
E-commerce Systems

Electronic Payment Systems

Department of Business Computing MUBS

E-payment systems
- To transfer money over the Internet
- Methods of traditional payment
  - Cheque, credit card, or cash
- Methods of electronic payment
  - Electronic cash, software wallets, smart cards, and credit/debit cards
- Scrip is digital cash minted by third-party organizations

Requirements for e-payments
- Atomicity
  - Money is not lost or created during a transfer
- Good atomicity
  - Money and goods are exchanged atomically
- Non-repudiation
  - No party can deny its role in the transaction
  - Digital signatures

Desirable Properties of Digital Money
- Universally accepted
- Transferable electronically
- Divisible
- Non-forgeable, "non-stealable"
- Private (no one except parties know the amount)
- Anonymous (no one can identify the payer)
- Work off-line (no on-line verification needed)

No known system satisfies all.

Types of E-payment tools
- E-cash
- E-cheques
- Electronic wallets
- Smart card
- Credit card
- Debit Cards
- Mobile Money and Airtime

Electronic Cash
- Also called e-money
- Primary advantage is with purchase of items less than $10
  - Credit card transaction fees make small purchases unprofitable
- Micropayments
  - Payments for items costing less than $1

E-cash Concept
[Figure: Consumer, Merchant and Bank, with arrows numbered 1-5]
1. Consumer buys e-cash from Bank
2. Bank sends e-cash bits to consumer (after charging that amount plus fee)
3. Consumer sends e-cash to merchant
4. Merchant checks with Bank that e-cash is valid (check for forgery or fraud)
5. Bank verifies that e-cash is valid
6. Parties complete transaction: e.g. merchant presents e-cash to issuing bank for deposit once goods or services are delivered

Consumer still has (invalid) e-cash

Electronic Cash Issues
- E-cash must allow spending only once
- Must be anonymous, just like regular currency
- Safeguards must be in place to prevent counterfeiting/forgery
- Must be independent and freely transferable regardless of nationality or storage mechanism
- Divisibility and Convenience
- Complex transaction (checking with Bank)
- Atomicity problem

Two storage methods
- On-line
  - Individual does not have possession personally of electronic cash
  - Trusted third party, e.g. online bank, holds customers' cash accounts
- Off-line
  - Customer holds cash on smart card or software wallet
  - Fraud and double spending require tamperproof encryption

Advantages and Disadvantages of Electronic Cash
- Advantages
  - More efficient, eventually meaning lower prices
  - Lower transaction costs
  - Anybody can use it, unlike credit cards, and does not require special authorization
- Disadvantages
  - Tax trail non-existent, like regular cash
  - Money laundering
  - Susceptible to forgery

Electronic Cash Security
- Complex cryptographic algorithms prevent double spending
  - Anonymity is preserved unless double spending is attempted
- Serial numbers can allow tracing to prevent money laundering
  - Does not prevent double spending, since the merchant or consumer could be at fault

Blind Signatures in E-cash
- Goal
  - to have the bank sign documents without knowing what they are signing.
- Why?
  - Anonymity with Authentication

How to sign with a blindfold?
1. You encrypt the message
2. Send it to the bank
3. The bank signs the message and returns it
4. You decrypt the signed message
5. You spend it

Cut and Choose
- Problems
  - The bank honours anything I write down
- Solution: the Cut-and-choose algorithm
1. Prepare n copies of the messages and n different keys, and send them to the bank
2. The bank requests the keys for and opens n - 1 of them, and verifies them. It then signs the remaining one.
3. The bank sends back the signed message, which can then be decrypted and spent
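
Added example, not part of the original slides: the blind-signature steps and the cut-and-choose check described above, together with the bank's spend-once check at deposit, in Python. It assumes textbook RSA blinding (the slides name no algorithm); the toy key, the `amount=...;serial=...` coin format and all function names are constructed for illustration.

```python
import hashlib
import math
import secrets

# Toy bank RSA key from two Mersenne primes (constructed; far too small for
# real use). Textbook RSA blinding is an assumption, not named in the slides.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SPENT = set()  # coins the bank has already accepted for deposit

def h(msg):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N

def blind(msg):
    """Customer: hide the coin under a random key r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return h(msg) * pow(r, E, N) % N, r

def verify(msg, sig):
    return pow(sig, E, N) == h(msg)

def bank_cut_and_choose(blinded, open_copy, amount, keep=None):
    """Bank: open every copy but one; sign the last only if all others check out."""
    if keep is None:
        keep = secrets.randbelow(len(blinded))
    for i, b in enumerate(blinded):
        if i == keep:
            continue
        msg, r = open_copy(i)  # customer reveals message and key for copy i
        if h(msg) * pow(r, E, N) % N != b or not msg.startswith(f"amount={amount};"):
            return None  # opened copy is not what was claimed: refuse to sign
    return keep, pow(blinded[keep], D, N)

def withdraw(msgs, amount, keep=None):
    """Customer: blind n copies, answer the bank's challenge, unblind the result."""
    pairs = [blind(m) for m in msgs]
    result = bank_cut_and_choose([b for b, _ in pairs],
                                 lambda i: (msgs[i], pairs[i][1]), amount, keep)
    if result is None:
        return None
    kept, blinded_sig = result
    # Dividing out r leaves the bank's signature on the coin it never saw.
    return msgs[kept], blinded_sig * pow(pairs[kept][1], -1, N) % N

def bank_deposit(msg, sig):
    """Bank: accept a coin from a merchant only if genuine and not yet spent."""
    if not verify(msg, sig):
        return "forged"
    if msg in SPENT:
        return "double-spend"
    SPENT.add(msg)
    return "ok"
```

A customer who alters one of the n copies escapes detection only when the bank happens to leave that copy unopened, a 1-in-n chance, which is why the bank picks the unopened copy at random.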

Anonymous digital cash?
- Protocol #1
- Protocol #2
- Protocol #3
- Protocol #4

Detecting Double Spending

Past and Present E-cash Systems
- CyberCash
  - Combines features from cash and checks
  - Offers credit card, micropayment, and check payment services
  - Connects merchants directly with credit card processors to provide authorizations for transactions in real time
    - No delays in processing prevent insufficient e-cash to pay for the transaction
- CyberCoins
  - Stored in CyberCash wallet, a software storage mechanism located on customer's computer
  - Used to make purchases between .25c and $10
  - PayNow -- payments made directly from checking accounts

Past and Present E-cash Systems
- DigiCash
  - Trailblazer in e-cash
  - Allowed customers to purchase goods and services using anonymous electronic cash
  - Recently entered Chapter 11 reorganization
- Coin.Net
  - Electronic tokens stored on a customer's computer are used to make purchases
  - Works by installing special plug-in to a customer's web browser
  - Merchants do not need special software to accept eCoins.
  - eCoin server prevents double-spending and traces transactions, but consumer is anonymous to merchant

Aggregation
- Used when individual transactions are too small for credit card (e.g. $2.00)
- Consumer and Merchant sign up with Aggregator
- Consumer makes purchase, Merchant notifies Aggregator, Aggregator keeps Consumer's account
- When amount owed is large enough (or every month), charges to Consumer's credit card
- Aggregator sends money (less fees) to Merchant
- QPASS, CyberCash, GlobeID

Past and Present E-cash Systems
- MilliCent
  - Developed by Digital, now part of Compaq
  - Electronic scrip system
  - Participating merchant creates and sells own scrip to broker at a discount
  - Consumers register with broker and buy bulk generic scrip, usually with credit card
  - Customers buy by converting broker scrip to vendor-specific scrip, i.e. scrip that a particular merchant will accept
  - Customers can purchase items of very low value
  - Brokers required for two reasons:
    - Small payments require aggregation to ensure profitability
    - System is easier to use -- customer need only deal with one broker for all their scrip needs

Electronic Wallets
- Stores credit card, electronic cash, owner identification and address
  - Makes shopping easier and more efficient
  - Eliminates need to repeatedly enter identifying information into forms to purchase
  - Works in many different stores to speed checkout
- Amazon.com was one of the first online merchants to eliminate repeat form-filling for purchases

An Electronic Checkout Counter Form

Electronic Wallet Types
- Agile Wallet
  - Developed by CyberCash
  - Allows customers to enter credit card and identifying information once, stored on a central server
  - Information pops up in supported merchants' payment pages, allowing one-click payment
  - Does not support smart cards or CyberCash, but company expects to soon

Electronic Wallet Types
- eWallet
  - Developed by Launchpad Technologies
  - Free wallet software that stores credit card and personal information on users' computer, not on a central server; info is dragged into payment form from eWallet
  - Information is encrypted and password protected
  - Works with Netscape and Internet Explorer

Electronic Wallets
- Microsoft Wallet
  - Comes pre-installed in Internet Explorer 4.0, but not in Netscape
  - All information is encrypted and password protected
  - Microsoft Wallet Merchant directory shows merchants set up to accept Microsoft Wallet

Entering Information Into Microsoft Wallet

W3C Proposed Standard for Electronic Wallets
- World Wide Web Consortium (W3C) is attempting to create an extensible and interoperable method of embedding micropayment information on a web page
- Extensible systems allow improvement of the system without eliminating previous work

W3C Proposed Standard for Electronic Wallets
- Merchants must accept several payment options to ensure the widest possible Internet audience
- Merchants must embed in their Web page payment information specific to each pay system
- This redundancy spurred W3C to develop common standards for Web page markup for all payment systems

W3C Electronic Commerce Interest Group (ECIG) Draft Standard Architecture
- Client (consumer's web browser) initiates micropayment activity
- Client browser includes Per Fee Link Handler module and one or more electronic wallets
- New HTML tags will carry micropayment information

W3C Proposed Micropayment HTML Tags

The ECML Standard
- Electronic Commerce Modeling Language (ECML) proposed standards for electronic wallets
- Companies forming the consortium are America Online, IBM, Microsoft, Visa, and MasterCard
- Ultimate goal is for all commerce sites to accept ECML
- Unclear how this standard will incorporate privacy standards W3C set forth
- Electronic Commerce Modeling Language (ECML) Wallet/Merchant Standards Initiative, July 1999

ECML - Wallet/Merchant Standard
- Creating a standard approach for the exchange of information will enhance the ability for digital wallets to be used at all merchant sites and therefore facilitate the growth of e-commerce
- ECML is a universal, open standard for digital wallets and online merchants that facilitates the seamless exchange of payment and order information to support online purchase transactions
- Uniform field names only to start, will evolve over time

ECML - Wallet/Merchant Standard
- The ECML Alliance today:
  - America Online, American Express, Brodia (formerly Transactor Networks), Compaq, CyberCash, Discover, Financial Services Technology Consortium (FSTC), IBM, MasterCard, Microsoft, Novell, SETCo, Sun Microsystems, Trintech, and Visa
- ECML is designed to be security protocol independent, support global implementations, and support any payment instrument
- ECML does not change the "look and feel" of a merchant's site

Smart Cards
- Magnetic stripe
  - 140 bytes, cost $0.20-0.75
- Memory cards
  - 1-4 KB memory, no processor, cost $1.00-2.50
- Optical memory cards
  - 4 megabytes read-only (CD-like), cost $7.00-12.00
- Microprocessor cards
  - Embedded microprocessor
    - (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM
    - Equivalent power to IBM XT PC, cost $7.00-15.00
    - 32-bit processors now available

Smart Cards
- Plastic card containing an embedded microchip
- Available for over 10 years
- So far not successful in U.S., but popular in Europe, Australia, and Japan
- Unsuccessful in U.S. partly because few card readers available
- Smart cards gradually reappearing in U.S.; success depends on:
  - Critical mass of smart cards that support applications
  - Compatibility between smart cards, card-reader devices, and applications

Smart Card Applications
- Ticketless travel
  - Seoul bus system: 4M cards, 1B transactions since 1996
  - Planned the SF Bay Area system
- Authentication, ID
- Medical records
- Ecash
- Store loyalty programs
- Personal profiles
- Government
  - Licenses
- Mall parking
- ...

Advantages and Disadvantages of Smart Cards

Advantages:
1. Atomic, debt-free
2. Feasible for very small transactions (information commerce)
3. (Potentially) anonymous
4. Security of physical storage
5. (Potentially) currency-neutral

Disadvantages:
1. Low maximum transaction limit (not suitable for B2B or most B2C)
2. High infrastructure costs (not suitable for C2C)
3. Single physical point of failure (the card)
4. Not (yet) widely used

Mondex Smart Card
- Holds and dispenses electronic cash (Smart-card based, stored-value card)
- Developed by MasterCard International
- Requires specific card reader, called Mondex terminal, for merchant or customer to use card over Internet
- Supports micropayments as small as 3c and works both online and off-line at stores or over the telephone
- Secret chip-to-chip transfer protocol
- Value is not in strings alone; must be on Mondex card
- Loaded through ATM
  - ATM does not know transfer protocol; connects with secure device at bank

Mondex Smart Card Processing


Mondex transaction: 1
- Placing the card in a Mondex terminal starts the transaction process:

1. Information from the customer's chip is validated by the merchant's chip.
   - Similarly, the merchant's card is validated by the customer's card.

Mondex transaction: 2
2. The merchant's card requests payment and transmits a "digital signature" with the request.
   - Both cards check the authenticity of each other's message.
   - The customer's card checks the digital signature and, if satisfied, sends acknowledgement, again with a digital signature.

Mondex transaction: 3
3. Only after the purchase amount has been deducted from the customer's card is the value added to the merchant's card.
   - The digital signature from this card is checked by the customer's card and
   - If confirmed, the transaction is complete.

Mondex Smart Card Disadvantages
- Card carries real cash in electronic form, creating the possibility of theft
- No deferred payment as with credit cards -- cash is dispensed immediately

Security
- Active and dormant security software
  - Security methods constantly changing
  - ITSEC E6 level (military)
- VTP (Value Transfer Protocol)
  - Globally unique card numbers
  - Globally unique transaction numbers
  - Challenge-response user identification
  - Digital signatures
- MULTOS operating system
  - Firewalls on the chip

Credit Cards
- Used for the majority of Internet purchases
- Has a preset spending limit
- Currently most convenient method
- Most expensive e-payment mechanism
  - MasterCard: $0.29 + 2% of transaction value

Disadvantages
- Does not work for small amount (too expensive)
- Does not work for large amount (too expensive)

Charge card
- No spending limit
- Entire amount charged due at end of billing period

Payment Acceptance & Processing
- Merchants must set up merchant accounts to accept payment cards
- Law prohibits charging payment card until merchandise is shipped
- Payment card transaction requires:
  - Merchant to authenticate payment card
  - Merchant must check with card issuer to ensure funds are available and to put hold on funds needed to make current charge
  - Settlement occurs in a few days when funds travel through banking system into merchant's account

Processing a Payment Card Order

Open and Closed Loop Systems
- Closed loop systems
  - Banks and other financial institutions serve as brokers between card users and merchants & no other institution is involved
  - E.g.: American Express and Discover
- Open loop systems
  - Transaction is processed by third party
  - Visa and MasterCard are examples

Setting Up Merchant Account
- Merchant bank
  - Also called acquiring bank
  - Does business with merchants that want to accept payment cards
  - Merchant receives account where they deposit card sales totals
  - Value of sales slips is credited to merchant's account

Processing Payment Cards Online
- Can be done automatically by software packaged with electronic commerce software
- Can contract with third party to handle payment card processing
  - Can also pick, pack, and ship products to the customer
  - Allows merchant to focus on web presence and supply availability

Credit Card Processing

Payment Processing Services
- Internetsecure
  - Provides secure credit card payment services
  - Supports payments with Visa and MasterCard
  - Provides risk management and fraud detection, and ensures all proper security for credit card transactions is maintained
  - Ensures all transactions are properly credited to merchant's account

Payment Processing Services
- Tellan
  - Provides PCAuthorize for smaller sites and WebAuthorize for larger enterprise-class sites
  - Both systems capture credit card info from merchant's form & connect directly to bank network using dialup or private, leased lines
  - Bank network receives credit info, performs credit authorization, & deposits money in merchant's bank
  - Merchant's site receives confirmation or rejection of the transaction, which is communicated to customer

Payment Processing Services
- ICVerify
  - Provides electronic transaction processing for merchants for all major credit and debit cards
  - Allows check guarantees and verification transactions
- Authorize.Net
  - Online, real time service that links merchants with issuing banks by simply inserting a small block of HTML code into their transaction page

Secure Electronic Transaction (SET) Protocol
- Jointly designed by MasterCard and Visa with backing of Microsoft, Netscape, IBM, GTE, SAIC, and others
- Designed to provide security for card payments
- Contrasted with Secure Socket Layers (SSL) protocol
  - SET validates consumers & merchants
  - Provides secure transmission
- SET specification
  - Uses public key cryptography and digital certificates for validating both consumers and merchants
  - Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation

The SET Protocol
[Figure] The SET protocol coordinates the activities of the customer, merchant, merchant's bank, and card issuer. [Source: Stein]

The SET Protocol Process
1. Customer browses and decides to buy online
2. SET protocol sends order and payment info
3. Merchant sends order info to bank
4. Bank checks card with issuing authority like VISA for authorization
5. Issuer authorizes payment transaction
6. Bank authorizes transaction
7. Merchant completes order
8. Merchant captures transaction
9. Issuer sends credit card bill to customer

SET Payment Transactions
- SET-protected payments work like this:
  - Consumer makes purchase by sending encrypted financial information along with digital certificate
  - Merchant's website transfers the information to a payment card processing center while a Certification Authority certifies digital certificate belongs to sender
  - Payment card-processing center routes transaction to credit card issuer for approval
  - Merchant receives approval and credit card is charged
  - Merchant ships merchandise and adds transaction amount for deposit into merchant's account

SET uses a hierarchy of trust
[Figure] All parties hold certificates signed directly or indirectly by a certifying authority. [Source: Stein]

SET Protocol
- Extremely secure
  - Fraud reduced since all parties are authenticated
  - Requires all parties to have certificates
- So far has received lukewarm reception
- 80 percent of SET activities are in Europe and Asian countries
- Problems with SET
  - Not easy to implement
  - Not as inexpensive as expected
  - Expensive to integrate with legacy applications
  - Not tried and tested, and often not needed
  - Scalability is still in question

Q&A