UNIT IV ECOMMERCE PAYMENTS AND SECURITY

E PAYMENTS Traditionally, all payment transaction involved some form of paper, whether a check, an invoice, a credit card slip or cash. Now you can pay all of your monthly bills with a few clicks of the mouse, purchase products without leaving your desk or sofa and have your paycheck directly deposited into your bank account CHARACTERISITICS OF E-PAYMENT y An electronic payment is a payment that is transmitted electronically either over telephone lines or between web sites on the internet. y y No tangible currency such as a bank note or check changes hands. Any information required to make the payment such as a credit card number or Personal Identification Number (PIN), exists only in digital form. Projected growth The use of electronic methods to pay bills and purchase products online is growing as the internet grows. Electronic Payment Categories Most e-payments are for B2B and B2C. You can divide e-payments for B2C into two categories : i) Payments made for goods and services purchased online. For example, the consumer selects a product, completes an online form and selects a payment method, such as credit card, debit card, e-cash or e-check. ii) Payments made in response to bills or invoices. For example, a consumer authorizes a bank to transfer money from a bank account to specified recipients such as the telephone company or a utility company.

Electronic Payment Process  A customer who decides to purchase an item from an online business is transferred to a secure server where he or she enters a credit card number into a form.  The information entered into the secure server is encrypted using security technologies.  The payment information moves to the online transaction server where the payment is authorized (or declined), depending on whether the credit card number is valid and the customer has sufficient credit to cover the purchase.  If the credit card information is valid and funds are available, the information is transmitted to the institution or organization that receives payments owed to the merchant and a deposit is made to the merchants bank account.  The customer is informed that the transaction has been processed and shipping the goods has been initiated.  If the goods are shipped electronically such as a downloadable computer game, then the entire process could take no more than a minute or two from the time the customer submits the payment to the time that the file appears on the customers hard drive, depending on the size of the file and the computers download speed. Figure 4.1 illustrates the process.

Figure 4.1 Electronic payment processes

Four parts involved in e-payments: i) Issuer the bank or a financial institution which issues the credit card and sets the limit based on the customers credit history. ii) Customer Person who purchase a product and made an electronic payment. iii) iv) Merchant Party that receives payment form customer via electronically. Regulator Governmental agency which controls the electronic payment process according to law. Electronic Payment Issues  The increasing dependence on using electronic methods to process payments has its benefits and its challenges.  On the other hand, electronic payments can be less expensive to process than paper payments.  But the perceived risk of fraud might worry some vendors, while concerns about the security of electronic transactions and the buying pattern they divulge might discourage some consumers. Costs and Benefits Issues  Electronic payments are intended to lower transaction costs significantly.  Since less paper resources are used to process an online payment, the environment may benefit from a decreased demand for paper products.  On the other hand, significant technical resources, such as high-speed internet connections, secure servers and computers capable of processing high volume transactions, are required. Security Issues For many consumers, the issue of security remains paramount. Stories about credit card number harvesting, teenagers hacking into celebrity bank account and internet fraud help to fuel skepticism. These are the main concerned faced by consumers:

Privacy Relates to what information is gathered about an individual. For example, consumers are concerned about the privacy of internet transaction information. When they pay for a product online, is the information about their purchase sold or given to other businesses? Therefore the company should keep the consumers transaction information confidentially and the information should not be used without permission.

Authentication and Authorization A crucial part of any security system knows who is doing what and whether they are supposed to do what they are doing. The merchant, the consumer and broker should identify and authenticate who is involved in the transaction. Only authorized party can transfer data and information upon receiving a payment.

Integrity The integrity of the payment transaction is highly ensured that no changes can be made without being noticed.

Non-repudiation All parties involved in the e-payment process is undeniable

From the issues, there are few crucial factors in determining which method of e-payment achieves widespread acceptance.  Independence  Interoperability  Security  Anonymity  Divisibility  Ease of use  Transaction fees Security for Electronic Payment  Companies that use their computers to access the internet and process orders must develop security procedures to prevent unauthorized access to their systems, to protect data transmitted over the internet from loss or damage and to safeguard customers information from unauthorized used.  A company also must use the available technology to keep its system safe before competitors and others use the same technology to gain unlawful access.

 A security plan also called a security policy grows and changes as new risks are identified and old risks are removed by the development of new technology. Six steps that companies can take to develop a security plan are described below. Erect firewalls y y y y y Issue the monitor passwords Develop access control lists Obtain digital certificates Monitor active control Employ encryption methods

Public Key Infrastructure (PKI)  A public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA).  The user identity must be unique for each CA. This is carried out by software at a CA, possibly under human supervision, together with other coordinated software at distributed locations.  For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA. Purpose and functions PKI arrangements enable computer users without prior contact to be authenticated to each other and to use the public key information in their public key certificates to encrypt messages to each other. In general, a PKI consists of client software, server software, hardware (e.g., smart cards), legal contracts and assurances, and operational procedures. A signer's public key certificate may also be used by a third-party to verify the digital signature of a message, which was made using the signer's private key. In general, a PKI enables the parties in a dialogue to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance, or even any prior contact.

Public Key Cryptography Public key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key. Conversely, Secret key cryptography, also known as symmetric cryptography uses a single secret key for both encryption and decryption. The two main branches of public key cryptography are:
y

Public key encryption a message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used to ensure confidentiality.

digital signatures a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender signed it and that the message has not been tampered with. This is used to ensure authenticity.

 An analogy for public-key encryption is that of a locked mailbox with a mail slot.  The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key.  Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the key can open the mailbox and read the message.  An analogy for digital signatures is the sealing of an envelope with a personal wax seal.  The message can be opened by anyone, but the presence of the seal authenticates the sender.

Figure 4.2 key Generation A big random number is used to make a public-key pair. Anyone can encrypt using the public key, but only the holder of the private key can decrypt. Secrecy depends on the secrecy of the private key.

Figure 4.3 Example for encryption using key

Using a private key to encrypt (thus signing) a message; anyone can check the signature using the public key. Validity depends on private key security. By combining your own private key with the other user's public key, you can calculate a shared secret that only the two of you know. The shared secret can be used as the key for a symmetric cipher. A central problem for public-key cryptography is proving that a public key is authentic, and has not been tampered with or replaced by a malicious third party. The usual approach to this problem is to use a public-key infrastructure (PKI), in which one or more third parties, known as certificate authorities, certify ownership of key pairs.. Infrastructure and Security of Electronic Payment Secure Socket Layer (SSL)  Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.  The TLS protocol(s) allow applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery.  TLS provides endpoint authentication and communications privacy over the Internet using cryptography.  Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating.  The next level of securityin which both ends of the "conversation" are sure with whom they are communicatingis known as mutual authentication.  Mutual authentication requires public key infrastructure (PKI) deployment to clients.

Secure Electronic Transactions (SET) Secure Electronic Transaction (SET) is a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET is not itself a payment system, but rather a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network in a secure fashion. SET specification lists the following business requirements for secure payment processing with credit cards over the Internet and other networks:  Provide confidentiality of payment and ordering information  Ensure the integrity of all transmitted data  Provide authentication that a cardholder is a legitimate user of credit card account  Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution  Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction  Create a protocol that neither depends in transport security mechanisms nor prevents their use  Facilitate and encourage interoperability among software and network providers Digital Signatures A digital signature or digital signature scheme is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form. Digital signature schemes normally give two algorithms, one for signing which involves the user's secret or private key, and one for verifying signatures which involves the user's public key. The output of the signature process is called the "digital signature."

Digital signatures, like written signatures, are used to provide authentication of the associated input, usually called a "message." Messages may be anything, from electronic mail to a contract, or even a message sent in a more complicated cryptographic protocol. Digital signatures are used to create public key infrastructure (PKI) schemes in which a user's public key (whether for public-key encryption, digital signatures, or any other purpose) is tied to a user by a digital identity certificate issued by a certificate authority. PKI schemes attempt to unbreakably bind user information (name, address, phone number, etc.) to a public key, so that public keys can be used as a form of identification. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. Certificate Authority (CA)

A certificate authority (CA) is a body either public or private that seeks to fill the need for trusted third party services in e-commerce. A CA accomplishes this by issuing digital certificates that attest to certain facts about the subject of the certificate. VeriSign is one of the pioneering CAs. In the context of credit cards, the cardholder certificate authority (CCA) issues the certificate to cardholders, the merchant certificate authority (MCA) to merchants who operate e-stores and the payment gateway certificate authority to payment gateway service providers.

Electronic Payment Methods The methods used to pay for products and services online include credit cards, electronic funds transfer (EFT), electronic cash, electronic wallet, smart cards, digital checks and e-billing. All of those have the ability to transfer payment from one person or party to another.

Credit Payment System Credit card When taking online Payments you need an Internet Merchant Service and a Payment Service Provider to collect card details over the Internet. A Payment Service Provider acts like a virtual PDQ machine. Your bank will carry out thorough credit checks and will charge you for this service.

Authorization and Capture are the two main stages in the processing of a card payment over the Internet. Authorization is the process of checking the customers credit or debit card. The card issuer will respond to the authorization request with one of three answers: 1. Accepted sale can go ahead. 2. Rejected card cannot be used for this transaction. 3. Invalid Data there is some problem with the details provided and these should be checked again with the customer. If the request is accepted the customers card limit is reduced temporarily by the amount of the transaction. This can be done manually or automatically. Capture is when the card is actually debited. This may take place simultaneously with the authorization request if the retailer can guarantee a specific delivery time. Otherwise the capture will happen when the goods are shipped. Again there are both manual and automatic options available to the retailer. E-Wallet  An Electronic wallet or E-Wallet serving as function similar to a physical wallet, holds credit card numbers, electronic cash, owner identification and owner contact information and provides that information at an electronic commerce websites check out counter. Some electronic wallets contain an address book number.

 Software, residing as a plug-in in the Web browser, that enables a cardholder to conduct online transactions, manages payment receipts and store digital certificates.  Like your real wallet, your digital wallet stores your credit card number and shipping details. This wallet initiates the data encryption in a SET transaction.  A server side Electronic wallet stores a customers information on a remote server belonging to particular wallet publisher.  A client side Electronic wallet stores a consumers information on his or her own computer. Storing an electronic wallet on the users computer shifts the responsibility for maintaining security to the user. Smart card A smart card, chip card, or integrated circuit card (ICC), is defined as any pocket-sized card with embedded integrated circuits which can process information. This implies that it can receive input which is processed - by way of the ICC applications - and delivered as an output. There are two broad categories of ICCs. Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic. Microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally PVC, but sometimes ABS. The card may embed a hologram to avoid counterfeiting. Cash Payment System Electronic Fund Transfer and Electronic funds transfer or EFT refers to the computer-based systems used to perform financial transactions electronically. The term is used for a number of different concepts:
y y y

cardholder-initiated transactions, where a cardholder makes use of a payment card electronic payments by businesses, including salary payments Electronic check (or cheque) clearing.

Debit card  A debit card is a plastic card which provides an alternative payment method to cash when making purchases.  Physically the card is an ISO 7810 card like a credit card; however, its functionality is more similar to writing a cheque as the funds are withdrawn directly from either the cardholder's bank account (often referred to as a cheque card), or from the remaining balance on a gift card. E Cash  E-cash or electronic cash, is an electronic payment option. It is also known as digital cash.  The main characteristic that distinguishes e-cash from other electronic payment solutions is that the monetary values are stored on a device controlled by the user.  In analogy to real cash, both this device and the information representing the e-cash are sometimes called the users electronic wallet.  All wholehearted implementations of e-cash need to secure the user's balance. This means that a user cannot manipulate the amount of e-cash in her e-wallet.  A bank card that supports electronic purse features is an example for an e-cash system which relies on the tamper resistance of the chip-card to secure the user's balance. Classification of e-Cash E-Cash could be on-line, or off-line. On-Line E-Cash refers to amount of digital money kept by your E-Cash issuers, which is only accessible via the network. Off-line E-Cash refers to digital money which you keep in your electronic wallet or other forms of off-line devices. Another way to look at E-Cash is to see if it is traceable or not. On-line credit card payment is considered as a kind of "Identified" E-Cash since the buyer's identity can be traced. Contrary to Identified E-Cash, we have "anonymous" E-Cash which hides buyer's identity. These procedures can be implemented in either of two ways:

 On-line payment means that Bob calls the Bank and verifies the validity of Alice's token3 before accepting her payment and delivering his merchandise. (This resembles many of today's credit card transactions.)  Off-line payment means that Bob submits Alice's electronic coin for verification and deposit sometime after the payment transaction is completed. (This method resembles how we make small purchases today by personal check.) Note that with an on-line system, the payment and deposit are not separate steps. We will refer to on-line cash and off-line cash schemes, omitting the word "electronic" since there is no danger of confusion with paper cash. A Simplified Electronic Cash Protocol We now present simplified electronic cash system, without the anonymity features. PROTOCOL 1: On-line electronic payment. Withdrawal: Alice sends a withdrawal request to the Bank. Bank prepares an electronic coin and digitally signs it. Bank sends coin to Alice and debits her account. Payment/Deposit: Alice gives Bob the coin. Bob contacts Bank and sends coin. Bank verifies the Bank's digital signature. Bank verifies that coin has not already been spent. Bank consults its withdrawal records to confirm Alice's withdrawal. (Optional) Bank enters coin in spent-coin database. Bank credits Bob's account and informs Bob. Bob gives Alice the merchandise. One should keep in mind that the term "Bank" refers to the financial system that issues and clears the coins. For example, the Bank might be a credit card company, or the overall banking system. In the latter case, Alice and Bob might have separate banks. If that is so, then

the "deposit" procedure is a little more complicated: Bob's bank contacts Alice's bank, "cashes in" the coin, and puts the money in Bob's account. PROTOCOL 2: Off-line electronic payment. Withdrawal: Alice sends a withdrawal request to the Bank. Bank prepares an electronic coin and digitally signs it. Bank sends coin to Alice and debits her account. Payment: Alice gives Bob the coin. Bob verifies the Bank's digital signature. (Optional) Bob gives Alice the merchandise. Deposit: Bob sends coin to the Bank. Bank verifies the Bank's digital signature. Bank verifies that coin has not already been spent. Bank consults its withdrawal records to confirm Alice's withdrawal. (optional) Bank enters coin in spent-coin database. Bank credits Bob's account. The above protocols use digital signatures to achieve authenticity. The authenticity features could have been achieved in other ways, but we need to use digital signatures to allow for the anonymity mechanisms we are about to add. Store-value card A stored-value card represents money on deposit with the issuer, and is similar to a debit card. One major difference between stored value cards and debit cards is that debit cards are usually issued in the name of individual account holders, while stored value cards are usually anonymous. The value associated with the card can be accessed using a magnetic stripe embedded in the card, on which the card number is encoded.

using radio-frequency identification (RFID); or by entering a code number, printed on the card, into a telephone or other numeric keypad E-loyalty  Loyalty programs are structured marketing efforts that reward, and therefore encourage, loyal buying behaviour - behaviour which is potentially of benefit to the firm.  In marketing generally and in retailing more specifically, a loyalty card, rewards card, points card, or club card is a plastic or paper card, visually similar to a credit card or debit card that identifies the card holder as a member in a loyalty program. Loyalty cards are a system of the loyalty business model. E-check  An e-Check is an electronic transfer of funds in which the money is taken from a bank account, typically a checking account.  The account's routing number and account number are used to draw funds from the account. E-Checks can clear much faster than written checks. Managerial issues In the B2C world, understand your customers and products In the B2B world, keep an open mind about online alternatives In-house or outsource Security continues to be a major issue Payment systems A payment is the transfer of wealth from one party (such as a person or company) to another. A payment is usually made in exchange for the provision of goods, services, or both, or to fulfill a legal obligation. The oldest form of payment is barter, the exchange of one good or service for another.

Barter is a type of trade in which goods or services are directly exchanged for other goods and/or services, without the use of money.

Barter usually replaces money as the method of exchange in times of monetary crisis, when the currency is unstable and devalued by hyperinflation.

Micro payment systems Micropayments are means for transferring very small amounts of money, in situations where collecting such small amounts of money with the usual payment systems is impractical, or very expensive, in terms of the amount of money being collected. Micropayment originally meant 1/1000th of a US dollar, meaning a payment system that could efficiently handle payments at least as small as a tenth of a cent, or few paisas to rupees. But now is often defined to mean payments too small to be affordably processed by credit card or other electronic transaction processing mechanism. The use of micropayments may be called Micro-commerce. A micropayment is an online transaction of a small denomination e.g. $2, 3.50, or 4, and can be used for digital content purchase such as music, news or consumer reports. Beverages, Phone calls, Tolls, transportation, parking, Copying Internet content, Lotteries, gambling. A micropayment can also be used to charge for digital services such as P2P applications and access to website member areas. A micropayment system is an online payment system which supports charging relatively small amounts for online content or services. Here the speed and cost of processing payments are critical factors in assessing schemes usability. Fast user response is essential if the user is to be encouraged to make a large number of purchases.

Processing and storage requirements placed on micropayment providers and vendors must be economic for low value transactions.

Technological savings: Dont verify every transaction Use symmetric encryption

Float-preserving methods Prepayment Grouping  Aggregate purchases (to amortize fixed costs)  Provide float to processor  Partial anonymity (individual purchases disguised)

Prepaid cards Issued by non-banks Represent call on future service Not money since usable only with one seller

Electronic purse (wallet) Issued by bank Holds representation of real money In form of a card (for face-to-face or Internet use) In virtual form (computer file for Internet use) The two forms are converging, e.g. wireless

Loading (charging) the purse with money Making a payment (removing money from the card) Clearance (getting money into the sellers account)

Micropayment Efficiency  Providers need to process a peak load of at least 2500 transactions/second  Public-key cryptography is expensive y 1 RSA signature verifications = 1000 symmetric encryptions = 10,000 hashes

 Need to minimize Internet traffic y y y Servers must be up More servers required, longer queues, lost packet delay Remove the provider from the process (user + vendor only)

 For small payment amounts, perfection is not needed y y Losing a micropayment Keep micropayment fraud low

Remote Micropayments Remote micropayments Buyer is not physically in sellers presence Cant insert card into vendors machine No physical goods, only information goods if micropayment will work, goods must be cheap, e.g. $0.01

Subscriptions, credit cards, checks, ACH (even PayPal) too expensive