1. Online Payment: Issues and Solutions
APEC OVOP Training Workshop on E-Commerce
Chinese Taipei
20-24 August 2007
Assoc Prof Margaret Tan
Deputy Director, Singapore Internet Research Centre
Nanyang Technological University, Singapore
© 2007 The Millennium eTrust Pte Ltd
2. What is Electronic Payment?
- A system that permits online payment between parties using an electronic surrogate of a financial tender
- The electronic surrogate is backed by financial institutions and/or trusted intermediaries
- The intent is to act as an alternative form of payment to physical cash, cheques or other financial tender
3. Current Status
- ePayment opportunities are growing, albeit slowly
- New players are entering the ePayment marketplace
- Variety of ePayment mechanisms and devices, creating a state of chaos
- Infrastructure for ePayment is complex and expensive to deploy
- Lack of critical-mass adoption and acceptance
- Online payment is hard to implement globally
4. ePayment is still evolving ...
[Diagram: ePayment is still evolving, surrounded by New ePayment Solutions, Security Infrastructure, Business Realities, Authentication Models, Customer Profiles and Payment Types]
5. ePayment Channels
- Defined as "touch points" where a payment transaction is originated or initiated
- Can be executed through a variety of channels:
  - Internet based
  - Kiosks
  - Contactless or proximity sensors
  - Mobile, e.g. mobile phones, PDAs
6. ePayment Instruments
- Defined as the medium in which the value is recognised in a payment transaction
- Card-based, such as:
  - Credit and charge cards: buy now, pay later
  - Debit cards: buy now, pay now
  - Cash cards, stored-value cards, e-cash: buy now, prepaid or pay before
7. Credit Cards
- Most widely used
  - banks are able to leverage the existing card infrastructure
  - appears to be the "de facto" online payment method
- Largely unencrypted
  - "card-not-present" transactions are processed without customer and merchant authentication
- Charge-back risk for merchants
  - a charge-back is when the customer demands a refund
  - banks transfer the liability for charge-backs to the merchants
  - merchants need to hold a bond to cover such charges
8. Debit Cards
- Direct electronic transfer from the account (direct account debiting)
- Uses chip/smart eWallets
- Digital signature to secure access
- Connected to an eBanking solution
9. Digital Cash
- A system of purchasing cash and storing the credits on the consumer's computer
- Computerised stored value is used as a form of cash to be spent in small increments
- A third party is involved in the payment transactions
- Examples: Beenz, Billpoint, PayPal
10. Cazh
- A project by ABN-Amro
- A debit system that creates a network between merchant and bank to allow customers to pay for goods by direct debit of the customer's bank account
- Once the customer has been authenticated by his/her bank, he/she can authorise the bank to pay the merchant for the goods purchased
- Similar to NETS POS, but in cyberspace
11. Cash Card
- Payment solution on a proprietary protocol that allows payment over the Internet
- A digital/virtual wallet with a prepaid credit-based/token-based payment system
- Enables low-value electronic payments on the Internet
- Limited distribution, proprietary solutions
- Needs a card reader to be installed and a free eWallet to be downloaded
12. eCheque
- A formatted email message that consists of payee name, amount, payment date, payer's account number, and payer's bank
- Digital certificate and signature are used to secure the cheque so that the contents are not tampered with
- A signed electronic cheque is exchanged between the parties' financial institutions through an automated clearing house
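The signed-cheque idea on this slide, as an added example that is not from the original presentation: a Go program (the struct, field names and sample values are assumptions) that serialises the listed fields in a fixed order, signs them with Ed25519 and shows that changing the amount in transit invalidates the signature. Binding the payer's public key to the account via a certificate, which the slide mentions, is assumed to happen out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ECheque holds the fields the slide lists; struct and field names are assumptions.
type ECheque struct {
	Payee        string `json:"payee"`
	Amount       string `json:"amount"` // decimal string, avoids float rounding
	PaymentDate  string `json:"payment_date"`
	PayerAccount string `json:"payer_account"`
	PayerBank    string `json:"payer_bank"`
}

// canonical returns the exact bytes that get signed: JSON in fixed field order,
// so payer and clearing house compute the same message.
func canonical(c ECheque) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for plain string fields
	}
	return b
}

// Sign produces a detached Ed25519 signature by the payer over the cheque.
func Sign(payerKey ed25519.PrivateKey, c ECheque) []byte {
	return ed25519.Sign(payerKey, canonical(c))
}

// Verify is what the payee or clearing house runs: any altered field changes
// the canonical bytes, so the signature no longer verifies.
func Verify(payerPub ed25519.PublicKey, c ECheque, sig []byte) bool {
	return ed25519.Verify(payerPub, canonical(c), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample cheque.
	chq := ECheque{"Example Merchant Ltd", "125.00", "2007-08-20", "0012345678", "Example Bank"}
	sig := Sign(priv, chq)
	fmt.Println("original verifies:", Verify(pub, chq, sig)) // true
	forged := chq
	forged.Amount = "1250.00" // modification in transit
	fmt.Println("modified verifies:", Verify(pub, forged, sig)) // false
}
```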
13. Mobile Wallet
- Relatively new space exploited by telcos and non-financial enterprises
- Provides ePurse functionality to replace card-type payments
- Aggregates micro-payments onto the mobile phone bill
- Can use the mobile access device to authenticate the payer's identity
- The SIM card is well placed to run and control the payment process and authentication
14. Components of Online Payment System
[Diagram: Online Merchants; Consumer Payment Clearinghouses; Payment Enablers (Payment Gateways, Merchant Acquirers, Shopping Cart Vendors, Non-bank Payment Processors); Competing Authentication Services]
15. ePayment Risks
[Diagram: Buyer -- Internet -- Merchant (private network) -- Bank network -- Payment gateway, with the risks shown at each point:]
- At the buyer: use of stolen card; credit card number or password stolen from computer
- Over the Internet between buyer and merchant: unauthorised access; information modified in transit
- At the merchant (private network): payment info stolen from merchant; masquerading as legitimate merchant; key info stolen by merchant staff
- Over the bank network between merchant and payment gateway: information modified in transit; information stolen
16. Research on online shopping

Survey By | Question Asked | Results
Odyssey, 2000 | Factors that would convert non-buyers to buyers online? | 60% of non-buyers said "credit card security," the highest factor cited.
Jupiter Research, May 2000 | Factors that would motivate new users to purchase online? | 58% of new Internet users said "better security," the 3rd highest factor cited.
Pew Internet & American Life Project, June 2000 | Worries and concerns regarding online activities? | 68% of Internet users said "hackers getting credit card number," the 2nd highest concern cited.
Greenfield Online, 2000 | Barriers to online purchasing? | 47% of Internet users said "credit card security," the 3rd highest barrier cited.
PricewaterhouseCoopers, 2000 | Barriers to online purchasing? | 79% of Internet users said "credit card security," the number one cited barrier.
Cyber Dialogue, 2000 | Important features of online shopping sites? | 85% of online shoppers said "secure transactions," the highest cited feature.
Odyssey, 2000 | Features that will increase the likelihood to buy online? | 88% of online shoppers said "guaranteed credit card security," the 2nd highest feature cited.
17. How can we secure ePayment?
- The Trust Principle
  - The parties to the transaction must trust each other
  - Buyer must believe that the seller is legitimate and will deliver the goods
  - Buyer must believe that the goods are as represented and are worth the price
  - Seller must believe that the buyer is legitimate and will pay for the goods purchased
18. How can we secure ePayment?
- The Security Principle
  - Parties need a secure environment in which to conduct the electronic transactions
  - Seller needs to protect the details of the transactions
  - Buyer needs to be certain that his/her information is securely handled and stored
  - Buyer needs to be certain that the information is not stolen and then inappropriately used
19. ePayment Solutions
- Must provide security: resistance to fraud and online attacks
- Reliable: highly available and accessible at all times
- Cost effective: cost per transaction should be low, even for micro-payments
- Integrated and scalable: interoperable amongst different systems, payment methods and multiple servers distributed across the Internet
- Convenient and easy to use: should support several devices
- Anonymity: should protect the identities of the parties to the transactions and should not monitor the sources of finance
20. Securing ePayments
- Identification and authentication
  - the ability to verify both transacting parties
- Authorisation
  - the ability to validate the rightful owner of the transaction
- Integrity and confidentiality
  - the ability to transmit the transaction securely
  - the ability to store the transaction properly
- Accountability
  - the ability to provide an audit trail as evidence in a dispute
- Policies for sharing risks and liabilities
  - the mechanism to settle disputes / non-repudiation
21. Authentication Models
- Something you have and something you know: ATM card model
- Known to the back-end (server), synchronised with each transaction using a one-time random number: Secur-ID model
- "Sign" each transaction: PKI model
- Tie into a real person: Biometrics
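The Secur-ID model on this slide (a back-end that stays synchronised with the token and expects a fresh one-time code per transaction), as an added example that is not from the original presentation. SecurID's own algorithm is proprietary, so this Go program uses the open RFC 4226 HOTP construction as a stand-in; it shows the server re-synchronising its counter within a look-ahead window and refusing a replayed code. The secret is the RFC 4226 test vector secret; the Server type and its window size are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes a 6-digit RFC 4226 one-time code for a given event counter.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f                                  // dynamic truncation offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff // drop the sign bit
	return fmt.Sprintf("%06d", code%1000000)
}

// Server is the back-end's state: the shared secret, the next counter it expects,
// and how far ahead it will look if the token was pressed without being used.
type Server struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Verify accepts a code that matches any of the next `window` counters and then
// moves the counter past it, so an intercepted code cannot be replayed.
func (s *Server) Verify(code string) bool {
	for i := uint64(0); i < s.window; i++ {
		if hmac.Equal([]byte(hotp(s.secret, s.counter+i)), []byte(code)) {
			s.counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	srv := &Server{secret: secret, window: 3}
	fmt.Println("first use:", srv.Verify(hotp(secret, 0))) // true
	fmt.Println("replay:   ", srv.Verify(hotp(secret, 0))) // false
	fmt.Println("skipped 1:", srv.Verify(hotp(secret, 2))) // true, counter now 3
	fmt.Println("too far:  ", srv.Verify(hotp(secret, 9))) // false, outside window
}
```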
22. ePayment Transaction Cycle
[Diagram: the nine-step cycle between Buyer, Merchant, Acquiring Bank, Visa/Mastercard and Issuing Bank. Flows shown:]
- Buyer <-> Merchant: orders goods; delivers goods
- Merchant <-> Acquiring Bank: voucher to Acquiring Bank; reimburses merchant
- Acquiring Bank <-> Visa/Mastercard: sends transaction voucher to Visa/Mastercard; Visa/Mastercard reimburses Acquiring Bank
- Visa/Mastercard <-> Issuing Bank: transaction voucher to Issuing Bank; Issuing Bank pays Visa/Mastercard
- Issuing Bank <-> Buyer: bills buyer; pays bank
23. Secure Sockets Layer (SSL)
- A security protocol to protect sensitive data transmitted over the Internet
- Uses encryption to protect the transmission of data
- When an SSL session starts, the server sends its key to the browser, which returns a random key to the server
- Ensures that data are not tampered with or stolen en route
24. Secure Electronic Transfer - SET
- Protocol by Visa and MasterCard released in 1996
- 3-party system (cardholder, merchant and bank) using SET-enabled systems
- Uses a digital certificate to ensure the cardholder is who he/she claims to be
- Credit card details are invisible to merchants, protected by encryption for the clearing bank
25. 3D SET (Server-based SET)
- Overcomes the resistance to the original SET
- Uses a server-based implementation of SET
- Reduces the technology that must be deployed by merchant and customer
  - Merchants use "thin" modules
  - Customers use "slim" digital wallets
- Not interoperable with SSL websites
26. How 3D SET works ...
[Diagram: Customer, Issuer (Wallet Server holding Cardholder Certificates), Merchant (API or URL, Merchant Certificates) and Acquirer (Payment Gateway); links labelled WTLS, SSL and SET. Steps shown:]
1. Cardholder Authentication
2. Wallet Initiates Purchase
3. Payment Request
4. Payment Authorisation
27. Features of 3D SET
- The certificate is stored in a central server of the issuer and not on the cardholder's computer
- The cardholder is free to use the certificate with other devices
- The cardholder can only use a certificate issued by the CA (a limitation)
- Theft of the certificate from the server-based SET is still possible (a problem)
28. Visa 3D Secure
- A model that provides authenticated payment capabilities to all parties within the transaction continuum or cycle
  - Issuer: cardholders and their banks
  - Acquirer: merchants and their banks
  - Interoperability: communication between issuing and acquiring organisations
- The purpose is to isolate the responsibilities of the transacting parties
29. Visa 3D Secure - For Issuer
- Cardholders' banks are responsible for the registration of cardholders, and for receipt and access control of the server
- Communicates with 3D Secure merchant plug-ins via the Visa directory
- The issuer's back-end card system provides access to cardholder information
30. Visa 3D Secure - For Acquirer
- Must install a 3D Secure Merchant Plug-in (MPI) on the website, integrated with the shopping cart system (payment gateway)
- Handles communications with the Visa directory and the customer's credit card issuer
- The system only authenticates customers to the merchant, not the converse
- Merchants do not store customers' details on their servers
31. Authentication - MPI
- Software is installed and configured on the merchant's machine
- The merchant is responsible for looking up transaction records during the chargeback process and retrieving the "digital signatures" in order to shift liability to the cardholder
33. Authentication - Managed Service
- No software is required to be installed on the merchant's machine
- The Service Provider is responsible for looking up transaction records on behalf of the merchant during the chargeback process and retrieving the "digital signatures" in order to shift liability to the cardholder
35. MasterCard Secure Payment Application (SPA)
- SPA is an authenticated payment system that involves participation of the cardholder, the cardholder's issuer, and the merchant
- The cardholder needs an authentication mechanism from the issuer, such as a browser plug-in or an electronic wallet on their computer
- Merchants need a plug-in from the acquirer in the shopping cart to carry hidden fields of transaction-specific information, which can be checked against the security token
36. Issues with Authentication
- Verifying the identity and authenticity of a party to the transaction
- Verifying that the same person/entity is conducting the transaction
- If the authentication scheme is broken, a user can impersonate another!
- The level of authentication should correspond to the "value" of the transaction
- One authentication secret for all applications is dangerous: a single point of failure
37. To Summarise ...
- "De facto" authentication standards for "card-not-present" systems
- Mandates for compliance and integration: "front-end" and "back-end"
- Overcome the problems of authentication and integrity in online transactions
38. Thank You ...
Editor's notes (sources cited in the speaker notes): Achex, February 2002; Visa International, 2002; "Authentication - The missing element in online payment security", www.gpayments.com; i-TransACT, 2002.