countries. The same if done on paper may not be feasible at all.

To overcome these shortcomings, online transactions in the form of e-cash, e-cheques, credit cards, smart cards, debit cards etc. came into existence.

Types of Electronic Payment Systems:

1. Electronic Tokens: An electronic token is a digital analog of various forms of payment backed by a bank or financial institution. There are two types of tokens:

a. Real Time Tokens (Pre-Paid tokens): These are exchanged between buyer and seller. Their users pre-pay for tokens that serve as currency. Transactions are settled with the exchange of these tokens. Ex: DigiCash, Debit Cards, etc.

b. Post-Paid Tokens: These are used with fund transfer instructions between the buyer and seller. Ex: Electronic cheques, Credit cards etc.

2. Electronic or Digital Cash: This combines computerized convenience with security and privacy that improve upon paper cash, though cash still remains the dominant form of payment.

Cash has the following qualities:

• Cash is legal tender, i.e. the payee is obliged to take it.
• It is negotiable, i.e. it can be given or traded to someone else.
• It is a bearer instrument, i.e. possession is proof of ownership.
• It can be held and used by anyone, even those without a bank certificate.
• It places no risk on the part of the acceptor.

Limitations of Debit and Credit Cards:

• They are identification cards owned by the issuer and restricted to one user, i.e. they cannot be given away.
• They are not legal tender as yet.
• Their usage requires an account relationship and an authorization system.

Properties of Digital Cash:

i. Must have a monetary value: It must be backed by cash, bank-authorized credit or a bank-certified cashier’s check.

ii. Must be interoperable or exchangeable: Just like payment for other digital cash, paper cash, goods or services, lines of credit, bank notes or obligations, electronic benefit transfers and the like.

iii. Must be storable and retrievable: Cash could be stored in a remote computer’s memory, in smart cards, or on other easily transported standard or special-purpose devices. Remote storage or retrieval would allow users to exchange digital cash from home or office or while travelling.

iv. Should not be easy to copy or tamper with: This is achieved by using the very old art of cryptography. Digital cash is based on cryptographic systems called “digital signatures”, similar to the signatures used by banks on paper cheques to authenticate a customer.

Purchase of digital cash from an online currency server (or bank) involves two steps:

a. Establishing an account: In this step we are given a unique digital number, which also becomes our digital signature. As it is a number supposed to be known only to the customer and the bank, forgery, which may be done on paper cheques, becomes very difficult.

b. Maintenance of sufficient money in the account is required to back any purchase.

3. Electronic Cheques: Electronic cheques are modeled on paper cheques, except that they are initiated electronically.

They use digital signatures for signing and endorsing and require the use of digital certificates to authenticate the payer, the payer’s bank and bank account.

They are delivered either by direct transmission using telephone lines or by public networks such as the Internet.

Benefits of Electronic Cheques:

• Well suited for clearing micropayments. Conventional cryptography of e-cheques makes them easier to process than systems based on public key cryptography (like digital cash).
• They can serve corporate markets. Firms can use them in a more cost-effective manner.
• They create float, and the availability of float is an important requirement of commerce.

4. Credit Card: A credit card is an instrument of payment which enables the cardholder to obtain either goods or services from merchants where arrangements have been made to reimburse the merchant. The outstanding amount is payable by the cardholder to the bank over a specified period; otherwise it is also subject to interest.

It is a source of revolving credit. A number of parties are involved in a credit card transaction, and there is a contract between the card issuer and the cardholder whereby the cardholder is allowed to make use of the card at specified retail outlets (member establishments) to pay for goods and services.

There is also another, separate agreement between the card organization and the member establishment. When a cardholder makes purchases from specified retail outlets, the retail outlets make out bills to the account of the cardholder and obtain payment from the card organization, which in turn makes a monthly bill to the bank which has issued the card.

The bank subsequently makes payment to the debit of the customer’s account. The whole process takes about 45 days, and during this period the cardholder enjoys credit.

5. Debit Card: Debit cards are also known as cheque cards and look like credit cards or Automated Teller Machine (ATM) cards, but they operate like cash or personal cheques.

While a credit card is a way to “pay later”, a debit card is a way to “pay now”. When a debit card is used, money is deducted immediately from the related bank account, and hence they offer an alternative to carrying a cheque book or cash.

The main advantages of debit cards are:

i. There is no need to carry cash.
ii. It is quick and less complicated than using a cheque.
iii. It can also be used for withdrawal of cash.
iv. Holders have a record of their transactions in their bank statement, which enables them to plan and control expenditure.
v. It can be issued to any individual without assessing creditworthiness.

6. Electronic Payment System (EPS): EPS are online payment systems. The goal of their development is to create analogs of cheques and cash on the Internet.

These days mobile ATMs are also an area of focus, as they double as mobile branches besides offering customers the facility of using their debit/ATM cards, the ATMs being installed in mobile vans.

Features of EPS: An EPS implements all or some of the following features:

i. Protecting customers from merchant fraud by keeping credit card numbers unknown to merchants.
ii. Allowing people without credit cards to engage in online transactions.
iii. Protecting the confidentiality of customers.
iv. In some cases, providing anonymity of customers (‘electronic cash’).

Advantages of EPS: The various factors that have led financial institutions to make use of electronic payments are:

i. Decreasing technology cost: The cost of technology used in networks is decreasing day by day, which is evident from the fact that computers are now highly affordable and the Internet is becoming economical everywhere in the world.

ii. Reduced operational and processing cost: Due to reduced technology cost, the processing cost of various commerce activities becomes very low. A very simple reason to prove this is the fact that in electronic transactions we save both paper and time.

iii. Increasing online commerce: The above two factors have led many institutions to go online, and many others are following them.

Risks associated with EPS: EPS are steadily replacing traditional vehicles like currency and paper cheques as the preferred means of payment in the world.

• The volume growth of electronic payments and the wider array of payment vehicles now in common use have made managing the risks associated with these payments more important than ever to consumers, businesses, financial institutions, and the economy as a whole.
• The notion of security of payment is clearly insufficient to provide an appropriate conceptual framework for the technical and institutional design of Internet payment systems.
• There is a need for a broader approach of risk management. Such an approach recognizes that electronic payment entails a series of interrelated risks: financial risks, technological risks, operational risks, and legal risks.
• Some of those risks are generic to the banking business; others are specific to electronic payments, such as interception of messages and break-ins into the security infrastructure.

i. Operational Risk: Operational risk arises from the potential for loss due to significant deficiencies in system reliability or integrity. Security considerations are paramount, as banks may be subject to external or internal attacks on their systems or products.

• Operational risk may also arise from customer misuse, and from inadequately designed or implemented electronic banking and electronic money systems.

ii. Credit Risk: Credit risk is the risk that a counterparty will not settle an obligation for full value, either when due or at any time thereafter.

• Banks engaging in electronic banking activities may extend credit via non-traditional channels and expand their market beyond traditional geographic boundaries. In these cases, inadequate procedures to determine the creditworthiness of borrowers applying for credit via remote banking procedures could increase credit risk for banks.
• Banks engaged in electronic bill payment programs may face credit risk if a third-party intermediary fails to carry out its obligations with respect to payment.
• Banks that purchase electronic money from an issuer in order to resell it to customers are also exposed to credit risk in the event the issuer defaults on its obligations to redeem the electronic money.

iii. Legal Risk: Legal risk arises from violations of, or non-conformance with, laws, rules, regulations, or prescribed practices, or when the legal rights and obligations of parties to a transaction are not well established.

• Given the relatively new nature of many retail electronic banking and electronic money activities, the rights and obligations of parties to such transactions are, in some cases, uncertain. For example, the application of some consumer protection rules to electronic banking and electronic money activities in some countries may not be clear.
• In addition, legal risk may arise from uncertainty about the validity of some agreements formed via electronic media.
• The application of money laundering rules may also be inappropriate for some forms of electronic payments. Moreover, as electronic banking can be conducted remotely, banks may face increased difficulties in applying traditional methods to prevent and detect criminal activity.
• Banks engaged in electronic banking and electronic money activities can face legal risks with respect to customer disclosures and privacy protection.
• Banks choosing to enhance customer service by linking their Internet sites to other sites can also face legal risks. A hacker may use the linked site to defraud a bank customer, and the bank could face litigation from the customer.

Risk management options for e-payment systems: The rapid pace of technological innovation is likely to change the nature and scope of the risks banks face in electronic money and electronic banking.

A risk management process that includes the three basic elements, namely assessing risks, controlling risk exposure, and monitoring risks, will help banks and supervisors attain these goals.

It is essential that banks have a comprehensive risk management process in place that is subject to appropriate oversight by the board of directors and senior management.

Prior to any new activity being commenced, a comprehensive review should be conducted so that senior management can ensure that the risk management process is adequate to assess, control and monitor any risks arising from the proposed new activity.

i. Assessing Risks: Assessing risks is an ongoing process. It typically involves three steps.

First, a bank may engage in a rigorous analytic process to identify risks and, where possible, to quantify them.

Where risks cannot be quantified, management may still identify how potential risks can arise and the steps that can be taken to deal with and to limit those risks.

Bank management should form reasonable and defensible judgments of the magnitude of any risk with respect to both the impact it could have on the bank and the probability that such an event will occur.

The second step in assessing risk is for the board of directors or senior management to determine the bank’s risk tolerance, based on an assessment of the losses the bank can afford to sustain in the event a given problem materializes.

Finally, management can compare its risk tolerance with its assessment of the magnitude of a risk to ascertain if the risk exposure fits within the tolerance limits.

ii. Managing and Controlling Risks: This phase of a risk management process includes activities such as implementing security policies and measures, coordinating internal communication, evaluating and upgrading products and services, implementing measures to ensure that outsourcing risks are controlled and managed, providing disclosures and customer education, and developing contingency plans.

Banks increase their ability to control and manage the various risks inherent in any activity when policies and procedures are set out in written documentation and made available to all relevant staff.

a. Security policies and measures: Security is the combination of systems, applications, and internal controls used to safeguard the integrity, authenticity, and confidentiality of data and operating processes.

• Proper security relies on the development and implementation of adequate security policies and security measures for processes within the bank, and for communication between the bank and external parties.

b. Security policy: A security policy states management’s intentions to support information security and provides an explanation of the bank’s security organization.

• It also establishes guidelines that define the bank’s security risk tolerance.
• The policy may define responsibilities for designing, implementing, and enforcing information security measures, and it may establish procedures to evaluate policy compliance, enforce disciplinary measures, and report security violations.

c. Security measures: Security measures are combinations of hardware and software tools, and personnel management, that contribute to building secure systems and operations.

• Senior management should regard security as a comprehensive process that is only as strong as the weakest link in the process.
• Banks can choose from a variety of security measures to prevent or mitigate external and internal attacks and misuse of electronic banking and electronic money, which include encryption, passwords, firewalls, virus controls, and employee screening.

iii. Monitoring Risks: Ongoing monitoring is an important aspect of any risk management process.

• For electronic banking and electronic money activities, monitoring is particularly important both because the nature of the activities is likely to change rapidly as innovations occur, and because of the reliance of some products on the use of open networks such as the Internet.
• Two important elements of monitoring are system testing and auditing.

a. System testing and surveillance: Testing of systems operations can help detect unusual activity patterns and avert major system problems, disruptions, and attacks.

• Penetration testing focuses upon the identification, isolation, and confirmation of flaws in the design and implementation of security mechanisms through controlled attempts to penetrate a system outside normal procedures.
• Surveillance is a form of monitoring in which software and audit applications are used to track activity.

b. Auditing: Auditing (internal and external) provides an important independent control mechanism for detecting deficiencies and minimizing risks in the provision of electronic banking and electronic money services.

• The role of an auditor is to ensure that appropriate standards, policies, and procedures are developed, and that the bank consistently adheres to them.
• An internal auditor should be separate and independent from employees making risk management decisions.
• To augment internal audit, management may seek qualified external auditors, such as computer security consultants or other professionals with relevant expertise, to provide an independent assessment of the electronic banking or electronic money activity.

iv. Identification, Confidentiality and Payment Integrity: Payments on the Internet need to fulfil three broad conditions:

• Firstly, each party involved in the transaction must be sure that its counterparty is exactly who it claims to be; in other words, the people involved must be identified.
• Secondly, data exchanged between buyers and sellers must remain confidential.
• Finally, buyers must be certain that the information they get about the payment is reliable.

Those three conditions can be met by the use of encryption technology.

Security Requirements of EPS: There are four essential security requirements for secure electronic payment:

i. Authentication: A way to verify the buyer’s identity before payments are made.

ii. Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission.

iii. Encryption: A process of making messages indecipherable except by those who have an authorized decryption key.

iv. Non-repudiation: Merchants need protection against the customer’s unjustifiable denial of placed orders, and customers need protection against the merchant’s unjustifiable denial of past payment.

Cryptography: Cryptography is one of the tools that is being extensively used for securing different kinds of electronic transactions.

It is the science of writing in secret code and is an ancient art. The first documented use of cryptography in writing dates back to 1900 B.C., when an Egyptian scribe used non-standard hieroglyphs in an inscription.

As cryptography converts plain text into encrypted form (cipher text), it is very useful for securing data on communication channels.

Fig: Cryptography

There are two cryptographic methods being used in electronic payment systems:

i. Secret key Cryptography: Secret key cryptography is also sometimes referred to as symmetric cryptography.

• It is the more traditional form of cryptography, in which a single key can be used to encrypt and decrypt a message.
• Secret-key cryptography not only deals with encryption, but also with authentication.
• The main problem with secret-key cryptosystems is getting the sender and receiver to agree on the secret key without anyone else finding out. This requires a method by which the two parties can communicate without fear of eavesdropping.
• However, the advantage of secret-key cryptography is that it is generally faster than public-key cryptography.

ii. Public key Cryptography: Public key cryptography is sometimes referred to as asymmetric cryptography.

• Public key cryptography is a cryptographic system that uses two keys, i.e. a public key known to everyone and a private or secret key known only to the recipient of the message.
• An important element of this system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them.
• Moreover, it is virtually impossible to deduce the private key if you know the public key.
• This idea of public key cryptography was first presented by Martin Hellman, Ralph Merkle, and Whitfield Diffie at Stanford University in 1976.
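As an added example that is not part of the original notes, the Python below puts the two methods side by side on an electronic cheque, the digital-signature use the notes describe for digital cash and e-cheques: a MAC under a shared secret (secret-key method) and a textbook RSA signature (public-key method). The cheque fields, the shared secret and the RSA primes are constructed; the primes are deliberately tiny so the arithmetic is visible, which makes the key useless for real protection.

```python
import hashlib
import hmac
import json
from math import gcd

# Toy RSA key built from two small, constructed primes.  Real keys are
# thousands of bits; these values only make the arithmetic visible.
P, Q = 1000003, 999983
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent: e*d == 1 (mod phi), Python 3.8+

PUBLIC_KEY = (N, E)          # published to everyone (bank, merchant, auditor)
PRIVATE_KEY = (N, D)         # held only by the payer


def canonical(cheque: dict) -> bytes:
    """Serialise the cheque deterministically so signer and verifier hash identical bytes."""
    return json.dumps(cheque, sort_keys=True, separators=(",", ":")).encode()


def digest_mod_n(cheque: dict, n: int) -> int:
    """SHA-256 of the cheque, reduced into the RSA message space [0, n)."""
    return int.from_bytes(hashlib.sha256(canonical(cheque)).digest(), "big") % n


def rsa_sign(cheque: dict, private_key=PRIVATE_KEY) -> int:
    """Payer signs with the private key: s = h^d mod n."""
    n, d = private_key
    return pow(digest_mod_n(cheque, n), d, n)


def rsa_verify(cheque: dict, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone holding the public key checks s^e mod n == h; only the private key could have made s."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(cheque, n)


def hmac_tag(cheque: dict, shared_secret: bytes) -> str:
    """Secret-key alternative: a MAC under a key that payer and bank must first agree on."""
    return hmac.new(shared_secret, canonical(cheque), hashlib.sha256).hexdigest()


def hmac_verify(cheque: dict, tag: str, shared_secret: bytes) -> bool:
    """Constant-time comparison; a changed cheque or a different key yields a different tag."""
    return hmac.compare_digest(hmac_tag(cheque, shared_secret), tag)


if __name__ == "__main__":
    cheque = {"payer": "acct-1001", "payee": "merchant-77", "amount": "125.00", "serial": 42}
    altered = dict(cheque, amount="1250.00")

    sig = rsa_sign(cheque)
    print("signature verifies:", rsa_verify(cheque, sig))            # True
    print("altered amount verifies:", rsa_verify(altered, sig))      # False

    key = b"constructed-shared-secret"
    tag = hmac_tag(cheque, key)
    print("MAC verifies:", hmac_verify(cheque, tag, key))            # True
    print("altered cheque verifies:", hmac_verify(altered, tag, key))  # False
    # The bank verifies the MAC with the same key the payer used, so it could
    # equally have produced a valid tag itself: a MAC gives authentication and
    # integrity, but not the non-repudiation that a public-key signature gives.
    print("bank-made tag verifies:", hmac_verify(altered, hmac_tag(altered, key), key))  # True
```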
Secure Socket Layer (SSL): SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.

Secure Socket Layer (SSL) is a cryptographic protocol which provides secure communications on the Internet.

Secure Electronic Transaction (SET): SET is a standard protocol for securing credit card transactions over insecure networks, specifically the Internet.

SET was developed by VISA and MasterCard (involving other companies such as GTE, IBM, Microsoft and Netscape) starting in 1996.

The SET standard has been developed to protect payment instructions in transit.

Payment Gateway: A payment gateway is a separate service and acts as an intermediary between the merchant’s shopping cart and all the financial networks involved with the transaction, including the customer’s credit and debit card issuer and the merchant’s account.

It checks for validity, encrypts transaction details, ensures they are sent to the correct destination and then decrypts the responses which are sent back to the shopping cart.

A payment gateway can be thought of as a digital equivalent of a credit card processing terminal.

This is a seamless process, and the customer does not have to interact with the gateway directly, as data is forwarded to the gateway via the shopping cart and a secure (SSL) connection.

The shopping cart is configured via plugins to send information in a format that is acceptable to the particular gateway.

A payment gateway is an e-commerce service that authorizes payments for e-businesses and online retailers.

Working of Payment Gateways: Payment gateways encrypt the information they handle through SSL. This prevents opportunities for fraud and adds security to the transaction process.

Gateways communicate with a variety of entities, which include:

• The customer.
• The merchant (through their website).
• Credit card companies (for verifying information and establishing authentication).
• Internet merchant accounts that relay order information from the gateway to the merchant’s bank account.

Benefits of Payment Gateways:

i. Security: Gateways keep customers’ credit card data behind firewalls, so that neither the merchant nor the customer has to worry about someone “hacking in” to their system.

ii. Encryption: Gateways use SSL encryption to prevent message tampering while the credit card information is being transmitted over the Internet. EMS (Expanded Memory Specification Computing) provides the most secure encryption technology.

iii. Back-up Redundancy: Gateways have a backup system in place to ensure that merchants can continue processing in the event of an emergency.

iv. Up-to-date Technology: Gateways are services that are constantly upgraded to be up to date with the latest technology. And, as the gateways are not on the merchants’ computers, there is no need for the merchants to upgrade their hardware.

Issues Related to Electronic Payment Technology: Online payment processing requires coordinating the flow of transactions among a complex network of financial institutions and processors.

Fortunately, technology has simplified this process so that, with the right solution, payment processing is easy, secure, and seamless for both the merchant and the customer.

The important issues in online payment processing are:

i. Online Payment Processing Basics: Purchasing online may seem to be quick and easy, but most consumers give little thought to the process that appears to work instantaneously.

For it to work correctly, merchants must connect to a network of banks (both acquiring and issuing banks), processors, and other financial institutions so that payment information provided by the customer can be routed securely and reliably, as payment information is highly sensitive and trust and confidence are essential elements of any payment transaction.

This means that the gateway should be provided by a company with in-depth experience in payment processing and security.

ii. The Payment Processing Network: This can be broken down further depending upon the participants and elements involved in payment processing.

a. Acquiring bank: An acquiring bank provides Internet merchant accounts. A merchant must open an Internet merchant account with an acquiring bank to enable online credit card authorization and payment processing.

b. Authorization: The process by which a customer’s credit card is verified as active and as having the credit available to make a transaction. An authorization also verifies that the billing information the customer has provided matches the information on record with their credit card company.

c. Credit card association: A financial institution that provides credit card services that are branded and distributed by customer issuing banks. Examples include Visa, MasterCard etc.

d. Customer: The holder of the payment instrument, such as a credit card, debit card, or electronic cheque.

e. Customer issuing bank: A financial institution that provides a customer with a credit card or other payment instrument. Examples include various banks.

During a purchase, the customer issuing bank verifies that the payment information submitted to the merchant is valid and that the customer has the funds or credit limit to make the proposed purchase.

f. Internet merchant account: A special account with an acquiring bank that allows the merchant to accept credit cards over the Internet. The merchant typically pays a processing fee for each transaction processed, also known as the discount rate, which varies from bank to bank.

g. Merchant: Someone who owns a company that sells products or services.

h. Payment gateway: A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments. The service is usually operated by a third-party provider such as VeriSign.

i. Processor: A large data center that processes credit card transactions and settles funds to merchants. The processor is connected to a merchant’s site on behalf of an acquiring bank via a payment gateway.

j. Settlement: The process by which transactions with authorization codes are sent to the processor for payment to the merchant. Settlement is a sort of electronic bookkeeping procedure that causes all funds from captured transactions to be routed to the merchant’s acquiring bank for deposit.
iii. How Payment Processing Works: Payment processing in the online world is similar to payment processing in the offline or “brick and mortar” world, with one significant exception.

In the online world, the card is ‘not present’ at the transaction. That is why the merchant must take additional steps to verify that the card information is being submitted by the actual owner of the card.

Payment processing can be divided into two major phases or steps: Authorization and Settlement.

Authorization (Online):

• A customer who decides to make a purchase on a merchant’s Web site proceeds to checkout and inputs credit card information.
• The merchant’s Web site receives the customer information and sends the transaction information to the payment gateway.
• The payment gateway routes the information to the processor.
• The processor sends the information to the issuing bank of the customer’s credit card.
• The issuing bank sends the transaction result (authorization or decline) to the processor.
• The processor routes the transaction result to the payment gateway.
• The payment gateway passes the resultant information to the merchant.
• The merchant accepts or rejects the transaction and ships the goods if necessary.
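The online authorization chain above, as an added simulation that is not from the original notes: each party is a small Python class, the gateway performs a Luhn validity check before routing, the processor picks the issuer from the card’s leading digits, the issuer checks that the card is active and has credit and places a hold, and the merchant keeps only the last four digits and the result. The card numbers, balances, BIN table and authorization codes are all constructed.

```python
from dataclasses import dataclass
from typing import Dict

# Card numbers, balances and the BIN-to-issuer table below are all constructed.

@dataclass
class AuthRequest:
    card_number: str     # full PAN: seen by the gateway, processor and issuer only
    amount_cents: int
    merchant_id: str

@dataclass
class AuthResult:
    approved: bool
    reason: str
    auth_code: str = ""  # assigned by the issuing bank on approval

def luhn_ok(pan: str) -> bool:
    """Validity check the gateway runs before routing; catches mistyped numbers, not fraud."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class IssuingBank:
    """Holds the cardholder accounts and decides authorization or decline."""
    def __init__(self, accounts: Dict[str, dict]):
        self.accounts = accounts
        self.last_code = 1000

    def authorize(self, req: AuthRequest) -> AuthResult:
        acct = self.accounts.get(req.card_number)
        if acct is None or not acct["active"]:
            return AuthResult(False, "card not active or reported lost/stolen")
        if acct["available_cents"] < req.amount_cents:
            return AuthResult(False, "insufficient credit")
        acct["available_cents"] -= req.amount_cents   # hold the amount until settlement
        self.last_code += 1
        return AuthResult(True, "approved", auth_code=f"A{self.last_code}")

class Processor:
    """Routes each request to the issuer identified by the card's leading digits (BIN)."""
    def __init__(self, issuers_by_bin: Dict[str, IssuingBank]):
        self.issuers_by_bin = issuers_by_bin

    def forward(self, req: AuthRequest) -> AuthResult:
        issuer = self.issuers_by_bin.get(req.card_number[:6])
        if issuer is None:
            return AuthResult(False, "unknown issuer")
        return issuer.authorize(req)

class PaymentGateway:
    """Checks the request for validity, forwards it to the processor and relays the result."""
    def __init__(self, processor: Processor):
        self.processor = processor

    def submit(self, req: AuthRequest) -> AuthResult:
        if not luhn_ok(req.card_number):
            return AuthResult(False, "invalid card number")
        return self.processor.forward(req)

class Merchant:
    """Sends card data onward and keeps only what it needs: last four digits and the result."""
    def __init__(self, merchant_id: str, gateway: PaymentGateway):
        self.merchant_id = merchant_id
        self.gateway = gateway

    def checkout(self, pan: str, amount_cents: int) -> dict:
        result = self.gateway.submit(AuthRequest(pan, amount_cents, self.merchant_id))
        return {"last4": pan[-4:], "amount_cents": amount_cents, "approved": result.approved,
                "reason": result.reason, "auth_code": result.auth_code}

def build_demo() -> Merchant:
    """One issuer, one processor, one gateway and one merchant wired together."""
    issuer = IssuingBank({
        "4111111111111111": {"active": True, "available_cents": 50_000},
        "4111111111111129": {"active": False, "available_cents": 90_000},  # reported lost
    })
    return Merchant("shop-01", PaymentGateway(Processor({"411111": issuer})))

if __name__ == "__main__":
    shop = build_demo()
    print(shop.checkout("4111111111111111", 12_500))   # approved, auth code A1001
    print(shop.checkout("4111111111111111", 40_000))   # declined: insufficient credit
    print(shop.checkout("4111111111111129", 1_000))    # declined: card not active
    print(shop.checkout("4111111111111112", 1_000))    # stopped at gateway: invalid number
```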

Authorization (“Brick and Mortar”):

• A customer selects item(s) to purchase, brings them to a cashier, and hands the credit card to the merchant.
• The merchant swipes the card and transfers the transaction information to a point-of-sale terminal.
• The point-of-sale terminal routes the information to the processor via a dial-up connection; the point-of-sale terminal takes the place of the payment gateway in the offline world.
• The processor sends the information to the issuing bank of the customer’s credit card.
• The issuing bank sends the transaction result (authorization or decline) to the processor.
• The processor routes the transaction result to the point-of-sale terminal.
• The point-of-sale terminal shows the merchant whether the transaction was approved or declined.
• The merchant tells the customer the outcome of the transaction. If approved, the merchant asks the customer to sign the credit card receipt if the card is not PIN protected.

Payment Processing – Settlement: The settlement process transfers authorized funds for a transaction from the customer’s bank account to the merchant’s bank account. The process is basically the same whether the transaction is conducted online or offline.

The Must-Know Things About Fraud: Credit card fraud can be a significant problem for customers, merchants, and credit card issuers.

Liability for fraudulent transactions belongs to the credit card issuer for a card-present, in-store transaction, but shifts to the merchant for ‘card not present’ transactions, including transactions conducted online.

This means that the merchant does not receive payment for a fraudulent online transaction. Hence, it is important to limit the risk as an online merchant.

The following important fraud prevention steps should be adhered to:

i. Choose a payment services provider that is well-established and credible.

ii. Make sure that the payment gateway provider offers real-time credit card authorization results. This ensures that the credit card has not been reported as lost or stolen and that it is a valid card number.

iii. One of the simplest ways to reduce the risk of a fraudulent transaction is to use the Address Verification Service (AVS). This matches the cardholder billing address on file with the billing address submitted, to ensure that the cardholder is the card owner.

iv. Use Card Security Codes, known as CVV2 for Visa, CVVC for MasterCard, and CID for American Express. For American Express, the code is a four-digit number that appears on the front of the card above the account number. For Visa and MasterCard, the code is a three-digit number that appears at the end of the account number on the back of the card.

The code is not printed on any receipts and provides additional assurance that the actual card is in the possession of the person submitting the transaction.

As a merchant, one can ask for this code on the online order form, as even if it is not used for processing, simply asking for it acts as a strong deterrent against fraud.

v. Watch for multiple orders for easily resold items, such as electronic goods, purchased on the same credit card.

vi. Develop a negative card and shipping address list and cross-check transactions against it. Many perpetrators will go back to the same merchant again and again to make fraudulent transactions.
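As an added example that is not from the original notes, the Python below is a small merchant-side screen that applies rules iii to vi above to constructed orders. It assumes the gateway returns an AVS result and a card reference with each authorization (so the merchant never stores the card number itself); the code lengths per brand follow rule iv, and the threshold for repeated orders is a constructed value.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Code length per brand as stated in the notes; the card reference, AVS result
# and the repeat-order threshold are constructed assumptions for this example.
CODE_LENGTH = {"visa": 3, "mastercard": 3, "amex": 4}
EASILY_RESOLD = {"electronics"}
MAX_ORDERS_PER_CARD = 2


@dataclass
class Order:
    order_id: str
    card_ref: str        # gateway-issued reference for the card; the merchant never stores the PAN
    card_brand: str
    security_code: str   # collected on the order form, never stored after screening
    avs_result: str      # "match", "partial" or "no_match", returned with the authorization
    ship_address: str
    category: str


@dataclass
class FraudScreen:
    negative_cards: Set[str] = field(default_factory=set)
    negative_addresses: Set[str] = field(default_factory=set)
    orders_by_card: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def code_format_ok(self, order: Order) -> bool:
        """Rule iv: the security code must be present and the right length for the brand."""
        expected = CODE_LENGTH.get(order.card_brand)
        code = order.security_code
        return expected is not None and code.isdigit() and len(code) == expected

    def screen(self, order: Order) -> List[str]:
        """Return the rules the order trips; an empty list means it passes all checks."""
        flags = []
        if order.card_ref in self.negative_cards:                        # rule vi
            flags.append("card on negative list")
        if order.ship_address.lower() in self.negative_addresses:        # rule vi
            flags.append("shipping address on negative list")
        if order.avs_result != "match":                                  # rule iii
            flags.append(f"AVS {order.avs_result}")
        if not self.code_format_ok(order):                               # rule iv
            flags.append("security code missing or wrong length for brand")
        self.orders_by_card[order.card_ref] += 1                         # rule v
        if (order.category in EASILY_RESOLD
                and self.orders_by_card[order.card_ref] > MAX_ORDERS_PER_CARD):
            flags.append("repeated orders of easily resold goods on one card")
        return flags

    def record_chargeback(self, order: Order) -> None:
        """After a confirmed fraudulent transaction, remember the card and the address."""
        self.negative_cards.add(order.card_ref)
        self.negative_addresses.add(order.ship_address.lower())


if __name__ == "__main__":
    fs = FraudScreen()
    # Constructed orders: a clean one, an Amex code of the wrong length, and a run
    # of electronics orders on one card ending with an AVS mismatch.
    print(fs.screen(Order("o1", "tok-a", "visa", "123", "match", "1 Main St", "books")))
    print(fs.screen(Order("o2", "tok-b", "amex", "123", "match", "2 Oak Ave", "books")))
    for n, avs in ((3, "match"), (4, "match"), (5, "no_match")):
        last = Order(f"o{n}", "tok-c", "mastercard", "456", avs, "3 Elm Rd", "electronics")
        print(fs.screen(last))
    fs.record_chargeback(last)
    print(fs.screen(Order("o6", "tok-d", "visa", "789", "match", "3 ELM RD", "books")))
```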
