7 - 1 Copyright © 2001 by Harcourt, Inc. All rights reserved E-commerce Payment Systems and Security

E Payments Class Feb 19


DESCRIPTION

An overview of E-payments


Page 1: E Payments Class Feb 19


E-commerce Payment Systems and Security

Page 2: E Payments Class Feb 19


Electronic money

• Electronic commerce needs
  – speed
  – security
  – privacy
  – internationalization

• Paper-based systems are inadequate


Page 4: E Payments Class Feb 19


2001 Daniel L. Silver 4

Traditional Payment Methods

Payment: The transfer of money from one individual or legal entity to another

• Cash
• Personal Cheques
• Money orders (Bank note)
• Credit cards
• Debit cards

Page 5: E Payments Class Feb 19


E-Commerce Payment Systems

• Credit Cards
• Electronic Funds Transfer (EFT)
• Card-based Digital Cash
• Computer-based Digital Cash

Page 6: E Payments Class Feb 19


• Electronic funds transfer (EFT): EFT involves electronic transfer of money by financial institutions.

• Payment cards: They contain stored financial value that can be transferred from the customer's computer to the businessman's computer.

• Credit cards: They are the most popular method used in EPSs and are used by charging against the customer's credit.

Page 7: E Payments Class Feb 19


• Smart cards: They include stored financial value and other important personal and financial information used for online payments.

• Electronic money (e-money/e-cash): This is standard money converted into an electronic format to pay for online purchases.

Page 8: E Payments Class Feb 19


• Online payment: This can be used for monthly payment for Internet, phone bills, etc.

• Electronic wallets (e-wallets): They are similar to smart cards as they include stored financial value for online payments.

Page 9: E Payments Class Feb 19


• Micro-payment systems: They are similar to e-wallets in that they include stored financial value for online payments; on the other hand, they are used for small payments, such as kurus in Turkey.

Page 10: E Payments Class Feb 19


• Electronic gifts: They are one way of sending electronic currency or gift certificates from one individual to another. The receiver can spend these gifts in their favorite online stores provided they accept this type of currency.

Page 11: E Payments Class Feb 19


E-Commerce Payment Systems

Characteristics of Electronic Money

                               Security   Authentication   Scale of Purchase
Credit Card                    High       High             Small to Medium
EFT                            High       High             Small to Large
Card-Based Digital Cash        Medium     High             Nano to Medium
Computer-Based Digital Cash    High       High             Nano to Medium


Page 13: E Payments Class Feb 19


Credit Cards
• A very common method of payment
• Cards are issued by a bank
• Unique 16-digit number (including check digits) and an expiration date
• Third party authorization companies verify purchases

Page 14: E Payments Class Feb 19


Credit card
• Safe, secure, and widely used
• Secure servers and clients support the use of credit cards
• Credit card suppliers are working to improve security (SET)
• Does not support person-to-person transfers
• Does not have the privacy of cash

Page 15: E Payments Class Feb 19


• Most popular payment method
• Especially for B2C e-commerce
• 1st generation: No protection, only provide credit card number for processing
• 2nd generation: SSL for protecting the transfer of credit card information
• 3rd generation: SET for secure credit card authorization
• 4th generation: Portable smart cards?

Page 16: E Payments Class Feb 19


SMU CSE 5349/7349

Credit Card Protocols
• SSL: 1 or 2 parties have private keys
• TLS (Transport Layer Security)
  – IETF version of SSL
• iKP (IBM)
• SEPP (Secure Encryption Payment Protocol)
  – MasterCard, IBM, Netscape
• STT (Secure Transaction Technology)
  – VISA, Microsoft
• SET (Secure Electronic Transactions)
  – MasterCard, VISA; all parties have certificates

[Slide annotations: OBSOLETE; VERY SLOW ACCEPTANCE]

Page 17: E Payments Class Feb 19


Computer-based Digital Cash
• Digicash can be used to withdraw and deposit electronic cash over the Internet
• Anonymity
• Need a digital bank account
• Person-to-person transfers
• Uses public-key encryption

Page 18: E Payments Class Feb 19


Card-based Digital Cash

• Electronic parallel of notes and cash
• Prepaid cards
• Smart cards
  – Combines many functions
• Privacy of cash
• Can be lost or stolen

Page 19: E Payments Class Feb 19


Electronic funds transfer
• Introduced in the late 1960s by banks
• Electronic check writing
• Fast and flexible
• All transactions must pass through the banking system and are recorded
  – No anonymity

Page 20: E Payments Class Feb 19


E-Commerce Payment Systems

Use of EFT for Consumer Purchase

[Figure: Purchase Item with Debit Card → Transmission Electronically Submitted → Clearinghouse Transfers Funds → Funds Credited to Store Account]

Page 21: E Payments Class Feb 19


E-Commerce Payment Systems

Purchasing with Digital Cash

[Figure: Create Account; Receive Digital Cash and Store on PC; Purchase Item with Digital Cash; Receive Item via Delivery Service. Parties: Bank Dealing in Digital Cash; Store Accepting Digital Cash. Flows: Digital Cash to Bank; Funds from Bank]

Page 22: E Payments Class Feb 19


SET: Seven business requirements (according to SET Book 1)

• Provide confidentiality of payment information
• Ensure the integrity of all transmitted data
• Provide cardholder’s authentication
• Provide merchant’s authentication
• Ensure the use of the best security practices and system design techniques
• Create a protocol that is independent of the transport layer protocol
• Facilitate interoperability
• (Please read Book 1: Business Description at http://www.setco.org/download.html/#spec)

Page 23: E Payments Class Feb 19


Network Architecture of SET System

[Figure: nodes Cardholder, Merchant, Certificate authority, Payment gateway/Acquirer, Issuer; networks Internet and Existing financial network; link labels Payment/Inquiry and Authorization and Capture (twice)]

Page 24: E Payments Class Feb 19


Digital Certificate System for SET

[Figure: certificate hierarchy. Root CA; Brand CA (e.g. Visa or Master); Geopolitical CA (e.g. Visa Asia); Merchant CA, Cardholder CA, Payment gateway CA; User level CA]

Page 25: E Payments Class Feb 19


Steps in Generation of a Dual Signature

Step 1: Find the message digest of OI and PI

Step 2: Concatenate H[OI] and H[PI] and find the message digest

Step 3: Encrypt HPIOI with cardholder’s private signature key (using RSA encryption)

[Figure: OI → H[OI]; PI → H[PI]; HPIOI = H[H[PI] || H[OI]]; HPIOI encrypted with the cardholder’s private signature key → Dual Signature]

Reference: W. Stallings, Cryptography and Network Security, Prentice Hall, 1999.

Page 26: E Payments Class Feb 19


Generation of a Digital Envelope

[Figure: M is encrypted by key_random (DES Encryption); key_random is encrypted by key_public_exchange,VBS (RSA Encryption); together these form the Digital Envelope]

Page 27: E Payments Class Feb 19


General SET Information Flow

[Figure: message flow between Cardholder, Merchant and Acquirer (Payment Gateway)]

(1) Purchase initialization request
(2) Purchase initialization response
(3) Purchase request
(4) Purchase response
(5) Authorization request
(6) Authorization response
(7) Capture request
(8) Capture response
Inquiry request (optional)
Inquiry response (optional)

Page 28: E Payments Class Feb 19


Securing Transactions
• Security Issues
• Encryption and Signing
  – Private Key Encryption
  – Public Key Encryption
• SET and SSL
• Internet Security

Page 29: E Payments Class Feb 19


Security Issues
• The openness of the Internet makes security more difficult
• Computer technology can be used to attack the Internet
• Many people worry about the safety of transactions on the Internet/Web
• Need to control access to

Page 30: E Payments Class Feb 19


Encryption
• Encryption is as old as writing
• Sensitive information needs to remain secure
• Critical to electronic commerce
• Encryption hides the meaning of a message
• Decryption reveals the meaning of an encrypted message

Page 31: E Payments Class Feb 19


Securing Transactions

Public Key Encryption

[Figure: Sender encrypts with the Receiver’s Public Key; Receiver decrypts with the Receiver’s Private Key]

Page 32: E Payments Class Feb 19


Securing Transactions

Signing with Public Key System

[Figure: Sender signs with the Sender’s Private Key; Receiver verifies with the Sender’s Public Key]

Page 33: E Payments Class Feb 19


Secure Electronic Transaction (SET)

• Backed by Visa and MasterCard
• Based on cryptography and digital certificates
• Digital certificates uniquely identify the parties to a transaction
  – An electronic credit card
  – Registries for authentication
• A digital signature is used to guarantee a sender’s identity

Page 34: E Payments Class Feb 19


• Developed by Visa and MasterCard
• Designed to protect credit card transactions
• Confidentiality: all messages encrypted
• Trust: all parties must have digital certificates
• Privacy: information made available only when and where necessary

Page 35: E Payments Class Feb 19


Participants in the SET System

Page 36: E Payments Class Feb 19


SET Business Requirements
• Provide confidentiality of payment and ordering information
• Ensure the integrity of all transmitted data
• Provide authentication that a cardholder is a legitimate user of a credit card account

• Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution

Page 37: E Payments Class Feb 19


SET Business Requirements (cont’d)

• Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction

• Create a protocol that neither depends on transport security mechanisms nor prevents their use

• Facilitate and encourage interoperability among software and network providers

Page 38: E Payments Class Feb 19


SET Transactions

Page 39: E Payments Class Feb 19


SET Transactions

• The customer opens an account with a card issuer.
  – MasterCard, Visa, etc.

• The customer receives an X.509 V3 certificate signed by a bank.
  – X.509 V3

• A merchant who accepts a certain brand of card must possess two X.509 V3 certificates.

– One for signing & one for key exchange

• The customer places an order for a product or service with a merchant.

• The merchant sends a copy of its certificate for verification.

Page 40: E Payments Class Feb 19


SET Transactions

• The customer sends order and payment information to the merchant.

• The merchant requests payment authorization from the payment gateway prior to shipment.

• The merchant confirms order to the customer.

• The merchant provides the goods or service to the customer.

• The merchant requests payment from the payment gateway.

Page 41: E Payments Class Feb 19


Key Technologies of SET

• Confidentiality of information: DES
• Integrity of data: RSA digital signatures with SHA-1 hash codes
• Cardholder account authentication: X.509v3 digital certificates with RSA signatures
• Merchant authentication: X.509v3 digital certificates with RSA signatures
• Privacy: separation of order and payment information using dual signatures

Page 42: E Payments Class Feb 19


Dual Signature for SET

• Concept: Link Two Messages Intended for Two Different Receivers:
  – Order Information (OI): Customer to Merchant
  – Payment Information (PI): Customer to Bank
• Goal: Limit Information to A “Need-to-Know” Basis:
  – Merchant does not need credit card number.
  – Bank does not need details of customer order.
  – Afford the customer extra protection in terms of privacy by keeping these items separate.
• This link is needed to prove that payment is intended for this order and not some other one.

Page 43: E Payments Class Feb 19


Why Dual Signature?

• Suppose that customers send the merchant two messages:
• The signed order information (OI).
• The signed payment information (PI).
• In addition, the merchant passes the payment information (PI) to the bank.
• If the merchant can capture another order information (OI) from this customer, the merchant could claim this order goes with the payment information (PI) rather than the original.

Page 44: E Payments Class Feb 19


Dual Signature Operation

• The operation for dual signature is as follows:
  – Take the hash (SHA-1) of the payment and order information.
  – These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed.
  – Customer encrypts the final hash with a private key creating the dual signature.

$DS = E_{KR_C}[\,H(H(PI) \,\|\, H(OI))\,]$

Page 45: E Payments Class Feb 19


DS Verification by Merchant

• The merchant has the public key of the customer obtained from the customer’s certificate.

• Now, the merchant can compute two values:
  $H(PIMD \,\|\, H(OI))$
  $D_{KU_C}[DS]$

• Should be equal!

Page 46: E Payments Class Feb 19


DS Verification by Bank

• The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, so the bank can compute the following:
  $H(H(PI) \,\|\, OIMD)$
  $D_{KU_C}[DS]$

Page 47: E Payments Class Feb 19


What did we accomplish?

• The merchant has received OI and verified the signature.
• The bank has received PI and verified the signature.
• The customer has linked the OI and PI and can prove the linkage.
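
The dual signature operation and the two verifications from the preceding slides, as an added example that is not part of the original deck. It assumes a toy unpadded RSA key built from two Mersenne primes and constructed OI/PI strings; the function names are hypothetical. It also shows the check failing when a different order is attached to the same PI and DS.

```python
import hashlib

# Toy cardholder RSA key, constructed for this example: two Mersenne primes give
# a modulus wider than a 160-bit SHA-1 digest. Unpadded and NOT secure.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key  (KUc)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (KRc)

def H(data: bytes) -> bytes:
    """SHA-1, the hash the slides name for SET."""
    return hashlib.sha1(data).digest()

def as_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big")

def dual_sign(pi: bytes, oi: bytes) -> int:
    """DS = E_KRc[ H( H(PI) || H(OI) ) ]"""
    return pow(as_int(H(H(pi) + H(oi))), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD = H(PI); it never sees PI itself."""
    return pow(ds, E, N) == as_int(H(pimd + H(oi)))

def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank holds PI and OIMD = H(OI); it never sees OI itself."""
    return pow(ds, E, N) == as_int(H(H(pi) + oimd))

# Constructed sample messages (not real card or order data).
OI = b"order 1001: 1 x paperback, total 19.95"
PI = b"card XXXX-XXXX-XXXX-0000, amount 19.95, order 1001"
OTHER_OI = b"order 1002: 1 x laptop, total 1999.00"

def demo() -> dict:
    ds = dual_sign(PI, OI)
    return {
        "merchant_accepts": merchant_verify(OI, H(PI), ds),
        "bank_accepts": bank_verify(PI, H(OI), ds),
        # A different order presented with the same PI and DS is rejected.
        "bank_accepts_swapped_order": bank_verify(PI, H(OTHER_OI), ds),
        # A digest of altered payment information fails the merchant's check.
        "merchant_accepts_other_pi": merchant_verify(OI, H(PI + b"0"), ds),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```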

Page 48: E Payments Class Feb 19


[Figure: Secure Electronic Transmission (SET). Labels: SET Encryption; Request is Sent to E-commerce Server; E-Commerce Server Verifies Transaction; Purchase is Requested; Merchant Sends Record to Bank; Transaction is Approved; Bank Credits Merchant’s Account]

Page 49: E Payments Class Feb 19


Secure Sockets Layer (SSL)
• Created by Netscape for secure message transmission.
• Uses public-key encryption
• Browser is the client
• Netscape servers can be enabled for SSL
• Other servers can be enabled by installing the Netscape SSLRef program library

Page 50: E Payments Class Feb 19


SET Components
• Cardholder wallet
• Merchant server
• Payment gateway

Page 51: E Payments Class Feb 19


The SET process
• Certificate authority
• Computerworld quick study
  – http://www2.computerworld.com/home/features.nsf/all/980629qs

Page 52: E Payments Class Feb 19


SET pros and cons
• Merchant cannot decipher credit card details
• SSL is well-established and simpler

Page 53: E Payments Class Feb 19


SET Overhead

Simple purchase transaction:
• Four messages between merchant and customer
• Two messages between merchant and payment gateway
• 6 digital signatures
• 9 RSA encryption/decryption cycles
• 4 DES encryption/decryption cycles
• 4 certificate verifications

Scaling:
• Multiple servers need copies of all certificates

Page 54: E Payments Class Feb 19


Overview of E-cash
• What are the two distinctive characteristics for cash?
  – Anonymity and transferability
• Ecash was developed by DigiCash and is now provided by ecashtechnologies (http://www.ecashtechnologies.com)

• Its founder David Chaum is a well known expert in the area of digital cash.

• Ecash allows anonymous and secure electronic cash payment over the Internet.

• Since 1995, Mark Twain bank (USA) has been providing Ecash services.

• Ecash is based on an innovative blind signature method.

Page 55: E Payments Class Feb 19


Basic Operation of E-cash system

[Figure: message flow between Customer, Bank and VBS (Merchant)]

• Generate the blinded coins
• Send the blinded coins to the bank
• Debit the account and sign the blinded coins
• Return the signed blinded coins
• Unblind the coins
• Pay by the coins
• Deposit the coins
• Check the validity of the coins and whether they have been spent and credit the account accordingly
• Confirm the deposit
• Ship goods or perform the service
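
The withdrawal, payment and deposit steps above, as an added example that is not part of the original deck. The slides only say "blind signature method", so the RSA-based blinding used here is an assumption, as are the toy unpadded bank key, the constructed account balances and the names Bank, withdraw_coin and coin_digest.

```python
import hashlib
import secrets
from math import gcd

# Toy bank RSA key, constructed for this example (Mersenne primes, unpadded).
# NOT secure; it only makes the arithmetic visible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def coin_digest(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.accounts = {"customer": 5, "merchant": 0}   # constructed balances
        self.spent = set()                               # serials already deposited
        self.seen_at_withdrawal = []                     # all the bank could log

    def sign_blinded(self, account: str, blinded: int) -> int:
        """Debit the account and sign the blinded coin."""
        if self.accounts[account] < 1:
            raise ValueError("insufficient funds")
        self.accounts[account] -= 1
        self.seen_at_withdrawal.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, account: str, serial: bytes, sig: int) -> str:
        """Check the signature, check for double spending, then credit."""
        if pow(sig, E, N) != coin_digest(serial):
            return "invalid signature"
        if serial in self.spent:
            return "already spent"
        self.spent.add(serial)
        self.accounts[account] += 1
        return "ok"

def withdraw_coin(bank: Bank, account: str):
    """Customer side: generate, blind, have signed, unblind."""
    serial = secrets.token_bytes(16)
    r = 0
    while r < 2 or gcd(r, N) != 1:            # blinding factor must be invertible
        r = secrets.randbelow(N)
    blinded = coin_digest(serial) * pow(r, E, N) % N
    signed_blinded = bank.sign_blinded(account, blinded)
    sig = signed_blinded * pow(r, -1, N) % N  # unblind: leaves digest^D mod N
    return serial, sig

def run_demo() -> dict:
    bank = Bank()
    serial, sig = withdraw_coin(bank, "customer")
    return {
        # The bank signed the coin without ever seeing its digest.
        "bank_saw_coin": coin_digest(serial) in bank.seen_at_withdrawal,
        "first_deposit": bank.deposit("merchant", serial, sig),
        "second_deposit": bank.deposit("merchant", serial, sig),
        "forged_deposit": bank.deposit("merchant", b"forged serial", sig),
        "accounts": dict(bank.accounts),
    }

if __name__ == "__main__":
    print(run_demo())
```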

Page 56: E Payments Class Feb 19


• A smart card is about the size of a credit card, made of plastic with an embedded microprocessor chip that holds important financial and personal information. The microprocessor chip is loaded with the relevant information and periodically recharged.

• In addition to these pieces of information, systems have been developed to store cash onto the chip. The

Page 57: E Payments Class Feb 19


• The money on the card is saved in an encrypted form and is protected by a password to ensure the security of the smart card solution. In order to pay via smart card it is necessary to introduce the card into a hardware terminal.

Page 58: E Payments Class Feb 19


• The device requires a special key from the issuing bank to start a money transfer in either direction. Smart cards can be disposable or rechargeable.

• A popular example of a disposable smart card is the one issued by telephone companies.

• After using the pre-specified amount, the card can be discarded.


Page 60: E Payments Class Feb 19


Schematic overview of a smart card

[Figure: A Smart Card. Microchip with mechanical contacts; blocks labelled CPU, RAM, ROM, EPROM and I/O]

Page 61: E Payments Class Feb 19


Internet Security
• Use data access control
• Fix Known Security Holes
• System Administrator’s Role
  – SATAN
  – NMap

• Computer Emergency Response Team (CERT)

Page 62: E Payments Class Feb 19


Data access control
• Controlling who has access
  – However, goal is often to attract not restrict visitors
• Authentication mechanisms

Class                     Examples
Personal memory           Name, account number, password
Possessed object          Plastic card, key, IP address
Personal characteristic   Fingerprint, eyeprint, signature

Page 63: E Payments Class Feb 19


Firewall
• A device placed between an organization’s network and the Internet
• Monitors and controls traffic between the Internet and Intranet
• Approaches
  – Restrict packets to those with designated IP addresses
  – Restrict access to applications

Page 64: E Payments Class Feb 19


Internet Security

Firewall Around Network

Page 65: E Payments Class Feb 19


Internet Security
• 4 Basic Firewall Actions
  – Packet can be dropped entirely
  – Alert network administrator
  – Return failed message to sender
  – Action can be logged only
• IP Spoofing