10

Online Payment:Online Payment:
Issues and SolutionsIssues and Solutions
APEC OVOP Training Workshop on E-Commerce
Chinese Taipei
20-24 August 2007
Assoc Prof Margaret Tan
Deputy Director, Singapore Internet Research Centre
Nanyang Technological University, Singapore
1© 2007 The Millennium eTrust Pte Ltd

What is Electronic Payment?What is Electronic Payment?
Is a system that permits online payment
between parties using an electronic surrogate
of a financial tender
The electronic surrogate is backed by financial
institutions and/or trusted intermediaries
The intent is to act as an alternative form of
payment to the physical cash, cheque or other
financial tender

Current StatusCurrent Status
ePayment opportunities are growing albeit slowly
New players are entering ePayment marketplace
Variety of ePayment mechanisms and devices -
creating state of chaos
Infrastructure for ePayment is complex and
expensive to deploy
Lack of critical mass adoption and acceptance
Online payment is hard to implement globally

ePayment is still evolving ...ePayment is still evolving ...
New ePayment Solutions
Security
Infrastructure
Business
Realities
Authentication Models
Spa
Customer
Profiles
Payment Types
4

ePayment ChannelsePayment Channels
Defined as ‘touch points’ where a payment
transaction is originated or initiated
Can be executed through a variety of channels
◦ Internet based
◦ Kiosks
◦ Contactless or proximity sensors
◦ Mobile eg mobile phones, PDA

ePayment InstrumentsePayment Instruments
Defined as the medium in which the value is
recognised in a payment transaction
Card-based such as
◦ Credit and charge cards
 buy now, pay later
◦ Debit cards
 buy now, pay now
◦ Cash cards, stored-valued, e-cash
 buy now, prepaid or pay before

Credit CardsCredit Cards
Most widely used
◦ banks able to leverage existing card infrastructure
◦ appears ‘defacto’ online payment
Largely unencrypted
◦ ‘card-not-present’ transactions processed without
customer & merchant authentication
Charge back risk for merchants
◦ charge-back is when customer demands a refund
◦ banks transfer liabilities of charge-backs to the
merchants
◦ merchants need to have a bond to cover such
charges

Debit CardsDebit Cards
Direct electronic transfer of account - direct
account debiting
Uses chip/smart eWallets
Digital signature to secure access
Connected to eBanking solution

Digital CashDigital Cash
A system of purchasing cash and storing the
credits in consumer’s computer
Computerised stored value is used as a form
of cash to be spent in small increments
A third party is involved in the payment
transactions
Examples: Beenz, Billpoint, Paypal
9© 2007 The Millennium eTrust Pte Ltd© 2007 The Millennium eTrust Pte Ltd

CazhCazh
A project by ABN-Amro
A debit system that creates network between
merchant and bank to allow customers pay for
the goods by direct debit of customers’ bank
account
Once customer has been authenticated by
his/her bank, he/she can authorise the bank to
pay the merchant on the goods purchase
Similar to Nets POS but in cyberspace

Cash CardCash Card
Payment solution on a proprietary protocol that
allows payment over the Internet
A digital/virtual wallet with prepaid credit-
based/token-based payment system
Enables low-value electronic payments on the
Internet
Limited distribution, proprietary solutions
Needs to install card reader and download free
eWallet

eChequeeCheque
A formatted email message that consists of
payee name, amount, payment date, payer’s
account number, and payer’s bank
Digital certificate and signature are used to
secure the cheque so that the contents are not
tampered with
A signed electronic cheque is exchanged
between the parties’ financial institutions
through automated clearing house

Mobile WalletMobile Wallet
Relatively new space exploited by telcos and non-
financial enterprises
Provides ePurse functionality to replace card-type
payments
Aggregating micro-payments onto the mobile
phone bill
Can use mobile access device to authenticate
payer’s identity
SIM card well placed to function and control
payment process and authentication

Components of OnlineComponents of Online
Payment SystemPayment System
© 2007 The Millennium eTrust Pte Ltd
Online
Merchants
Consumer Payment
Clearinghouses
Payment
Enablers
• Payment
Gateways
• Merchant
Acquirers
• Shopping Cart
Vendors
• Non-bank payment
Processors
Competing
Authentication
Services

ePayment RisksePayment Risks
Internet
Private
network
Internet
Bank
network
•Use of stolen
card
•Credit card
number or
password
stolen from
computer
•Unauthorised
access
•Information
modified in
transit
•Payment info
stolen from
merchant
•Masquerading
as legitimate
merchant
•Key info stolen
by merchant
staff
•Information
modified in
transit
•Information
stolen
Buyer Merchant
Payment
gateway

60% of non-buyers said “credit card security,”
the highest factor cited.
Factors that would convert non-
buyers to buyers online?
Odyssey, 2000
58% of new Internet users said “better security,”
the 3rd
highest factor cited.
Factors that would motivate new
users to purchase online?
Jupiter Research, May 2000
68% of Internet users said “hackers getting
credit card number,” 2nd
highest concern cited
Worries and concerns regarding
online activities?
Pew Internet & Am Life
Project, June 2000
47% of Internet users said “credit card security,”
the 3rd
highest barrier cited.
Barriers to online purchasing?Greenfield Online, 2000
79% of Internet users said “credit card security,”
the number one cited barrier.
Barriers to online purchasing?Pricewaterhouse Coopers,
2000
85% of online shoppers said “secure
transactions,” the highest cited feature.
Important features of online
shopping sites?
Cyber Dialogue, 2000
88% of online shoppers said “guaranteed credit
card security”, 2nd
highest feature cited.
Features that will increase the
likelihood to buy online?
Odyssey, 2000
ResultsResultsQuestion AskedQuestion AskedSurvey BySurvey By
Research on online shopping

How can we secureHow can we secure
ePayment?ePayment?
The Trust Principle
◦ The parties to the transaction must trust each
other
◦ Buyer must believe that seller is legitimate
and will deliver the goods
◦ Buyer must believe that goods are as
represented and are worth the price
◦ Seller must believe that buyer is legitimate
and will pay for the goods purchased
© 2007 The Millennium eTrust Pte Ltd 17© 2007 The Millennium eTrust Pte Ltd

How can we secureHow can we secure
ePayment?ePayment?
The Security Principle
◦ Parties need a secure environment in which to
conduct the electronic transactions
◦ Seller needs to protect the details of the
transactions
◦ Buyer needs to be certain that his/her
information is securely handled and stored
◦ Buyer needs to be certain that information is
not stolen that it can be inappropriately used

ePayment SolutionsePayment Solutions
 Must provide security: resistance to fraud and online
attacks
 Reliable: highly available and accessible at all times
 Cost effective: cost per transaction should be low even for
micro-payment
 Integrated and scaleable: interoperable amongst
different systems, payment methods and multiple servers
distributed across the Internet
 Convenient and easy to use: should support several
devices
 Anonymity: should protect the identities of parties to the
transactions and should not monitor the sources of finance

Securing ePaymentsSecuring ePayments
Identification and authenticate
◦ the ability to verify both the transacting parties
Authorisation
◦ the ability to validate the rightful owner to the
transaction
Integrity and confidentiality
◦ the ability to transmit the transaction securely
◦ the ability to store the transaction properly
Accountability
◦ The ability to provide audit trail as evidence in
dispute
Policies for sharing risks and liabilities
◦ the mechanism to settle disputes/non-repudiation
20

Authentication ModelsAuthentication Models
Something you have and something you know –
ATM card model
Known to the back-end (server), synchronize
with each transaction using a one time random
number – Secur-ID model
“Sign” each transaction – PKI-model
Tie into a real person – Biometrics

ePayment Transaction CycleePayment Transaction Cycle
Buyer
Issuing
B
ank
M
erchant
A
cquiring
B
ank
V
isa/M
astercard
Bills buyer
Pays bank
Orders goods
Deliver goods
Reimburses
merchant
Voucher to
Acquiring
Bank
Transaction
voucher to
Issuing Bank
Issuing Bank
pays Visa /
Mastercard
Sends transaction voucher to
Visa / Mastercard
Visa / Mastercard reimburses
Acquiring Bank
1
2 7
45
3
6
8
9

Secure Sockets LayerSecure Sockets Layer
(SSL)(SSL)
A security protocol to protect sensitive data
transmitted over the Internet
Uses encryption to protect the transmission of
data
When SSL session starts, server sends key to
the browser, which returns random key to the
server
Ensures that data are not tampered with or
stolen en route

Secure Electronic TransferSecure Electronic Transfer
- SET- SET
Protocol by Visa and MasterCard released in
1996
3 party system - cardholder, merchant and bank
using SET-enabled systems
Uses digital certificate to ensure cardholder is
who he/she says he/she is or claims to be
Credit card details are invisible to merchants,
protected by encryption for clearing bank

3D SET (Server-based SET)3D SET (Server-based SET)
Overcome the resistance of original SET
Uses server-based implementation of SET
Reduces technology that must be deployed by
merchant and customer
◦ Merchants use ‘thin’ modules
◦ Customers use ‘slim’ digital wallets
Not inter-operable with SSL websites

How 3D SET works ...How 3D SET works ...
Customer
AcquirerIssuer
Cardholder
Certificates
Wallet
Server
Merchant
API or URL
2. Wallet Initiates
Purchase
4. Payment Authorisation
WTLS
SSL SET SET
1. Cardholder
Authentication
3.
Payment
Request
Merchant
Certificates
Payment
Gateway

Features of 3D SETFeatures of 3D SET
Certificate is stored in a central server of the
issuer and not at the cardholder computer
Cardholder is flexible to use certificates with
other devices
Cardholder can only use certificate issued by
the CA - a limitation
Theft of certificate is still possible from the
server-based SET - a problem

Visa 3D SecureVisa 3D Secure
A model that provides authenticated payment
capabilities of all parties within the transaction
continuum or cycle
◦ Issuer - cardholders and their banks
◦ Acquirer - merchants and their banks
◦ Interoperability - communication between issuing and
acquiring organisation
The purpose is to isolate the responsibilities of
the transacting parties

Visa 3D Secure - For IssuerVisa 3D Secure - For Issuer
Cardholders’ banks responsible for the
registration of cardholder, receipt and access
control of server
Communicates with 3D Secure merchant
plug-ins via Visa directory
The issuer backend card system provides
access to cardholder information

Visa 3D Secure - For AcquirerVisa 3D Secure - For Acquirer
Must install a 3D Secure Merchant-plug-in (MPI)
on website that is integrated with shopping cart
system - payment gateway
Handles communications with Visa directory and
customers’ credit card issuer
System only authenticates customers to
merchant but not converse
Merchants do not store customers’ details on
their servers

Authentication - MPIAuthentication - MPI
Software is installed and configured on
merchants’ machine
Merchant is responsible for looking up
transaction records during the chargeback
process and retrieving the “digital
signatures” in order to shift liability to the
cardholder

Merchant with MPIMerchant with MPI

Authentication - ManagedAuthentication - Managed
ServiceService
 No software required to be installed on
merchants machine
 Service Provider is responsible for looking up
transaction records on behalf of the
merchant during the chargeback process &
retrieving the “digital signatures” in order to
shift liability to the cardholder

Authentication ManagedAuthentication Managed
ServiceService

MasterCard Secure PaymentMasterCard Secure Payment
Application (SPA)Application (SPA)
SPA is an authenticated payment system that
involves participation of the cardholder,
cardholder’s issuer, and merchant
Cardholder needs authentication mechanism
from the issuer such as a browser plug-in or an
electronic wallet in their computers
Merchants needs plug-in from the acquirer in
shopping cart to carry hidden fields of
transaction-specific information which can be
checked with the security token

Issues with AuthenticationIssues with Authentication
Verifying the identity and authenticity of party
to the transaction
Verifying that the same person/entity is
conducting the transaction
If the authentication scheme is broken, a user
can impersonate another!
The level of authentication should correspond to
the ‘value’ of the transaction
One authentication secret for all application is
dangerous - a single point of failure

To Summarise ...To Summarise ...
‘Defacto’ authentication standards for ‘card-
not-present’ system
Mandates for compliance and integration -
“front-end” and “back-end”
Overcome problem of authentication and
integrity in online transactions

Thank You …Thank You …

10

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Ähnlich wie 10

Ähnlich wie 10 (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

10

Hinweis der Redaktion