San J ose State University email: jerrygao@email.sjsu.edu URL: http://www.engr.sjsu.edu/gaojerry Sept., 2000 Topic: Account-Based Electronic Payment Systems - I ntroduction to Credit Card-Based Payment Systems - Credit-Card based electronic payment systems - First Virtual - CyberCash - Set - Electronic check payment systems - FSTC - NetBill - Comparisons and summary J erry Gao Ph.D. 5/20000 Presentation Outline All Rights Reserved Credit Card payment schemes have been in use as a payment methodsince 1960s. There are two major international brands: VI SA and MasterCard About VI SA: - The VI SA brand grew from a scheme launched by the Bank of America, which was subsequently licensed by Barclaycard in the United Kingdom in 1966. - By the middle of 1995, VI SA owned by its 180,000 member financial institutions, had issued more than 420 million cards and is accepted by more than 12 million merchants in 247 countries. About MasterCard: - MasterCard is of comparable size with 13 million merchants in 220 countries and 22,000 member organizations. - More than 800 million cards issued and nearly $1,300 billion of sales each year. J erry Gao Ph.D. 5/2000 I ntroduction To Credit Card-Based Payment Systems Topic: Account-Based Electronic Payment Systems Different types of payment card schemes: (A) Credit cards, where payments are set against a special-purpose account associated with some form of installment-based repayment scheme or a revolving line of credit. - pay later with limit and interest rate. (B) Debit cards (paperless checks) are linked to a checking/saving account. - pay now with balance checking. (C)Charge cards: work in a similar way to credit cards in that payments are set against a special-purpose account. - payment must be made at the end of billing period without limit. (D) Travel and entertainment cards are charge cards whose usage is linked to airlines, hotels, restaurants, car rental companies, or particular retail outlets. J erry Gao Ph.D. 5/2000 I ntroduction To Credit Card-Based Payment Systems Topic: Account-Based Electronic Payment Systems J erry Gao Ph.D. 5/2000 I ntroduction To Credit Card-Based Payment Systems Topic: Account-Based Electronic Payment Systems Card Association Card I ssuers Bank Card Acquirers Bank Merchant CardHolder Payment Model: J erry Gao Ph.D. 5/2000 I ntroduction To Credit Card-Based Payment Systems Topic: Account-Based Electronic Payment Systems Region -------------------------------------------------------------------------------------------------------- U.S. 358.4 228.1 202.4 174 Europe 262.4 81.2 not available 53.5 Asia-Pacific 91.6 73 116.2 72.5 Canada 36.8 18.6 not available not available Middle East 5.6 2.3 5.5 2 Africa Latin America 23.6 21.4 19.1 21.2 Totals 778.4 424.7 470 338.7 VI SA (total $1248.4B sales) ----------------------------------------------- Sales Volume No. of billions of $(U.S.) Cards (millions) MasterCard (763.4 million cards) -------------------------------------------- Sales Volume No. of billions of $(U.S.) Cards (millions) J erry Gao Ph.D. 5/2000 Topic: Electronic Cash Payment Protocols and Systems Special Features of Credit Card-Based Electronic Payment Systems - Online Transaction. - Anonymity: This ensure that no detailed cash transactions for customer are traceable. Even sellers do not know the identity of customers involved in the purchases - Security: High security and low risk due to the use of traditional banking system and user accounts. - Standardization: Use of the existing standardized payment model - Flexibility: consumers can have multiple cards used in different countries and concurrency - All transactions can be easily traced by banking system and merchants. J erry Gao Ph.D. 5/2000 Topic: Electronic Check Payment Protocols and Systems Limitations: - Dependency: dependent on existing banking systems. - Transaction cost: high transaction cost compared with other approaches - Performance: slower performance due to the authentication and account validation using the existing banking systems - Privacy: consumer loss of the privacy of their transactions Special Features of Credit Card-Based Electronic Payment Systems J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems About First Virtual: - First Virtual was the first Credit Card Processing System started in Oct. 1994 by a company called First Virtual Holding. -The product is called Virtual PI N. - The major goal is to allow the selling of low value informationitems across the network without the need of a client software or hardware to be in place. - Both the merchant and the buyers are required to register with First Virtual before any transactions can take place. - First Virtual depends on the conventional bank automated clearing house (ACH) service. - First Virtual use WWW web server to support online purchasing and selling. - Security method: VirtualPI N are used to verify accounts of merchants and buyers. Credit Card-Based Electronic Payment System: First Virtual J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Credit Card-Based Electronic Payment System: First Virtual Web Server First Virtual I nternet Payment System Server Buyer 1. Account I D 4. I nformation Goods 2. Account I D Valid? 3. Account OK! 5. Transaction Details 7. Accept/Reject or Fraud I ndication 6. Satisfied Buying with First Virtual: J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Major advantages of First Virtual: - Simple due to: - no use of encryption - no export problems - simple exchanges without special software and hardware at the client side - server software is not complex The disadvantages and limitations of First Virtual: - Both merchants and buyers must pre-register. - No encryption mechanisms are used. Credit Card-Based Electronic Payment System: First Virtual J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems History of SET: - I n October 1995, the Secure Electronic Payment Protocol (SEPP) was proposed by the alliance of MasterCard, Netscape Corp, I BM, and others. - After a few days, a different network payment specification, called Secure Transaction Technology (STT) was launched by a VI SA and Microsoft consortium. - Both efforts were made in parallel to develop secure payment protocols and technologies for a number of months. - I n J anuary 1996, both companies announced that they would come together to develop a unified system -- a secure I nternet payment system based on Secure Electronic Transitions (SET) protocol. - I t is developed by Visa and MasterCard jointly later. - Later, most significant organizations in the I nternet payment industry have stated that they will support SET. Credit Card-Based Electronic Payment System: Set J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Phases of a credit card payment addressed by SET standards: Credit Card-Based Electronic Payment System: Set Financial Network Card I ssuer Card Holder Merchant Payment Gateway Non-Set Non-Set Set Set J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Credit Card-Based Electronic Payment System: Set Set Transaction Processing Layer (E-Wallet,Digital Certificate) Application Layer I nternet Protocol Layer HTTP, SMTP SSL, X.509 Set Transport and Secure Sockets Layer Set Message Structure Layer SET Protocol Layered Architecture: J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Credit Card-Based Electronic Payment System: Set Certificate Authority Certificate Authority Payment Gateway Payment Gateway Cardholder Merchant Purchasing Transaction s Certify with CA for Digital Certificate Validates SET Digital Certificates, preprocesses, authorization, capture, and settlement work SET Process Architecture: E-Wallet SET POS Certify with CA for Digital Certificate Certify with CA for Digital Certificate Wakeup Wakeup Store Front Certificate Authority E-Wallet SET POS Payment Gateway Browser Merchant Server Acquirer Legacy System Bank Interchange CertReq CertReq CertRes CertRes PInitReq PInitRes PReq PRes AuthReq AuthRes CapReq CapRes Wakeup CertReq CertRes Post HTTP Page Message Details Wakeup AuthRes AuthReq Shop wakeup Interactions among all SET entities: J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Topic: Account-based Electronic Payment Systems Cardholder Cardholder Merchant Merchant Acquirer Payment Gateway Acquirer Payment Gateway PWakeup PI nitReq PI nitRes PReq PRes AuthReq AuthRes I nqReq I nqRes CapReq CapRes Sequence of SET message pairs: J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems The messages needed to perform a complete purchase transaction include: Initialization (PInitReq/PInitRes) Purchase order (PReq/Pres) Authorization (AuthReq/AuthRes) Capture of payment (CapReq/CapRes) Cardholder inquiry (InqReq/InqRes) Security mechanism in SET: Certification for all parties, including Cardholder CA, Merchant CA, and Payment CA. Authentication for parties based on a public-key pair with RSA. Encryption is performed on parts of certain messages. Dual signatures are used in the SET protocol. J erry Gao Ph.D. 5/2000 Credit Card-Based Electronic Payment System: Set Topic: Account-based Electronic Payment Systems J erry Gao Ph.D. 5/2000 Credit Card-Based Electronic Payment System: Set Brand Certification Authority Geo-Political Authority (optional) Root Certification Authority Cardholder CA Cardholder Merchant CA Merchant Payment CA Payment Gateway J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems About CyberCash: - CyberCash is a secure I nternet payment system developed byCyberCash, I nc., which is located at Reston, VA, USA, and it was found in August 1994 to provide software and service solutions for secure financial transactions over theI nternet. - CyberCash uses special wallet software, enable consumers to make secure purchases using major credit cards from CyberCash-affiliated merchants. - theCyberCashpayment system was launched in April 1995. I t had over half a million copies in circulation. - CyberCash has other payment systems, such as CyberCoin (electronic cash system) and PayNow (electronic check system). Credit Card-Based Electronic Payment System: CyberCash J erry Gao Ph.D. 5/2000 Topic: Account-based Electronic Payment Systems Features of CyberCash: - Use the existing credit card infrastructure for settlement payments. - Use cryptographic techniques to protect the transaction data during a purchase. - Authenticate the identifies of both parties to the transaction. - Provide online transaction and online authentication. - Broker the transaction between merchants bank and cardholdersbank. Credit Card-Based Electronic Payment System: CyberCash J erry Gao Ph.D. 5/2000 Topic: Account-Based Payment Protocols and Systems Credit Card-Based Electronic Payment System: CyberCash Web Browser Customer Wallet Web Server Merchant Software CyberCash Server Shopping Purchase Purchase messages Registration Card binding Banking Network I nternet CyberCash Payment Model J erry Gao Ph.D. 5/2000 Topic: Account-Based Payment Protocols and Systems Credit Card-Based Electronic Payment System: CyberCash Payment Steps in aCyberCashPurchase Consumer Cybercash Server (CS) Merchant Click PAY order form forward details issue receipt authorize +clear with bank Credit-card pay Payment-req Charge-card-res auth-capture charge-action-res Finish shopping Choose CC, addr log transaction Topic: Account-Based Payment Protocols and Systems Credit Card-Based Electronic Payment System: CyberCash Header Transport Trailer Opaque CyberCashMessages: Header: I t indicates the start of a CyberCashmessage. Transport: I t contains the order information in a purchase, transaction I D, date, and the key I D to the encrypt the opaque part. Opaque: The encrypted part of a message. Trailer: the end of aCyberCashmessage. J erry Gao Ph.D. 5/2000 Topic:Elect ronicCheck Payment Protocols and Systems Overview of NetBill: - NetBill is a dependable, secure and economical payment method for purchasing digital goods and services through the I nternet. - NetBill protocol is developed by Carnegie Mellon University. - I n partnership with Visa I nternational and MellonBank, the first trial of the system was installed in early 1996. Major goals of NetBill: - Support high transaction volumes at low cost - Provide authentication, privacy, and security for transactions - Provide account management and administration for consumers andmerchants Electronic Check Payment System: NetBill J erry Gao Ph.D. 5/2000 Topic: Electronic Check Payment Protocols and Systems Electronic Check Payment Process: NetBill NetBill Server Customer Merchant Bank Network J erry Gao Ph.D. 5/2000 Topic: Electronic Check Payment Protocols and Systems Electronic Check Payment System: NetBill 1. Consumers application send a price quote request to the merchants application through a checkbook library. 2. Merchants application sends back the price quote the consumers application. 3. Consumer accepts the price quote, and then sends a purchase request through the Checkbook library. 4. Merchants application sends to the consumers Checkbook encrypted in a one- time key. 5.Consumer sends a electronic payment order (EPO) to merchants application. 6. The merchants application sends the endorsed EPO to the NetBill server. 7. NetBill server verifies that the consumer and merchant signatures are valid. Then, return the merchant a digitally signed receipt with a decryptionkey. 8. The merchants application forward the NetBill servers receipt to the Check book. NetBill Server Customer Merchant 1 2 3 4 8 6 7 5 J erry Gao Ph.D. 5/2000 Topic: Electronic Check Payment Protocols and Systems Electronic Check Payment System: NetBill NetBill Archecture: (Source: NetBill 1994 Prototype) Consumer Application Checkbook Merchant Application Till User Admin. Server Transaction Server Security Server System Admin. Server Payment & Collection Server DB J erry Gao Ph.D. 5/2000 Topic: Electronic Check Payment Protocols and Systems Electronic Check Payment System: NetBill Major features of NetBill: - Certified delivery: delivering encrypted information goods and then charging against the consumers NetBill account. Then, decryption key registration are used at both the merchants application and the NetBill server. - Scalability: the bottleneck in the NetBill model is the NetBill Server which supports many different merchants. - Support for flexible pricing: by including the steps of offer and acceptance. The merchant can calculate a customized quote for individual consumer. - Protection of consumer accounts against unscrupulous merchants in a conventional credit card transaction. J erry Gao Ph.D. 5/2000 Topic: Electronic Check Payment Protocols and Systems Electronic Check Payment System: NetBill Security Mechanisms of NetBill: - Create a NetBill account for each consumer by using a unique user I D and the RSA public key. - the key pair is certified by NetBill and is used for signatures and authentication in the system. -These signatures are used to check the elements of NetBill transactions (the price quote, the acceptance, etc) really came from the right parties. - NetBill uses symmetric cryptogrphy method for message authentication and encryption and decryption. J erry Gao Ph.D. 5/2000 Topic:Elect ronicCheck Payment Protocols and Systems Overview of FSTC: - The Financial Service Technology Consortium (FSTC) is a group of American Banks, research agencies, and government organizations, formed in 1995. - The basic concepts is use electronic checks to conduct payment transactions. - I n Sept. 1995, a demonstration of the FSTC electronic check concept was given that involved a purchase of an item from a merchant site on the I nternet. - the FSTC payment system uses: - electronic checks to transfer and moves funds from the buyers bank account to the merchants bank account based on a conventional ACH network. - a secure hardware device, called a Smart Token, is used to play as a checkbook. I t takes the form of a PC card with an in-built cryptographic support processor.. Electronic Check Payment System: FSTC J erry Gao Ph.D. 5/2000 Topic:Electronic Check Payment Protocols and Systems Electronic Check Payment System: FSTC payer Payee Secure H/W Debit Account Credit Account ACH Check Clearing Checkbook (secure H/W) Secure envelope invoice E-mail Statement Secure envelope Certs Sig Check Electronic check Certs endorsement certs sig check J erry Gao Ph.D. 5/2000 Topic:Electronic Check Payment Protocols and Systems Electronic Check Payment System: FSTCsFunctional Flows payer Payee write endorse Payers Bank Payees Bank debit credit 1. pay 5. statement 2. deposit 4. report 3.clear payer Payee write Payers Bank Payees Bank debit Endorse & credit 1. pay 4. statement 3.accounts receivable update 2.clear payer Payee write endorse Payers Bank Payees Bank debit credit 1. pay 6. statement 2.cash 5. report 4.EFT payer Payee write Payers Bank Payees Bank debit credit 1. pay 5. statement 3. Accounts Receivable update 2.EFT 3.notify Deposit-and-clear scenario Cash-and-transfer scenario Lockbox scenario Fund transfer scenario