030416 E-Commerce Payment
Total Page:16
File Type:pdf, Size:1020Kb
Electronic Payment Systems n To transfer money over the Internet n Methods of traditional payment E-Commerce Payment ¨Check, credit card, or cash n Methods of electronic payment ¨Electronic cash, software wallets, smart cards, Jane Hsu and credit/debit cards ¨Scrip is digital cash minted by third-party organizations The Vision of Electronic Payments The Reality of Electronic Payments The transition from atoms to bits is unstoppable The transition from atoms to bits is unstoppable, and irrevocable irrevocable but it will be slow and have limitations. -- Seasoned Banker - N. Negroponte n Checks are still around in the US – 60+ billion of them. n Computing, storage power and narrowband n Physical cards of any type are anachronisms. They will die a slow death much like checks. connectivity growing exponentially n Vested interests will slow the pace of change but will not n Science of networks is better understood be able to resist the winds of change. n Will a new phoenix emerge from the ashes of n Will a new player like eBay lead the change or will it be a large incumbent FI? History sides with the likes of eBay. the dotcom meltdown ? Requirements for e-payments Desirable Properties of Digital Money n Atomicity n Universally accepted n Transferable electronically ¨Money is not lost or created during a transfer n Divisible n Good atomicity n Non-forgeable, non-stealable ¨Money and good are exchanged atomically n Private (no one except parties know the amount) n Anonymous (no one can identify the payer) n Non-repudiation n Work off-line (no on-line verification needed) ¨No party can deny its role in the transaction ¨Digital signatures n No known system satisfies all. 1 Electronic Cash Electronic Cash Issues n Primary advantage is with purchase of n E-cash must allow spending only once items less than $10 n Must be anonymous, just like regular ¨Credit card transaction fees make small currency purchases unprofitable ¨ Safeguards must be in place to prevent counterfeiting ¨Micropayments ¨ Must be independent and freely transferable n Payments for items costing less than $1 regardless of nationality or storage mechanism n Divisibility and Convenience n Complex transaction (checking with Bank) ¨ Atomicity problem Two storage methods Smart Cards n On-line n Magnetic stripe ¨ 140 bytes, cost $0.20-0.75 ¨ Individual does not have possession personally of electronic cash n Memory cards ¨ 1-4 KB memory, no processor, cost $1.00-2.50 ¨ Trusted third party, e.g. online bank, holds customers’ cash accounts n Optical memory cards ¨ 4 megabytes read-only (CD-like), cost $7.00-12.00 n Off-line n Microprocessor cards ¨ Customer holds cash on smart card or software wallet ¨ Embedded microprocessor ¨ Fraud and double spending require tamper-proof n (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM encryption n Equivalent power to IBM XT PC, cost $7.00-15.00 n 32-bit processors now available Smart Cards Smart Card Applications n Plastic card containing an embedded microchip n Ticketless travel n Available for over 10 years ¨ Seoul bus system: 4M cards, 1B transactions since 1996 ¨ Planned the SF Bay Area system n So far not successful in U.S., but popular in Europe, n Authentication, ID Australia, and Japan n Medical records n Unsuccessful in U.S. partly because few card readers n Ecash available n Store loyalty programs n Smart cards gradually reappearing in U.S.; success n Personal profiles depends on: n Government ¨ Critical mass of smart cards that support applications ¨ Licenses ¨ Compatibility between smart cards, card-reader devices, and applications n Mall parking n . 2 Advantages and Disadvantages of Mondex Smart Card Smart Cards n Advantages: n Holds and dispenses electronic cash (Smart-card based, ¨ Atomic, debt-free transactions stored-value card) ¨ Feasible for very small transactions (information commerce) n Developed by MasterCard International ¨ (Potentially) anonymous n Requires specific card reader, called Mondex terminal, ¨ Security of physical storage for merchant or customer to use card over Internet ¨ (Potentially) currency-neutral n Supports micropayments as small as 3c and works both online and off-line at stores or over the telephone n Disadvantages: n Secret chip-to-chip transfer protocol ¨ Low maximum transaction limit (not suitable for B2B or most B2C) n Value is not in strings alone; must be on Mondex card ¨ High Infrastructure costs (not suitable for C2C) n Loaded through ATM ¨ Single physical point of failure (the card) ¨ ATM does not know transfer protocol; connects with secure ¨ Not (yet) widely used device at bank Mondex Smart Card Processing Mondex transaction n Here's what happens "behind the scenes" during a Mondex transaction between a consumer and merchant. Placing the card in a Mondex terminal starts the transaction process: ¨ Information from the customer's chip is validated by the merchant's chip. Similarly, the merchant's card is validated by the customer's card. ¨ The merchant's card requests payment and transmits a "digital signature" with the request. Both cards check the authenticity of each other's message. The customer's card checks the digital signature and, if satisfied, sends acknowledgement, again with a digital signature. ¨ Only after the purchase amount has been deducted from the customer's card is the value added to the merchant's card. The digital signature from this card is checked by the customer's card and if confirmed, the transaction is complete. Advantages and Disadvantages of Mondex Smart Card Electronic Cash n Disadvantages n Advantages ¨ Card carries real cash in electronic form, creating the possibility of theft ¨ More efficient, eventually meaning lower prices ¨ No deferred payment as with credit cards -cash is dispensed ¨ immediately Lower transaction costs n Security ¨ Anybody can use it, unlike credit cards, and does not ¨ Active and dormant security software require special authorization n Security methods constantly changing n ITSEC E6 level (military) n Disadvantages ¨ VTP (Value Transfer Protocol) ¨ Tax trail non-existent, like regular cash n Globally unique card numbers n Globally unique transaction numbers ¨ Money laundering n Challenge-response user identification ¨ Susceptible to forgery n Digital signatures ¨ MULTOS operating system n firewalls on the chip 3 Secure Electronic Transaction The SET protocol (SET) Protocol n Jointly designed by MasterCard and Visa with backing of Microsoft, Netscape, IBM, GTE, SAIC, and others n Designed to provide security for card payments as they travel on the Internet ¨ Contrasted with Secure Socket Layers (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission n SET specification ¨ Uses public key cryptography and digital certificates for validating both consumers and merchants ¨ Provides privacy, data integrity, user and merchant authentication, and consumer non-repudiation The SET protocol coordinates the activities of the customer, merchant, merchant’s bank, and card issuer. [Source: Stein] SET Payment Transactions SET uses a hierarchy of trust SET -protected payments work like this: n Consumer makes purchase by sending encrypted financial information along with digital certificate n Merchant’s website transfers the information to a payment card processing center while a Certification Authority certifies digital certificate belongs to sender n Payment card-processing center routes transaction to credit card issuer for approval n Merchant receives approval and credit card is charged n Merchant ships merchandise and adds transaction amount for deposit into merchant’s account All parties hold certificates signed directly or indirectly by a certifying authority. [Source: Stein] SET Protocol n Extremely secure ¨ Fraud reduced since all parties are authenticated ¨ Requires all parties to have certificates n So far has received lukewarm reception n 80 percent of SET activities are in Europe and Asian countries n Problems with SET ¨ Not easy to implement ¨ Not as inexpensive as expected ¨ Expensive to integrated with legacy applications ¨ Not tried and tested, and often not needed ¨ Scalability is still in question 4.