
Electronic Payment Gateway

Apr 14, 2018


Anvar Vh V H
  • 7/30/2019 Electronic Payment Gateway

    1/25

    ELECTRONIC PAYMENT GATEWAY

    PRESENTED BY

    SURUMI K K

    LENNY BABU

    A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar.

    It is the equivalent of a physical point of sale terminal located in most retail outlets.

    Payment gateways protect credit card details by encrypting sensitive information.

    1. How payment gateways work

    2. Security

    How payment gateways work

    A payment gateway facilitates the transfer of information between a payment portal and the Front End Processor or acquiring bank.

    When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction:

    1. A customer places an order on the website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.

    2. If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption.

    3. The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.

    4. The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.

    5. The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard).

    6. The credit card issuing bank receives the authorization request and does fraud and credit or debit checks and then sends a response back to the processor (via the same process as the request for authorization) with a response code [e.g. approved, denied].

    7. The processor forwards the authorization response to the payment gateway.

    8. The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the merchant and cardholder. This is known as the Authorization or "Auth

    9. The entire process typically takes 23 seconds.

    10. The merchant then fulfills the order and the above process is repeated, but this time to "Clear" the authorization by consummating the transaction.

    11. The merchant submits all their approved authorizations, in a "batch" (e.g. end of day), to their acquiring bank for settlement via its processor.

    12. The acquiring bank makes the batch settlement request of the credit card issuer.

    13. The credit card issuer makes a settlement payment to the acquiring bank (e.g. the next day).

    14. The acquiring bank subsequently deposits the total of the approved funds into the merchant's nominated account (e.g. the day after). This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.

    15. The entire process from authorization to settlement to funding typically takes 3 days.

    2. Security

    Since the customer is usually required to enter personal details, the entire communication of the 'Submit Order' page (i.e. customer - payment gateway) is often carried out through the HTTPS protocol.

    To validate the request of the payment page result, a signed request is often used, which is the result of a hash function in which the parameters of an application are confirmed by a secret word known only to the merchant and the payment gateway.

    To validate the request of the payment page result, sometimes the IP of the requesting server has to be verified.

    There is growing support by acquirers, issuers and subsequently by payment gateways for Virtual Payer Authentication (VPA), implemented as the 3-D Secure protocol, branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB, which adds an additional layer of security for online payments.

    3-D Secure promises to alleviate some of the problems facing online merchants, like the inherent distance between the seller and the buyer, and the inability of the first to easily confirm the identity of the second.
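
The signed-request check described above, as an added example that is not part of the original slides: the gateway signs the payment-result parameters with the shared secret word and the merchant recomputes the signature before trusting the result. HMAC-SHA256 as the keyed hash, the secret, the parameter names and the `sig` field are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Hypothetical shared secret ("secret word"), known only to merchant and gateway.
SECRET = b"constructed-demo-secret"

def canonical(params: dict) -> bytes:
    """Serialize parameters in sorted order so both sides hash identical bytes."""
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return urlencode(items).encode()

def sign(params: dict, secret: bytes = SECRET) -> str:
    """Keyed hash (HMAC-SHA256, an assumption) over the canonical parameters."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()

def verify(query: str, secret: bytes = SECRET) -> bool:
    """Merchant side: accept the payment result only if the signature matches."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):        # repeated parameter names are ambiguous
        return False
    sent = params.get("sig", "")
    expected = sign(params, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sent.encode(), expected.encode())

# Constructed sample: a payment-page result as the gateway would send it.
RESULT = {"order_id": "1001", "amount": "19.99", "status": "approved"}
GOOD = urlencode({**RESULT, "sig": sign(RESULT)})
TAMPERED = GOOD.replace("amount=19.99", "amount=0.01")

if __name__ == "__main__":
    print("genuine result accepted:", verify(GOOD))
    print("tampered amount accepted:", verify(TAMPERED))
```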

    a) SECURE SOCKET LAYER

    SSL can refer to:

    1. Computing and electronics

    2. Business

    3. Language

    4. Places

    5. Science

    6. Space sciences

    7. Sports

    8. Other

    Computing and electronics

    Secure Socket Layer, a protocol for encrypting information over the Internet

    Single stuck line, a fault model for digital circuits

    S/SL programming language

    RoboCup Small Size League

    Semi-supervised learning, a class of machine learning techniques

    Serato Scratch Live, a digital DJing tool

    Solid State Logic, a brand of audio mixing consoles

    Business

    Sasol, a company in South Africa, NYSE stock symbol SSL

    Solid State Logic, a manufacturer of mixing consoles and software for broadcast (Gravity)

    Space Systems/Loral (SS/L), a spacecraft manufacturer

    SSL International, a consumer healthcare manufacturer, owning brands like Durex and Scholl

    System Simulation Ltd, a software engineering company

    Language

    Selangor Sign Language, a sign language used in Malaysia

    Swedish Sign Language, a sign language used in Sweden

    Places

    South Salt Lake, Utah, a city in the US state of Utah

    Social Science Library, Oxford, the Oxford University departmental library for Social Sciences, on Manor Road.

    Science

    Sodium stearoyl lactylate, a food additive used as an emulsifier

    Solid-state lighting, a lighting technology that utilizes a cluster of LEDs

    Space sciences

    Space Sciences Laboratory, in Berkeley, California

    Space Systems Laboratory, at the University of Maryland, College Park, formerly at MIT

    Sports

    Swedish Super League, a floorball league in Sweden

    Other

    Saitama Seibu Lions, a professional baseball team in Japan's Pacific League

    Sesame Street Live, a touring version of the children's television show

    Standard sea level, the air conditions at sea level

    The sub-surface lines, cut-and-cover railway lines forming part of London Underground

    Student Service Learning

    b) Secure Electronic Transaction

    Secure Electronic Transaction

    Secure Electronic Transaction (SET) was a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET was not itself a payment system, but rather a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on an open network in a secure fashion. However, it failed to gain traction. VISA now promotes the 3-D Secure scheme.

    Contents

    1. History and development

    2. Key features

    3. Participants

    4. Transaction

    5. Dual signature

    History and development

    SET was developed by SETco, led by VISA and MasterCard (and involving other companies such as GTE, IBM, Microsoft, Netscape, RSA, Safelayer (formerly SET Projects) and VeriSign) starting in 1996.

    SET was based on X.509 certificates with several extensions. The first version was finalised in May 1997 and a pilot test was announced in July 1998.

    SET allowed parties to cryptographically identify themselves to each other and exchange information securely.

    SET used a blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number.

    If SET were used, the merchant itself would never have had to know the credit-card numbers being sent from the buyer, which would have provided verified good payment but protected customers and credit companies from fraud.

    SET was intended to become the de facto standard of payment method on the Internet between the merchants, the buyers, and the credit-card companies.

    Despite heavy publicity, it failed to win market share.

    Reasons for this include:

    Network effect - need to install client software (an e-wallet).

    Cost and complexity for merchants to offer support and comparatively low cost and simplicity of the existing SSL based alternative.

    Client-side certificate distribution logistics.

    Key features

    To meet the business requirements, SET incorporates the following features:

    Confidentiality of information

    Integrity of data

    Cardholder account authentication

    Merchant authentication

    Participants

    A SET system includes the following participants:

    Cardholder

    Merchant

    Issuer

    Acquirer

    Payment gateway

    Certification authority

    Transaction

    The sequence of events required for a transaction is as follows:

    The customer obtains a credit card account with a bank that supports electronic payment and SET

    The customer receives an X.509v3 digital certificate signed by the bank.

    Merchants have their own certificates

    The customer places an order

    The merchant sends a copy of its certificate so that the customer can verify that it's a valid store

    The order and payment are sent

    The merchant requests payment authorization

    The merchant confirms the order

    The merchant ships the goods or provides the service to the customer

    The merchant requests payment

    Dual signature

    An important innovation introduced in SET is the dual signature.

    The purpose of the dual signature is the same as the standard electronic signature: to guarantee the authentication and integrity of data.

    It links two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank.

    The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order.

    The link is needed so that the customer can prove that the payment is intended for this order.

    The message digests (MD) of the OI and the PI are independently calculated by the customer. The dual signature is the encrypted MD (with the customer's secret key) of the concatenated MDs of PI and OI.

    The dual signature is sent to both the merchant and the bank.

    The protocol arranges for the merchant to see the MD of the PI without seeing the PI itself, and the bank sees the MD of the OI but not the OI itself.

    The dual signature can be verified using the MD of the OI or PI. It doesn't require the OI or PI itself. Its MD does not reveal the content of the OI or PI, and thus privacy is preserved.
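
The dual signature described on these slides, as an added example that is not from the original presentation or the SET specification: the customer signs MD(MD(PI) || MD(OI)), and the merchant and the bank each verify it while holding only the digest of the message they are not meant to read. SHA-256 as the digest, the textbook RSA demo key (no padding, built from two Mersenne primes) and the sample OI/PI strings are assumptions constructed for the illustration.

```python
import hashlib

# Constructed demo key: textbook RSA without padding over two Mersenne primes.
# Illustration only; real systems use a vetted library and padded signatures.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # customer's private exponent

def md(data: bytes) -> bytes:
    """Message digest (SHA-256 assumed for this example)."""
    return hashlib.sha256(data).digest()

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Customer: sign the digest of the concatenated digests of PI and OI."""
    pomd = md(md(pi) + md(oi))
    return pow(int.from_bytes(pomd, "big"), D, N)

def check(sig: int, pimd: bytes, oimd: bytes) -> bool:
    """Recover the signed digest with the public key and compare."""
    expected = int.from_bytes(md(pimd + oimd), "big")
    return pow(sig, E, N) == expected

def merchant_verify(sig: int, oi: bytes, pimd: bytes) -> bool:
    """Merchant holds the OI and only the digest of the PI."""
    return check(sig, pimd, md(oi))

def bank_verify(sig: int, pi: bytes, oimd: bytes) -> bool:
    """Bank holds the PI and only the digest of the OI."""
    return check(sig, md(pi), oimd)

# Constructed sample messages (the card number is a well-known test value).
OI = b"order=1001;item=book;qty=1"
PI = b"card=4111111111111111;amount=19.99"
SIG = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(SIG, OI, md(PI)))
    print("bank accepts:", bank_verify(SIG, PI, md(OI)))
    # A payment presented against a different order fails at the bank.
    print("swapped order accepted:", bank_verify(SIG, PI, md(b"order=9999")))
```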

    THANK YOU

    The End