1

Describe typical electronic payment systems

for EC
Identify the security requirements for safe
electronic payments
Describe the typical security schemes used to
meet the security requirements
Identify the players and procedures of the
electronic credit card system on the Internet
Discuss the relationship between SSL and SET
protocols

Discuss the relationship between

electronic fund transfer and debit card
Describe the characteristics of a stored
value card
Classify and describe the types of IC cards
used for payments
Discuss the characteristics of electronic
check systems

A part of SSL (Secure Socket Layer) is

available on customers browsers

it is basically an encryption mechanism for order

taking, queries and other applications

it does not protect against all security hazards
it is mature, simple, and widely use

SET ( Secure Electronic Transaction) is a

very comprehensive security protocol
it provides for privacy, authenticity, integrity, and,

or repudiation (penolakan)
it is used very infrequently due to its complexity
and the need for a special card reader by the user
it may be abandoned if it is not simplified/improved

SET Protocol is for Credit Card Payments

Electronic Cash and Micropayments

Electronic Fund Transfer on the Internet

Stored Value Cards and Electronic Cash

Electronic Check Systems

Security requirements
Authentication: A way to verify the buyers identity
before payments are made

Integrity: Ensuring that information will not be

accidentally or maliciously altered or destroyed,
usually during transmission

Encryption: A process of making messages

indecipherable except by those who have an
authorized decryption key

Non-repudiation: Merchants need protection

against the customers unjustifiable denial of placed
orders, and customers need protection against the
merchants unjustifiable denial of past payment

Secret Key Cryptography (symmetric)

Keysender (= Keyreceiver)

Original
Message
Sender

Scrambled
Message
Encryption

Internet

Keyreceiver
Scrambled
Message

Original
Message

Decryption Receiver

Public Key Cryptography

Public Keyreceiver

Message

Original
Message

Scrambled
Message

Private Keyreceiver
Internet

Scrambled
Message

Sender

Receiver

Private Keysender
Digital
Original
Signature Message
Sender

Original
Message

Scrambled
Message

Public Keysender
Internet

Scrambled
Message

Original
Message

Receiver

Digital Signature
Analogous to handwritten signature
Sender encrypts
a message with
her private key
A digital signature is
attached by a sender
to a message
encrypted in the
receivers public key

Any receiver with

senders public key
can read it
The receiver is the only
one that can read the
message and at the same
time he is assured that
the message was indeed
sent by the sender

Certificate

Identifying the holder of a public key (KeyExchange)

Issued by a trusted certificate authority (CA)
Name : Richard
key-Exchange Key :
Signature Key :
Serial # : 29483756
Other Data : 10236283025273
Expires : 6/18/96
Signed : CAs Signature

Certificate Authority - e.g. VeriSign

Public or private, comes in levels (hierarchy)

A trusted third party services
Issuer of digital certificates
Verifying that a public key indeed belongs to a
certain individual
RCA
BCA
GCA

CCA

RCA : Root Certificate Authority

BCA : Brand Certificate Authority
GCA : Geo-political Certificate Authority
CCA : Cardholder Certificate Authority
MCA : Merchant Certificate Authority
PCA : Payment Gateway
Certificate Authority

MCA
PCA
Hierarchy of Certificate Authorities

Certificate authority needs to be verified by a government or well trusted entity ( e.g., post office)

The Players
Cardholder
Merchant (seller)
Issuer (your bank)
Acquirer (merchants financial institution,
acquires the sales slips)
Brand (VISA, Master Card)

The process of using credit cards offline

A cardholder requests the issuance of a

card brand (like Visa and MasterCard)
to an issuer bank in which the
cardholder may have an account.
A plastic card is physically delivered
to the customers address by mail.
The cardholder shows the card to a
merchant to pay a requested
amount. Then the merchant asks
for approval from the brand
company.
The acquirer bank requests the
issuer bank to pay for the credit
amount.

The authorization of card issuance

by the issuer bank, or its designated
brand company, may require
customers physical visit to an office.
The card can be in effect as the
cardholder calls the bank for
initiation and signs on the back of
the card.
Upon the approval, the merchant
requests payment to the merchants
acquirer bank, and pays fee for the
service. This process is called a
capturing process

Cardholder

credit
card

Merchant
Payment authorization,
payment data

Card Brand Company

payment data

account debit data

payment data
amount transfer

Issuer Bank

Acquirer Bank

Cardholder
Account

Merchant
Account

Credit Card Procedure (offline and online)

Prentice Hall, 2000

14

 Senders Computer
1. The message is hashed to a prefixed length of message
digest.
2. The message digest is encrypted with the senders
private signature key, and a digital signature is created.
3. The composition of message, digital signature, and
Senders certificate is encrypted with the symmetric key
which is generated at senders computer for every
transaction. The result is an encrypted message. SET
protocol uses the DES algorithm instead of RSA for
encryption because DES can be executed much faster
than RSA.
4. The Symmetric key itself is encrypted with the receivers
public key which was sent to the sender in advance. The
result is a digital envelope.
Prentice Hall, 2000

15

Senders Computer
Message

Senders Private
Signature Key

Message Digest

Digital Signature

+
Message

Symmetric
Key

Encrypt

Senders
Certificate

Receivers
Certificate

Encrypted
Message

Encrypt
Receivers
Key-Exchange Key
Prentice Hall, 2000

Digital
Envelope
16

Secure Electronic Transaction (SET)

Protocol (cont.)
Receivers Computer
5. The encrypted message and digital envelope are
transmitted to receivers computer via the Internet.
6. The digital envelope is decrypted with receivers private
exchange key.
7. Using the restored symmetric key, the encrypted message
can be restored to the message, digital signature, and
senders certificate.
8. To confirm the integrity, the digital signature is decrypted by
senders public key, obtaining the message digest.
9. The delivered message is hashed to generate message
digest.
10. The message digests obtained by steps 8 and 9
respectively, are compared by the receiver to confirm
whether there was any change during the transmission. This
step confirms the integrity.
Prentice Hall, 2000

17

Receivers Computer
Receivers Private
Key-Exchange Key
Decrypt

Digital
Envelope

Message

Decrypt
Symmetric
Key
Encrypted
Message

+
+
Senders
Certificate

Message Digest

compare

Decrypt
Digital Signature

Senders Public
Signature Key
Prentice Hall, 2000

Message Digest

18

IC Card
Reader

Customer y

Customer x
With Digital Wallets
Certificate
Authority

Electronic Shopping Mall

Merchant A

Merchant B

Payment Gateway
Protocol
X.25
Credit Card
Brand

Entities of SET Protocol in Cyber Shopping

Prentice Hall, 2000

19

Secure Electronic Transaction (SET) Secure Socket Layer (SSL)

Complex

Simple

SET is tailored to the credit card

payment to the merchants.

SSL is a protocol for generalpurpose secure message

exchanges (encryption).
SSL protocol may use a
certificate, but there is no
payment gateway. So, the
merchants need to receive both
the ordering information and
credit card information, because
the capturing process should be
initiated by the merchants.

SET protocol hides the customers

credit card information from
merchants, and also hides the
order information to banks, to
protect privacy. This scheme is
called dual signature.

Internet
Payee

Payer

Cyber Bank

Cyber Bank

Payment
Gateway

Payment
Gateway

Bank

VAN

Bank
Automated
Clearinghouse

VAN

An Architecture of Electronic Fund Transfer on the Internet

A delivery vehicle of cash in an

electronic form
Mondex, VisaCash applied this approach
Either anonymous or onymous
CyberCash has commercialized a debit
card named CyberCoin as a medium of
micropayments on the Internet

It is an EDI used for financial transactions

EDI is a standardized way of exchanging

messages between businesses

EFT can be implemented using a Financial EDI
system

Safe Financial EDI needs to adopt a

security scheme used for the SSL protocol
Extranet encrypts the packets exchanged
between senders and receivers using the
public key cryptography

Smart Cards
The concept of e-cash is used in the non-Internet
environment
Plastic cards with magnetic stripes (old technology)
Includes IC chips with programmable functions on
them which makes cards smart
One e-cash card for one application
Recharge the card only at designated locations,
such as bank office or a kiosk. Future: recharge at
your PC
e.g. Mondex & VisaCash

Shopping with Mondex

Adding money to the card
Payments in a new era of
electronic
shopping
Paying on the Internet

DigiCash
The analogy of paper money or coins
Expensive, as each payment transaction must be
reported to the bank and recorded
Conflict with the role of central banks bill
issuance
Legally, DigiCash is not supposed to issue more
than an electronic gift certificate even though it
may be accepted by a wide number of member
stores

Stored Value Cards

No issuance of money
Debit card a delivering vehicle of cash in an
electronic form
Either anonymous or onymous
Advantage of an anonymous card
the card may be given from one person to another

Also implemented on the Internet without

employment of an IC card

Smart card-based e-cash

Can be recharged at home through the

Internet
Can be used on the Internet as well as in a
non-Internet environment

Ceiling of Stored Values

To prevent the abuse of stored values in

money laundry
S$500 in Singapore; HK$3,000 in Hong Kong

Multiple Currencies
Can be used for cross border payments

Proximity Card
Used to access buildings and for paying in

buses and other transportation systems

Bus, subway and toll card in many cities

Amplified Remote Sensing Card

Good for a range of up to 100 feet, and can

be used for tolling moving vehicles at gates

Pay toll without stopping (e.g. Highway 91
in California)

Procedure of Financial Service Technology Consortium Prototype

Remittance
Invoice

Payer

Account
Receivable

Payee

E- Mail
WWW
Signature
Card

Signature Card

Workstation

Mall statement
E-Check line item

Remittance
Check
Signature
Certificate
Certificate

E-mail

Remittance

Check
Signature
Certificate
Certificate
Endorsement
Certificate
Certificate

Secure Envelope
ACH

Secure Envelope

ECP
Payers Bank
Debit account

Clear Check

Payees Bank
Credit account

Deposit check

Electronic Checkbook
Counterpart of electronic wallet
To be integrated with the accounting information
system of business buyers and with the payment
server of sellers
To save the electronic invoice and receipt of
payment in the buyers and sellers computers for
future retrieval
Example : SafeCheck
Used mainly in B2B

Payers

Payees

checkbook

check-receipt

agent
Payer

Issue a check

agent
Payee

Receipt

Checkbook,
screened result

report
Request of
screening check
issuance

control
agent of
payers
bank

Internet

present

control
agent of
payees
bank

clearing

A/C
DB

A/C
DB
payers bank

Prentice Hall, 2000

payees bank

The Architecture of SafeCheck

32

Two potential consolidations:

The on-line electronic check is merging with EFT
The electronic check with a designated settlement

date is merging with electronic credit cards

Security First Network Bank (SFNB)

First cyberbank
Lower service charges to challenge the service

fees of traditional banks

Visa

VisaCash is a debit card

ePay is an EFT service

An onymous card
is necessary to
keep the certificates for
credit cards, EFT, and
electronic checkbooks

The stored value in

IC card can be delivered
in an anonymous mode

Malaysias Multimedia Supper Corridor project

pursues a One-Card system
Relationship Card by Visa is also attempting
a one card system

Dont reveal your online Passcode to anyone. If you think

your online Passcode has been compromised, change it
immediately.
Dont walk away from your computer if you are in the
middle of a session.
Once you have finished conducting your banking on the
Internet, always sign off before visiting other Internet
sites.
If anyone else is likely to use your computer, clear your
cache or turn off and re-initiate your browser in order to
eliminate copies of Web pages that have been stored in
your hard drive.
Bank of America strongly recommends that you use a
browser with 128-bit encryption to conduct secure
financial transactions over the Internet.

Security solution providers can cultivate the opportunity of

providing solutions for the secure electronic payment systems

Electronic payment system solution providers can offer
various types of electronic payment systems to electronic
stores and banks
Electronic stores should select an appropriate set of
electronic payment systems
Banks need to develop cyberbank services to be compatible
with the various electronic payment system
Credit card brand companies need to develop an EC
standard like SET, and watch the acceptance by customers
Smart card brand should develop a business model in
cooperation with application sectors and banks
Certificate authority needs to identify the types of
certificate to provide

Prentice Hall, 2000

36