14-1 E-commerce Support Systems Electronic payments –Electronic checks –Electronic credit cards –Virtual credit cards –Purchasing cards –Electronic cash.

14-1

E-commerce Support Systems

• Electronic payments– Electronic checks– Electronic credit cards– Virtual credit cards– Purchasing cards– Electronic cash

o Stored value money cardso Smart cards with microprocessorso Person-to-person payments

– Payment of bills online

14-2

Security in Electronic Payments

Authentication of all partiesProtection of data from alteration

or destruction during transmissionProtection from buyer’s unjustified

repudiationPrivacyCustomer safetyProtection of information at seller’s

end

14-3

Order Fulfillment in Electronic Commerce

Provide customers with ordered goodsGoods must be quickly packaged,

shipped, and deliveredPayment collection system must be in

forceHandle the return of unwanted or

defective merchandiseCustomer relations

4

E-payment systems

• To transfer money over the Internet• Methods of traditional payment

– Check, credit card, or cash• Methods of electronic payment

– Electronic cash, software wallets, smart cards, and credit/debit cards

– Scrip is digital cash minted by third-party organizations

5

Requirements for e-payments

• Atomicity– Money is not lost or created during a transfer

• Good atomicity– Money and good are exchanged atomically

• Non-repudiation– No party can deny its role in the transaction– Digital signatures

6

Desirable Properties of Digital Money

• Universally accepted• Transferable electronically• Divisible• Non-forgeable, non-stealable• Private (no one except parties know the

amount)• Anonymous (no one can identify the payer)• Work off-line (no on-line verification needed)

No known system satisfies all.

7

Types of E-payments

• E-cash• Electronic wallets• Smart card• Credit card

8

Smart Cards

A smart card:• can store data (e.g. profiles, balances,

personal data) • provides cryptographic services (e.g.

authentication, confidentiality, integrity)• is a microcomputer• is small and personal• is a secure device

9

Smart Card Applications

• Communication

• Retail• Transportation• Health care

• Government• E-commerce• E-banking• Education• Office

10

• Retail– Sale of goods

using Electronic Purses, Credit / Debit

– Vending machines– Loyalty programs– Tags & smart labels

• E-commerce– sale of information– sale of products– sale of tickets,

reservations

• E-banking– access to accounts– to do transactions– shares

11

What’s inside a smart card ?

CPU

RAM

test logic

ROM

EEPROMserial I/Ointerface

security logic

Databus databus:

connection between elements of the chip

8 or 16 bits wide

12

Advantages and Disadvantages of Smart Cards

• Advantages:1. Atomic, debt-free transactions2. Feasible for very small transactions (information

commerce)3. (Potentially) anonymous4. Security of physical storage5. (Potentially) currency-neutral

• Disadvantages:1. Low maximum transaction limit (not suitable for B2B or

most B2C)2. High Infrastructure costs (not suitable for C2C)3. Single physical point of failure (the card)4. Not (yet) widely used

13

Processing a Payment Card Order

14

Open and Closed Loop Systems

Closed loop systems– Banks and other financial institutions serve as

brokers between card users and merchants -- no other institution is involved

– American Express and Discover are examples Open loop systems

– Transaction is processed by third party– Visa and MasterCard are examples

15

Payment Acceptance and Processing

Merchants must set up merchant accounts to accept payment cards

Law prohibits charging payment card until merchandise is shipped

Payment card transaction requires:– Merchant to authenticate payment card– Merchant must check with card issuer to ensure

funds are available and to put hold on funds needed to make current charge

– Settlement occurs in a few days when funds travel through banking system into merchant’s account

16

Setting Up Merchant Account

Merchant bank– Also called acquiring bank– Does business with merchants that want to accept

payment cards– Merchant receives account where they deposit card

sales totals– Value of sales slips is credited to merchant’s account

17

Processing Payment Cards Online

Can be done automatically by software packaged with electronic commerce software

Can contract with third party to handle payment card processing– Can also pick, pack, and ship products to the

customer– Allows merchant to focus on web presence and

supply availability

18

Payment Processing Services

Internetsecure– Provides secure credit card payment services– Supports payments with Visa and MasterCard– Provides risk management and fraud detection, and

ensures all proper security for credit card transactions is maintained

– Ensures all transactions are properly credited to merchant’s account

Other services are: Tellan, IC Verify, Authorize.Net

19

Credit Cards

Credit card– Used for the majority of Internet purchases– Has a preset spending limit– Currently most convenient method – Most expensive e-payment mechanism

o MasterCard: $0.29 + 2% of transaction value– Disadvantages

o Does not work for small amount (too expensive)o Does not work for large amount (too expensive)

Charge card– No spending limit– Entire amount charged due at end of billing period

20

Credit Card Processing

21

PPI-Payment Processing Inc.

Outsource the installation of all payment modules without any expense to you and receive complimentary approved transaction software.

Provide a complete suite of electronic payment solutions including payment cards (debit, credit, stored value), ACH and check guarantee services – customized for your merchant’s needs.

Support your existing payment solution and work with you to integrate new customized payment solutions.

PPI works with over 400 software partners to provide integrated transaction processing for face-to-face and remote merchants in industries as diverse as grocery, utilities, storage facilities, retail and healthcare among many others.You can use PPI to

22

Secure Electronic Transaction (SET) Protocol

Jointly designed by MasterCard and Visa with backing of Microsoft, Netscape, IBM, GTE, SAIC, and others

Designed to provide security for card payments as they travel on the Internet– Contrasted with Secure Socket Layers (SSL) protocol, SET

validates consumers and merchants in addition to providing secure transmission

SET specification– to protect Internet credit card transactions– open encryption & security specification– Uses public key cryptography and digital certificates for

validating both consumers and merchants– Provides privacy, data integrity, user and merchant

authentication, and consumer nonrepudiation

23

The SET protocol

The SET protocol coordinates the activities of the customer, merchant, merchant’s bank, and card issuer. [Source: Stein]

24

SET Payment Transactions

1. customer opens account2. customer receives a certificate - Consumer makes purchase

by sending encrypted financial information along with digital certificate

3. merchants have their own certificates - Merchant’s website transfers the information to a payment card processing center while a Certification Authority certifies digital certificate belongs to sender

4. customer places an order5. merchant is verified6. order and payment are sent - Payment card-processing

center routes transaction to credit card issuer for approval7. merchant requests payment authorization8. merchant confirms order9. merchant provides goods or service - Merchant receives

approval and credit card is charged10. merchant requests payment-Merchant ships merchandise

and adds transaction amount for deposit into merchant’s account

SET-protected payments work like this:

25

SET Components

26

SET uses a hierarchy of trust

All parties hold certificates signed directly or indirectly by a certifying authority

27

SET Protocol Extremely secure

– Fraud reduced since all parties are authenticated– Requires all parties to have certificates

80 percent of SET activities are in Europe and Asian countries

not a payment system, rather a set of security protocols & formats

Problems with SET– Not easy to implement– Not as inexpensive as expected– Expensive to integrated with legacy applications– Not tried and tested, and often not needed– Scalability is still in question

28

What is Secure Socket Layer ?

Secure Socket Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet.

The SSL Security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

SSL is built into all major browsers and web servers.

Allows an SSL-enabled server to authenticate itself to an SSL-enabled client;

Allows to the server; the client to authenticate itself

Allows both machines to establish an encrypted connection.

An encrypted SSL connection or Confidentiality. This protects against electronic eavesdropper.

Integrity. This protects against hackers.

What is Secure Socket Layer ?

30

What is SSL? (cont’d)

Both Netscape Navigator and Internet Explorer support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers.

The primary goal of SSL is to provide privacy and reliability between two communicating applications.

The exchange of messages facilitates the following actions:

Authenticate the server to the client; Allows the client and server to select

a cipher that they both support; Optionally authenticate the client to

the server; Use public-key encryption techniques

to generate share secrets; Establish an encrypted SSL connection

What Does SSL Concern?

32

Payment Gateway Authorization

1. verifies all certificates2. decrypts digital envelope of authorization

block to obtain symmetric key & then decrypts authorization block

3. verifies merchant's signature on authorization block

4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block

5. verifies dual signature on payment block6. verifies that transaction ID received from

merchant matches that in PI received (indirectly) from customer

7. requests & receives an authorization from issuer

8. sends authorization response back to merchant