Page 1: Internet payment systems Varna Free University E-BUSINESS Prof. Teodora Bakardjieva

Internet payment systems

Varna Free University

E-BUSINESS

Prof. Teodora Bakardjieva


27 Sept. 99 2

Outline

• Introduction

• Issues related

• Security

• Outstanding protocols

• Mechanisms

• Advantages and disadvantages

• Conclusion


Introduction

• In the past year, the number of users reachable through the Internet has increased dramatically

• Potential to establish a new kind of open marketplace for goods and services


Introduction (cont)

• Online shops on the Internet
– Bookshop (Amazon.com)
– Flight reservation and hotel reservation
– Shopping place, etc.

• An effective payment mechanism is needed


Issues related

• Security

• Performance

• Reliability

• Efficiency

• Bandwidth

• Anonymity (mainly in electronic coins)


Security

• Internet is not a secure place

• There are attacks from:
– eavesdropping
– masquerading
– message tampering
– replay


How to solve?

• RSA public key cryptography is widely used for authentication and encryption in the computer industry

• Using public/private (asymmetric) key pair or symmetric session key to prevent eavesdropping


How to solve? (cont)

• Using message digest to prevent message tampering

• Using nonce to prevent replay

• Using digital certificate to prevent masquerading


Outstanding protocols

• Credit card based
– Secure Electronic Transaction (SET)
– Secure Socket Layer (SSL)

• Electronic coins
– DigiCash
– NetCash


Credit-card based systems

• Parties involved: cardholder, merchant, issuer, acquirer and payment gateway

• The user's credit-card number is transferred to the merchant over an insecure network

• A trusted third party is needed to authenticate the public key


Secure Electronic Transaction (SET)

• Developed by VISA and MasterCard

• To facilitate secure payment card transactions over the Internet

• Digital Certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity

• It is the most secure payment protocol


Framework

(Diagram) Parties: Card Holder, Merchant, Payment Gateway, Card Issuer, Financial Network. Links are labelled SET and Non-SET.


Payment processes

• The messages needed to perform a complete purchase transaction usually include:
– Initialization (PInitReq/PInitRes)
– Purchase order (PReq/PRes)
– Authorization (AuthReq/AuthRes)
– Capture of payment (CapReq/CapRes)


Typical SET Purchase Transaction

(Diagram) Parties: Cardholder, Merchant, Payment Gateway. Message sequence: PInitReq, PInitRes, PReq, PRes, AuthReq, AuthRes, CapReq, CapRes.


Initialization

Cardholder -> Merchant: PInitReq: {BrandID, LID_C, Chall_C}

Merchant -> Cardholder: PInitRes: {TransID, Date, Chall_C, Chall_M}SigM, CA, CM


Purchase order

Cardholder -> Merchant: PReq: {OI, PI}

Merchant -> Cardholder: PRes: {TransID, [Results], Chall_C}SigM


Authorization

Merchant -> Acquirer: {{AuthReq}SigM}PKA

Acquirer -> Merchant: {{AuthRes}SigA}PKM

Acquirer <-> Issuer: existing financial network


Capture of payment

Merchant -> Acquirer: CapReq, CapToken

Acquirer -> Merchant: {{CapRes}SigA}PKM

Acquirer <-> Issuer: clearing over the existing financial network
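The initialization and purchase-order exchange above, as an added example (not from the slides or from the SET specification): a toy RSA key with tiny primes stands in for the merchant's certified key CM, Date is today's date, and PReq/OI/PI and the acquirer leg (AuthReq/AuthRes, CapReq/CapRes) are not modelled. The cardholder-side checks show how the echoed Chall_C defeats replay and the signed digest defeats tampering, the mechanisms listed under "How to solve?".

```python
import hashlib
import secrets
from datetime import date

# Toy RSA merchant key (constructed, tiny primes: illustration only, not secure).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # merchant private exponent

def digest(fields: tuple) -> int:
    """Message digest over the ordered fields (tampering changes it); reduced mod N for the toy key."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, fields)).encode()).digest(), "big") % N

def sig_m(fields: tuple) -> int:             # SigM: merchant signs the digest with its private key
    return pow(digest(fields), D, N)

def verify_sig_m(fields: tuple, sig: int) -> bool:   # checked with the public key taken from CM
    return pow(sig, E, N) == digest(fields)

class Merchant:
    def __init__(self):
        self.open = {}                       # TransID -> (Chall_C, Chall_M)

    def pinit_res(self, req: dict) -> dict:
        """PInitRes: fresh TransID and Chall_M, echo of the cardholder's Chall_C, all signed."""
        trans_id, chall_m = secrets.token_hex(8), secrets.token_hex(16)
        self.open[trans_id] = (req["Chall_C"], chall_m)
        body = (trans_id, date.today().isoformat(), req["Chall_C"], chall_m)
        return {"TransID": body[0], "Date": body[1], "Chall_C": body[2],
                "Chall_M": body[3], "SigM": sig_m(body)}

    def p_res(self, trans_id: str, results: str) -> dict:
        # PRes: result of the purchase order, bound to TransID and the original Chall_C
        body = (trans_id, results, self.open[trans_id][0])
        return {"TransID": trans_id, "Results": results, "Chall_C": body[2], "SigM": sig_m(body)}

class Cardholder:
    def __init__(self, brand: str = "VISA"):
        self.brand, self.lid_c, self.chall_c = brand, secrets.token_hex(4), secrets.token_hex(16)

    def pinit_req(self) -> dict:
        return {"BrandID": self.brand, "LID_C": self.lid_c, "Chall_C": self.chall_c}

    def check_pinit_res(self, res: dict) -> bool:
        """Accept only if our own fresh Chall_C came back (no replay) under a valid SigM."""
        body = (res["TransID"], res["Date"], res["Chall_C"], res["Chall_M"])
        return res["Chall_C"] == self.chall_c and verify_sig_m(body, res["SigM"])

    def check_p_res(self, res: dict, trans_id: str) -> bool:
        body = (res["TransID"], res["Results"], res["Chall_C"])
        return res["TransID"] == trans_id and res["Chall_C"] == self.chall_c and verify_sig_m(body, res["SigM"])
```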


Advantages

• It is secure enough to protect user's credit-card numbers and personal information from attacks

• Hardware independent

• World-wide usage


Disadvantages

• User must have credit card

• No transfer of funds between users

• It is not cost-effective when the payment is small

• No anonymity; transactions are traceable


Electronic cash/coins

• Parties involved: client, merchant and bank

• Client must have an account in the bank

• Lighter security and encryption

• Suitable for small payments, but not for large payments


DigiCash (E-cash)

• A fully anonymous electronic cash system

• Using blind signature technique

• Parties involved: bank, buyer and merchant

• Using RSA public-key cryptography

• Special client and merchant software are needed


Withdrawing Ecash coins

• User's cyberwallet software calculates how many digital coins are needed to withdraw the requested amount

• The software then generates random serial numbers for those coins

• The serial numbers are blinded by multiplying them by a random factor


Withdrawing Ecash coins (cont)

• Blinded coins are packaged into a message, digitally signed with user's private key, encrypted with the bank's public key, then sent to the bank

• When the bank receives the message, it checks the signature

• After signing the blind coins, the bank returns them to the user


Spending Ecash
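The withdrawal steps on the two preceding slides and the spending step, as an added example (not from the slides or from DigiCash): a toy RSA bank key with tiny primes is assumed, one key represents one coin value, and the user's own signature and encryption of the withdrawal request are not modelled. Blinding uses the standard RSA form serial * r^E, which is the "random factor" the slide refers to, and the deposit step keeps the used-serial database that the later Disadvantages slide mentions.

```python
import secrets
from math import gcd

# Toy RSA bank key (constructed, tiny primes: illustration only, not secure).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # bank private exponent; one key = one coin value

def blind(serial: int) -> tuple:
    """Cyberwallet side: hide the coin's serial number behind a random factor r.
    The bank is handed serial * r^E mod N and learns nothing about serial."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:                # r must be invertible mod N to unblind later
            return (serial * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank side: an ordinary RSA signature on the blinded value it was handed
    (checking the user's signature and debiting the account are not modelled)."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Cyberwallet side: divide out r; what remains is the bank's signature on serial."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify_coin(serial: int, sig: int) -> bool:
    """Merchant or bank: the coin is valid iff sig^E == serial under the bank's public key."""
    return pow(sig, E, N) == serial % N

SPENT_SERIALS = set()                    # bank's database of serial numbers already deposited

def deposit(serial: int, sig: int) -> str:
    """Merchant forwards a received coin; the bank rejects forgeries and double spending."""
    if not verify_coin(serial, sig):
        return "rejected: bad signature"
    if serial in SPENT_SERIALS:
        return "rejected: double spend"
    SPENT_SERIALS.add(serial)
    return "accepted"

def withdraw_and_spend_twice() -> tuple:
    """One coin: withdraw it (blind, bank signs, unblind), then try to deposit it twice."""
    serial = secrets.randbelow(N)        # coin serial number chosen by the wallet
    blinded, r = blind(serial)
    coin_sig = unblind(bank_sign(blinded), r)
    return deposit(serial, coin_sig), deposit(serial, coin_sig)
```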


Advantages

• Cost-effective for small payments

• A user can transfer his electronic coins to another user

• No need to apply for a credit card

• Anonymous

• Hardware independent


Disadvantages

• It is not suitable for large payments because of its lower security

• The client must use wallet software to store the coins withdrawn from the bank

• A large database is needed to store used serial numbers in order to prevent double spending


Comparisons

• SET
– uses credit cards
– 5 parties involved
– not anonymous
– large and small payments

• Ecash
– uses e-coins
– 3 parties involved
– anonymous nature
– a large database is needed to log used serial numbers
– small payments


Conclusions

• An effective, secure and reliable Internet payment system is needed

• Depending on the payment amount, different levels of security are used

• SET protocol is an outstanding payment protocol for secure electronic commerce