Lesson 18 Electronic Payment Systems

Overview
• Data Transaction Systems
• Securing the Transaction
• Real World Examples

Data Transaction Systems
• Stored Account Systems
  – Modeled after existing electronic payment systems such as credit/debit card transactions
  – New way of shifting funds electronically over the internet (Paving Cow Paths)
• Stored Value Payment Systems
  – Use bearer certificates much like hard cash
  – Bearer certificates reside within PCs or smart cards

Stored Account Systems
• Uses existing infrastructure for transactions
• Actual monetary value never leaves bank
• Accounting in the future through clearing houses and settlement systems
• Hallmarks are:
  – High accountability
  – Traceability

Stored Account Systems (2)
• Payment systems have defined their own secure technologies
• 1995: $13 trillion, in 3 billion transactions by 4 clearing houses
• Fed Reserve Fedwire transfers $1 trillion/day
• Fraud exists now but risk management models in place

Stored Account Systems (3)
• Protocols for supporting credit card types of transactions have been defined and implemented for E-commerce
  – First Virtual’s Internet Payment System
  – CyberCash’s Secure Internet Payment System
  – Secure Electronic Transaction (SET)
• Many new technologies emerge daily
• Security and convenience will rule the market place--it’s a balancing act

Stored Value Payment Systems (SVPS)
• Attempts to replace cash with electronic equivalent... E-Cash
  – No More Cow Paths
• Instantaneous transfer of value, does not require bank approval
• Security stakes are much higher than stored account systems
• Attributes: absence of control and auditing

SVPS (2)
• Possible to counterfeit E-Cash
• Typically used in small-value transactions
  – Small-value transaction market = $8 trillion
• Lack of privacy bothers some
• Finding new cow paths not easy

SVPS (3)
• Author says: “most exciting, innovative, and risky forms of accepting payment”
• Replaces currency with digital equivalent
• Value placed directly on hardware tokens such as PCs or Smart Cards
• Goal: have the advantages of hard currency systems over an electronic medium

Attributes of Hard Currency
ADVANTAGES
• Not easily traceable
• Instantaneous payment
• No bank interference
DISADVANTAGES
• Costly to transport
• Costly to protect
• Easily lost or stolen
• Can be forged
• Parties must be in close proximity to exchange

SVPS Pros/Cons
Pros
• Instantaneous (no approval needed)
• Potentially Anonymous (traceability hard)
• Supports low-value payment
Cons
• Secret key from one can be used for many
• Secret key extraction makes counterfeit money indistinguishable for E-Cash
• SVPS must strike balance between privacy and tracking illicit activity

How E-Cash Works
• E-Cash stored in an electronic device, called a hardware token
  – Secure processor and non-volatile memory
• Consumers load money into token
  – Token’s value counter is incremented
  – Or value loaded as register-based cash & electronic coins
• Payment can be made on-line or off-line

E-Cash Online Payment
• Purchaser deals directly with seller’s hardware token device
• Bank must be an intermediary
  – Allows for traceability
• The H/W devices must be interoperable

Off-line Payment
• Buyer’s H/W token interfaces with seller’s device
  – IR, dial-up modem, or the Internet
• Seller’s device increases by transaction amount
• Buyer’s device decreases by transaction amount
• Safeguards needed to prevent “counter” malfunction
• E-Cash ultimately must be sold back to issuing bank

E-Cash Representation
• A value stored in a counter of a H/W token (aka register-based)
• Form of cryptographic tokens called electronic coins
Register Based
  Basic unit = 1 cent
  Token cntr = 10000
  Token value = $100.00
E-Coin System (“A Purse”)
  Cents = count + digital signature
  $ = count + digital signature
  $5 = count + digital signature
  Token value is sum of all

Securing E-Cash
• Security concerns for SVPS >> SAPS
  – Main reason: lack of traceability; fraud potential
• Main concern: potential to illegally add value to the H/W token
• Physical attacks on H/W token
• Protocol-based attack that mimics a paying device

Physical Attacks
Physical
• An attempt to alter non-volatile memory
  – Device needs to be shielded so it’s tamper resistant
  – or device needs to be tamper evident

Protocol Attacks
Protocol
• Device counter illegally incremented by “fake” paying device
  – Secure authentication needed to ensure “fakes” don’t work
  – Best way is for both devices to share a symmetric cryptographic key
  – All devices do not use a master key
  – Secret key = master key + device unique ID

Protocol Attacks (2)
• Key must be resistant to replay attacks
  – Wiretap captures key and “replays” the session
  – Challenge/Response systems can thwart replay attacks
• Gives motive for the token bearer to recover secret key
  – Greed is a powerful sin
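
The per-device key and challenge/response ideas from the two Protocol Attacks slides, as an added example that is not part of the original lesson. It assumes HMAC-SHA256 for both the "master key + device unique ID" derivation and the response, and that the receiving token keeps the master key in tamper-resistant memory; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Slide's 'secret key = master key + device unique ID' (assumed: HMAC-SHA256)."""
    return hmac.new(master_key, b"device-key|" + device_id, hashlib.sha256).digest()


def _mac(key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    # The response covers the challenge and the amount, so neither can be swapped.
    msg = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class PayingDevice:
    """Hypothetical paying device: holds only its own diversified key."""

    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id, self._key = device_id, device_key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return _mac(self._key, challenge, amount_cents)


class ReceivingToken:
    """Hypothetical register-based token (assumed to hold the master key)."""

    def __init__(self, master_key: bytes):
        self._master, self._pending, self.counter_cents = master_key, None, 0

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh nonce for every load
        return self._pending

    def credit(self, device_id: bytes, amount_cents: int, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # a challenge is single-use
        if challenge is None or not 0 < amount_cents < 2**63:
            return False
        key = derive_device_key(self._master, device_id)
        if not hmac.compare_digest(_mac(key, challenge, amount_cents), response):
            return False
        self.counter_cents += amount_cents
        return True


def demo():
    master = secrets.token_bytes(32)   # constructed sample master key
    payer_id = b"PAYER-0001"           # constructed device ID
    payer = PayingDevice(payer_id, derive_device_key(master, payer_id))
    token = ReceivingToken(master)

    captured = payer.respond(token.new_challenge(), 2500)
    genuine = token.credit(payer_id, 2500, captured)
    token.new_challenge()
    replayed = token.credit(payer_id, 2500, captured)  # old response, new challenge
    fake = PayingDevice(payer_id, secrets.token_bytes(32))  # lacks the real key
    forged = token.credit(payer_id, 2500, fake.respond(token.new_challenge(), 2500))
    signed_for_25 = payer.respond(token.new_challenge(), 2500)
    inflated = token.credit(payer_id, 250000, signed_for_25)  # amount altered
    return genuine, replayed, forged, inflated, token.counter_cents
```

Only the genuine load changes the counter. In this symmetric design any token that can verify a response can also compute one, which is the key-recovery motive the slide points out.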

Alternative Approach
• PKE is an alternative
  – Compromise of public key will not allow reconstruction of secret key
  – Response to challenge is digital signature
• Disadvantage is that token cannot contain public keys for all paying devices
• Advantage is ability to prove that accumulated value is legit
  – Digital signatures from paying devices authorize the accumulated values

Securing the Transaction: Web Protocols
• SSL: provides secure channel between Web clients and Web servers
  – Layered approach--remember protocol stack
  – Secures channel by providing end-to-end encryption of the data
  – Prevents “easy” packet sniffing
• S-HTTP: application level protocol

Protocol and Security: SSL
[Diagram: two protocol stacks. NOT SECURE: HTTP over TCP over IP. SECURE: HTTP, FTP, SMTP over SSL over TCP over IP.]

Protocol and Security: SHTTP
[Diagram: two protocol stacks. NOT SECURE: HTTP, TCP, IP. SECURE: HTTP, TCP, IP plus a “Security” block.]

Securing the Transaction (2)
• Certificate Authority (CA)
  – Endorses identity of the Web server (or user)
  – No assurance of the quality of Web content
  – Users implicitly trust any sites that come loaded in their browser
The Little Yellow Lock = Warm Fuzzy

Secure Payment Protocols (SPP) vs Web Protocols
• SPPs provide a method to assure a merchant’s payment
• SPPs provide consumers assurance of credit card confidentiality
• Web protocols (like SSL) leave payment details up to the merchant
• Web protocols do not assure merchant will safeguard credit card number

Real World Examples
• First Virtual
• CyberCash
• Secure Electronic Transactions (SET)
• Others

First Virtual (FV)
• WWW.fv.com--circa 1994
• Does not use cryptography or secure communications
• Based on exchange of email messages and customer honesty
• Protocol is simple
• 1996: 180,000 buyers, 2650 merchants

FV IN ACTION (1)
[Diagram: message flow between Customer, FV Merchant, and First Value]
0. FV Merchant Setup
1. Establish acct-$2 with VISA/MC
2. Virtual PIN
3. Request Product
4. Send VPIN?
5. VPIN SENT
6. VPIN, Transaction via email

FV IN ACTION (2)
[Diagram: message flow between Customer, FV Merchant, and First Value, SEVERAL DAYS LATER]
1. Transaction Confirmation?
2. Yes, No, Fraud
3. MC/VISA Charge
3. Or Return product

CyberCash
• CyberCash is downloadable application software
• Consumers must generate public/private key pair based on RSA encryption technology
• Merchants must also install CyberCash Library
• Software free to stimulate acceptance
• Future: could be integrated into browsers
• More to come… CyberCoin and E-Cash solution

CyberCash (2)
• Uses Cryptography to protect transaction data during a purchase (does not use SSL)
• Provides a secure protocol for credit card purchases over the internet
• Uses existing back-end credit card infrastructure for settling payment
• Payment details of credit card transaction are specified and implemented in the protocol

CyberCash (3): Merchant’s Perspective
• There is no separate back-office system for batch processing card transactions
• Payment assured for each transaction before product sold
  – Much like point-of-sale (POS) credit card transactions in physical stores

CyberCash (4)
• Credit card number is protected--even from merchants
• Card number encrypted with CyberCash public key
• Only consumer, CyberCash and bank see the credit card number

CYBERCASH IN ACTION
[Diagram: message flow between Customer, Merchant, CYBERCASH, and two banks]
1. Register Credit Card
2. Go E-Shopping, Request Product
3. Invoice Sent
4a. Select CyberCash Pay button in browser
4b. Select Credit card from E-wallet
4c. Encrypt payment info with CyberCash Public Key
4d. Digitally Sign Payment info
5. Send Payment Info
6a. Strip Order Form
6b. Digitally Sign Info

CYBERCASH IN ACTION
[Diagram: message flow between Customer, Merchant, CYBERCASH, BANK, and Card Holder BANK, linked through Bank EDI]
2. Go E-Shopping, Request Product
3. Invoice Sent
5. Send Payment Info
7. Transmit Payment info
8. Decrypt payment info & verify signatures
9. Brokering (shown on two links in the diagram)
10. Approval/Deny
20 SECONDS TOTAL

Secure Electronic Transaction (SET)
• SET is an emerging open standard for secure credit card payments over the internet
• Created by Mastercard and Visa
• Specifies the mechanism for securely processing internet-based credit card orders
• Does not specify the implementation
• Does not specify the shopping or order process for ordering goods, payment selection, and the platform or security procedures

SET Security Assurances
• Confidentiality -- secures payment info
• Data integrity -- uses digital signatures
• Client Authentication -- uses digital certificates: identity plus public key
• Merchant authentication -- uses digital certificate

SET Steps
1. The customer opens an account with a certificate authority.
2. An issuing authority, like a bank, issues a digital certificate authenticating a customer.
3. Other third-party merchants also receive their digital certificate when they open their transaction accounts.
4. The customer places an order.

SET Steps
5. Customer verifies the merchant’s digital certificate.
6. Customer sends encrypted purchase details.
7. When the merchant receives the order, the customer’s own digital certificate is checked for authenticity as well.

SET Steps
8. The merchant then returns its own certificate, order details, customer payment information, and the bank’s digital certificate back to the bank to be used to authenticate the transaction.
9. The bank will then verify the merchant certificate and order information.
10. The bank will digitally sign and return an authorization back to the merchant.
11. When these transactions are finished, the order is completed.

SET IN ACTION
[Diagram: message flow between Customer, Merchant, and BANK]
1. Merchant receives Digital Certificate
2. Buyer Opens Acct
3. Buyer receives Digital Certificate
4. Place Order
5. Merchant Certificate Sent
6. Send encrypted purchase details w/ Certificate
7. Sends order to Bank w/ customer payment info & digital certificate

SET IN ACTION
[Diagram: message flow between Buyer, Merchant, and BANK]
2. Buyer Opens Acct
3. Buyer receives Digital Certificate
4. Place Order
5. Merchant Certificate Sent
6. Send encrypted purchase details w/ Certificate
7. Sends order to Bank w/ customer payment info & digital certificate
8. Bank verifies merchant certificate and order info
9. Bank digitally signs & sends auth to merchant
10. ORDER COMPLETE

SET Summary
• Large industry backing
• Supports credit card transactions on-line
• Does not support debit card payments
• Does not address stored-value payment solutions
• Does not use SSL, but it could
• Implementations:
  – CyberCash
  – RSA Data Security’s S/PAY

Other Examples
• DigiCash’s e-cash: stored-value cryptographic coin system
• CyberCoin--CyberCash’s payment system for on-line commerce
  – Designed for small-value payments
• Smart Cards
  – Conditional Access for Europe (CAFÉ)
  – Mondex
  – Visa Cash

Summary
• Data Transaction Systems
  – Stored Account Systems
  – Stored Value Payment Systems
• Securing the Transaction
  – SSL, S-HTTP and Secure Payment Protocols (SPP)
• Real World Examples
  – FV, CyberCash, SET, E-Cash, and others