Emerging eCommerce Credit and Debit Card Protocols
Mark E. Peters
IBM Corporation
mepeters@us.ibm.com
Abstract
Internet sellers need guaranteed payments for
goods and services. Buyers need protection from
misuse of their financial accounts. Credit cards
dominate the internet payment world, but
merchant fraud is rampant and cardholders are
scared. This paper explores emerging protocols
and technologies that are being developed to
eliminate card fraud and internet payment
methods that will compete with credit cards.
Keywords: Credit Card, Debit Card, Fraud,
Cardholder Authentication, MasterCard, VISA
1. Introduction
In the late nineties, dot coms were allowed by
the stock markets to hemorrhage money without
consequence. And hemorrhage they did, many
losing millions per quarter to organized crime
exploiting credit card fraud. With a sole focus on
gaining market share and clicks, dot coms had no
desire to push banks for fraud protection or to
likewise pressure government for regulatory
relief. Many sellers and several electronic cash
companies have been severely crippled or failed
due to excessive credit card chargebacks.
Internet sellers would be much more efficient
if they were able to focus more on their core
competencies such as marketing, advertising,
customer relationships, store design, and
fulfillment. Imagine the day when all internet
payments are handled
without human
intervention, without chargebacks, and without
having to protect credit card numbers. In the
meantime, eCommerce site managers, designers,
and operators need to know how to minimize their
risk and prepare for emerging solutions.
1.1. Credit Card Industry
According to NUA ComputerScope, 90
percent of the $5 billion 2001 internet transactions
are credit card based [1]. Given this dominance in
the online retail world, it is important to
understand the players in the credit card business.
Issuers have a contractual relationship with
cardholders. Acquirers have a contractual
relationship with merchants.
Credit card
associations, such as MasterCard and VISA, make
the rules that form the contractual relationships
between Issuers, Acquirers, and the processing
entities of the system.
1.2. Chargebacks and Fraud
Chargebacks occur when a cardholder refutes
a transaction. Typical chargeback types include
situations where the cardholder claims he or she
did not participate in the transaction, did not
receive the goods, or believed the goods were not
as represented by the merchant. Stolen card
numbers result in the stereotypical type of fraud.
Though consumers typically are not
responsible for the actual chargeback amounts in
these situations, they fear that it could lead to
identity theft resulting in a lasting impact on their
credit history. Victims of this type of fraud lose
confidence in the credit card system when they
notice fraudulent charges on their credit card or
receive calls from their card issuer indicating that
their account has exceeded the typical velocity of
charges or that suspect authorizations had
occurred. It is equally unnerving to many victims
that they receive ongoing notices that the credit
card was denied for an order the victim never
placed. Even more disturbing are the cases where
cardholder is informed that goods he or she never
ordered have arrived or have been shipped for
authorizations which initially succeeded
Another type of fraud, “Friendly fraud”,
occurs when a cardholder did make a transaction,
but wants to deny that he made a potentially
embarrassing type of adult purchase [2]. One
cardholder successfully charged back $70,000 in
internet gambling debt after claiming in court that
the credit card companies should not have
allowed the charges to succeed! [3]
Credit card transactions fall into two primary
categories:
Card Present
Card Not Present, a.k.a. Mail
Order/Telephone Order (MOTO)
Merchants are protected from certain
chargeback
reasons
during
card-present
transactions. Card-present transactions require
evidence that the card was present during the
transaction. In the U.S., this means that the
complete magnetic data was present in a swipe
terminal transaction or that the merchant can
produce a physical imprint of the card along with
a signature during chargeback proceedings. In
France, the smart card signature must be
produced.
Skimming fraud occurs when the magnetic
data is stolen and placed on a fake card. It is
more difficult to alter the physical card than the
magnetic stripe, so clerks are required to enter the
last 4 digits of the card to reduce risk.
Chargebacks typically cost issuers and
acquirers $25 to $75 to process. So while they
may not have to bear the actual cost of the cardnot-present charge, they must minimize disputes
to remain profitable.
U.S. MOTO merchants use address
verification service (AVS) to verify the credit
card billing address as a preliminary check. Some
jewelry and electronics merchants will only ship
to the card billing address to reduce risk. One
cardholder had several shipments of jewelry and
electronics show up on her credit card statement.
The goods had been shipped to the billing
address, but apparently the thief was watching the
shipper’s tracking site and routinely picked up the
goods before the client returned home from work
[4].
Merchants with excessive numbers or
percentages of chargebacks face steep fines,
despite the fact that internet merchants have no
means to authenticate a cardholder online. Only
the financial institution that issued a particular
credit card can vouch for the identity and
authority of a user of a particular card. Until
card-issuing institutions do their part to
authenticate cardholders, internet merchants
remain vulnerable to cardholder fraud and
chargeback fines.
Merchant fraud occurs when merchants
authorize and capture fraudulent charges against
credit card numbers without cardholder
authorization. Consider the case where a person
sets up a corporation, opens merchant accounts
with several credit card brands, announces he has
the latest gaming console before everyone else,
collects a thousand credit card numbers, receives
money from those cards into his checking
account, withdraws the money, and flees the
country before the cardholders dispute the
transactions. There are checks in place to prevent
such a runaway case, but this is an acquirer’s
worst nightmare.
Factoring is the term often used in the credit
card world to describe a scenario where a
merchant account is shared between more than
one merchant. Consider the previous fraud
scenario, but where the fraudster conned a
separate “merchant” into collecting funds for the
fake purchases. After the fraudster collects the
deposited funds from the merchant and flees the
country, the merchant, not the acquirer, will be
liable for the losses.
Merchants are often victims of blackmail
when hackers steal credit card number databases.
CD Universe was one of the first publicized cases
of such attempted fraud. Customer relationships
were severely damaged when CD Universe was
forced to email thousands of customers to disclose
the theft.
1.3. SSL Security
While SSL is used to protect numbers in
transit, many merchants do very little to encrypt
their data store. Even SSL private keys might be
discovered based on an attack articulated by
nCipher. In this attack, a CGI program running
with the same user as the web server scans the
web server memory or a system dump for the
private key [5].
Aside from the nCipher attack, almost all
SSL servers use software-based private keys
stored on disk with a hardcoded key in a stash file
to permit unattended server restart. Any hacker
who manages to access these files can easily
determine the key. This is particularly troubling
given the high percentage of insider attacks
claimed in numerous trade press articles.
A hacker in possession of the SSL private
key who is also capable of eavesdropping on SSL
sessions could decrypt credit card information. A
hacker who is also capable of changing the DNS
listing of the server could successfully
impersonate the server to obtain credit card
information.
Holes in shopping cart software or
improperly secured shopping cart software files
provide additional means for hackers to obtain
credit card numbers.
1.4. Merchant Fees
Merchants pay a one to five percent fee per
credit card transaction.
This fee covers
transaction verification, cardholder billing,
dispute processing, cardholder loyalty rewards,
and fraud. Obviously, a competing payment
system that could reduce overhead is poised to
have some financial advantages over the status
quo.
If, for example, the Automated
Clearinghouse (ACH) network could develop an
online account-holder authentication system that
was inexpensive to implement, resulted in no
transaction disputes or failures, while incurring
little more than the existing pennies-pertransaction checking account debit fee, then it
would threaten the online credit card dominance.
However, there are many inhibitors to
success, even for inexpensive payment options.
The primary inhibitor is that merchants want to
offer the payment options that consumers desire
to use, and in many cases the consumers want to
use an option that rewards them with loyalty
premiums such as frequent flyer miles or rebates.
Merchants are hesitant to directly pass the credit
card fees onto the consumer because shoppers
tend to choose merchants who do not surcharge.
As long as the market will bear consumers’
choosing
payment options that are more
expensive to merchants, less expensive payment
options will languish.
Many government agencies offer to collect
taxes, fines, and fees online via credit cards, but
they typically surcharge the three percent
merchant fee. While some citizens may pay a
dollar to quickly pay a parking ticket online, most
are going to pay vehicle or real estate property
taxes with a check to avoid enormous surcharges.
1.5. Debit Transactions
Credit card brands are also leveraging their
way into debit transactions. Formerly, PIN-based
ATM cards were the only cards linked to a
checking account. VISA and MasterCard have
produced signature-based debit cards that incur a
much higher merchant fee because the risk model
is equivalent to credit cards. Banks like these
cards because they produce more revenue. In
fact, some banks have started charging the
consumer $1.50 for usage of a PIN-based ATM
card at the point of sale to encourage signaturebased debit. Because PIN-based transactions
require two factors of authentication, they have a
much lower fraud rate than signature transactions.
Wal-Mart started what has now become a
class action lawsuit to recover the discrepancy in
fees between these two types of debit. Merchants
were forced to take signature debit transactions if
they took MasterCard and VISA, which the
merchants claim was monopolistic and unfair.
The growth of signature-based debit at the
expense of PIN-based debit results in higher
merchant overhead and an increase in fraud,
which increase the price of goods to consumers.
1.6. Cardholder Authentication
Issuers have no desire to pay for the
infrastructure to authenticate internet cardholders
or for any increased liability incurred if the
authentication system is defeated. The reduction
of chargeback costs is the only current incentive
for issuer adoption of cardholder authentication.
Until issuers have adequate motivation, many
cardholder authentication schemes will fail to gain
traction.
The goal is to make all transactions “card
present” by authenticating cardholders and having
them validate the proposed purchase.
The
challenge is that the solution must offer the right
benefit to the right parties with the right timing.
2. Attempted Solutions
To keep from repeating mistakes of the past,
it is important to study why previously attempted
solutions have failed.
2.1. SET Secure Electronic Transaction™
The first attempted solution for reducing
internet credit card fraud was SET. While this
was an elegant solution that met all of the stated
requirements and was available from a large
number of interoperable vendors, it proved to be
too burdensome and did not have buy-in from the
necessary parties.
Why SET Failed…
Banks resisted liability. Card-issuing
banks are quite happy with the status
quo, since direct losses are borne by the
merchant. SET has been successful in
geographies where the government has
threatened to reduce overall fraud
through regulation to correct this
imbalance of power.
Lacked member support. VISA and
MasterCard are associations of financial
institutions who issue credit cards and
acquire transactions from merchants.
The associations had good intentions that
fit their mission when they created SET,
but they never truly had buy-in from
their stakeholders for the final solution.
Merchants didn’t care about losses at the
time SET needed momentum.
They
were focused on market share.
Merchants have no power. With only a
handful of domestic credit card brands
from which to choose in a given
geography and cardholders who only
hold one or two brands in their wallet,
merchants must choose the dominant
brands or lose sales.
Banks and Brands gain revenue from
chargeback penalties. Not only are
direct losses borne by merchants, but
many of the larger internet merchants
pay penalties on the order of tens of
thousands of dollars per month because
they exceed certain chargeback limits
imposed by the brands.
Banks and Brands make money selling
fraud services and data. In an odd twist
of fate, the lack of security inherent in
internet credit card transactions creates
an opportunity to sell fraud analysis of
cards and transactions.
Insecure alternatives were not corrected.
SET would have looked very attractive if
credit card brands had required
appropriate security measures for nonSET transactions.
For example, if
merchants had been required to harden
their storage of credit card numbers and
provide the same level of protection for
their SSL credentials as with their SET
credentials, then SET would have
appeared to be an incremental step.
Scope of SET protocol was too large.
The
protocol
met
some strict
requirements regarding the protection of
credit card numbers. While meeting
these requirements, there were some
fairly burdensome messages and
interactions between the merchant and
acquiring institution. In hindsight, these
would have been better left out of the
scope by using other tactics such as
surrogate card numbers.
Certificate
Management
was
burdensome. SET was one of the first
mature adopters of public key
infrastructure (PKI). In hindsight, SET
may have been easier to deploy and
manage if cardholder public keys were
registered at the issuer rather than
requiring
cardholder
certificates.
Likewise, surrogate card numbers that
would be useless without cardholder
signatures would have obviated merchant
and payment gateway certificates.
2.2. Surrogate Card Numbers
American Express failed to gain traction in its
“Private Payments” initiative, which was a
surrogate card number scheme. It also tried to use
a server-based wallet in conjunction with its free
card readers for the Amex Blue card, which it
ceased operating in 2001 after the failure of
Globeset (the technology provider of the wallet).
Other card providers have also attempted
surrogate card number schemes. These require
software on the cardholder’s machine to substitute
the temporary card number into merchant
shopping forms along with software changes at
the issuer. Ease of use and difficulty working
with surrogate numbers during returns and
repudiation as well as the marginal cardholder
authentication protection offered by these
schemes give them a very short-term benefit.
Often the benefit does not provide adequate return
on investment.
3. Emerging Solutions
Due to SET’s failure to gain traction, VISA
and MasterCard have each come up with their
own schemes. At one time, there was a plan by
both parties to allow either scheme to be chosen
by
participants
to
provide
cardholder
authentication. However, this agreement did not
work out [6]. As a result, online merchants will
be forced to support a cardholder authentication
protocol for every brand.
Both schemes accomplish their primary goal
of authenticating cardholders during approval of a
transaction. Each approach has advantages and
disadvantages. The schemes have been described
in enough detail to understand in articles and on
the brand web sites. However, the complete
specifications have not been made public, which
means that some of the more meaningful analysis
of potential weaknesses and performance
implications cannot be published at this time.
3.1. VISA Initiative
Verified By VISA™ works without the need
for any program installed on the cardholder’s
computer.
1. The cardholder enters the VISA card
number and expiration, along with other
information asked today.
2. The merchant queries to see if the
cardholder participates.
3. If so, the user is presented with a web
page from his or her card issuer asking
for the password to approve the
transaction.
4. A digitally signed message is sent to the
merchant, which validates that the issuer
approves and that the merchant is
afforded some transaction protection.
5. The authorization and capture proceeds
normally, though some additional
information to track the transaction will
be sent. [7]
3.2. MasterCard Initiative
MasterCard Secure Payment Application
(SPA) requires a small client piece of software to
be installed on the merchant system.
1. The merchant form has particular field
names
2. The MasterCard client detects the field
names and asks the user to login to the
server-based wallet where he or she is
prompted to approve the transaction
based on the merchant and transaction
information.
3. A token is generated to by the serverbased wallet and is entered by the client
into the web form along with the real or
surrogate card number.
4. The authorization includes the token. If
the authorization succeeds, then the
token is deemed good and the transaction
is guaranteed.8
3.3. Comparison
The MasterCard scheme is much easier to
implement and deploy from a merchant and issuer
point of view. It requires no certificates and no
special documents or digital signatures. It does
require cardholder software as well as changes to
the traditional card authorization process.
Both schemes permit smart cards or other
authentication technology to be used by the issuer.
Depending on how the VISA smart card support
is implemented, VISA may also find itself
requiring program installation on the client.
As for mobile support, VISA has a private
specification that purports to support mobile
scenarios, though whether WIM or other
authentication technologies are supported is
unclear.
The VISA scheme could be implemented
without transmitting any data in the traditional
card authorization, but it requires many messages
between VISA, the cardholder, and the merchant.
In addition, the messages are in XML format and
many are digitally signed, which might
overwhelm some merchant servers.
The MasterCard scheme boils down to the
transmission of a token to the merchant. Thus, it
is suitable for non-browser communications
provided that the client application piece can be
satisfied in non-browser environments. The
VISA scheme is fairly tightly bound to browser
redirection.
One potential weakness in the VISA scheme
is the possibility of a “man-in-the-middle” attack.
If an attacker were able to modify the redirection
given to the cardholder by the merchant, then the
cardholder could be redirected through a site
controlled by the attacker. The attacker could
impersonate the issuer to the cardholder and the
impersonate cardholder to the issuer.
The
cardholder would have to notice that the issuer
site was not legitimate to detect this attack. If the
attack is successful, then the transaction succeeds
and the user would not detect that the attacker
gleaned the account password. The attacker then
uses the password to shop at other sites. The card
issuer would bear liability in this scenario.
4. Payment Technologies To Watch
4.1. ACH
ACH is used for payroll deposits and many
business-to-business and recurring consumer-tobusiness payments in the United States. There is
effort underway to expand this outside the U.S.
There are networks similar to ACH in many
countries. ACH transactions are inexpensive and
efficient.
Firms such as BankServ currently offer ACH
transactions that behave like credit card
transactions. The consumer enters a checking
account number during checkout and money is
pulled from the consumer’s account via ACH. In
this form, the chargeback risks mimic those of
credit cards.
The ACH network currently supports a
consumer push model, but there is no pervasive
solution that would redirect an account holder to
his bank to initiate the push. As soon as ACH
solves
the
problem
of
accountholder
authentication or bank redirection and reduces
transaction time to 24 hours, it will prove to be a
formidable adversary to the credit card status quo.
Some predict that ACH will surpass credit
card usage online within 5 years.
the wireless carriers will have to develop and
manage the merchant relationships. However, if
WIM can be used to eliminate repudiation and if
wireless providers can learn how to manage credit
risk beyond basic liability for phone calls, then
wireless providers have a credible opportunity for
efficient low and medium value credit
transactions.
In addition, they have an
opportunity to tap a community of unbanked
individuals by leveraging prepay accounts to pay
for goods and, quite possibly, to pay bills.
4.2. Mobile Phones
4.3. PayBox
There are many varieties of mobile devices
capable of performing various flavors of
payments. The penetration of mobile phones
throughout various socioeconomic groups is
staggering. Many phones are capable of wireless
internet browsing and 2 way text messaging.
As soon as the Wireless Identity Module
(WIM) permits users to digitally sign transactions
with the likes of a smart card, users could
leverage this representation of their identity to
sign transactions. Users could enroll their WIM
with a financial provider to grant transactions
signed by a WIM key to authenticate the
transaction.
WIM could also be leveraged for Bluetoothbased vending machine or other low-value
transactions when a cellular signal is not
available.
There is much debate in the wireless and
financial industries over who owns the WIM
credential and whether the wireless provider can
take a cut of transactions for financial use of the
credential.
There are also branding
considerations. VISA, MasterCard, Citibank, and
other financial institutions want users to see their
logo on the piece of plastic used to perform the
transaction. As a result, there is also debate over
whether a second smart card slot should be
provided in phones.
There are many standards organizations
looking at how to leverage mobile phones in
payment scenarios. They each have staked out
various types of transactions or parts of the
payment lifecycle, such as message format, digital
signing, credential management, etc. Examples of
such standards bodies include WAP Forum,
DoCoMo, MeT, GMCIG, mSign, and Mobey.
Another trend by wireless providers is to
permit a variety of mobile phone scenarios to
result in charges that appear on the user’s phone
bill. Non-phone charges will often appear on a
separate bill due to customer sensitivity about
phone service costs. The primary inhibitor is that
One primitive way to perform payments with
GSM phones is for a consumer to enroll his or her
phone number and credit card number with a
merchant, vending machine organization, or
payment service provider such as Paybox. With a
quick scan of a barcode at a vending machine or
by entering the number in by hand into a machine
or web form, a payment server calls the phone and
the user confirms with a touch-tone PIN. The
call-establishment security built in to GSM makes
this a fairly secure process as long as the phone
number mapping and user authentication is
correct. No account information is transmitted
over the phone.
Paybox claims to have over 2 percent of the
German market. Paybox charges users $4.50 per
year along with a 3 percent transaction fee
charged to the merchant. Both the cardholder and
merchant must be enrolled. Deutsche Bank owns
half of Paybox, but is considering adding partners
in other countries to facilitate payments in each
country [9].
4.4. Qpass
Qpass seeks to minimize the investment by
wireless carriers by providing technology to
manage the financial transactions and merchant
relationships.
Consumers use their wireless
device to access fee-based content and purchase
goods. Qpass allows consumers to choose to pay
for small dollar goods and content with their
wireless account and high dollar goods with credit
or debit cards.
4.5. PayPal
Paypal permits person-to-person payments.
Each user registers an email address which is used
by others to route payments. The email address
and a logon password secure a user’s “account”.
An account can be funded by a credit card or by a
bank account. This form of credit card funding is
a type of factoring, but VISA and MasterCard
have permitted it to continue (likely because
PayPal does a decent job of authenticating
cardholders). Paypal passed an important U.S.
FDIC investigation to see if it broke federal
banking laws since it holds member funds. It is
still being investigated by states and by other
countries. PayPal is primarily used by online
auctions by individuals too small to hold a credit
card merchant account. However, even larger
merchants use it because Paypal charges much
less for credit card transaction fees than is charged
by Internet payment service providers.
4.6. Microsoft Passport
Microsoft is attempting to leverage its
authentication technology for a variety of
applications, including single-sign-on amongst
unrelated companies. Microsoft appears to be
targeting the authentication of online banking as
well as credit cardholder authentication to
leverage their operating system dominance as a
means to take a share of transaction revenue.
Microsoft offered $100 to anyone who would use
the Passport Wallet to complete a purchase in
December of 2001.
Until various cardholder authentication
schemes reign, there will be a place for fraud
screen services. These services analyze various
streams of data to judge the likelihood that a
given transaction will fail. Some services collect
data from merchants, much like TeleCheck does
for checking accounts. Others buy data from the
card brands. Very few of the fraud screens
operate on useful real-time data. Thus, the overall
effectiveness is questionable if most issuers can
freeze suspect accounts in the first 12 hours,
which would cause authorizations to fail anyway.
Much like the checking account screening
services, credit card fraud services can also insure
transactions. However, most merchants deem this
too expensive for their operations.
Data collected for these services include
billing and shipping address data, source IP
address, types of goods, etc. Preliminary checks
on whether the IP address is in the locale of the
card’s billing address, how easily the goods can
be fenced, and whether the goods are being
shipped to a bad neighborhood, provide the most
value for these fraud score algorithms. Many
retailers have in-house fraud detection
departments that analyze these types of statistics.
4.9. Authentication via Credit Check
4.7. RFID Tags
There are a variety of radio frequency
identification tags in use today. These tags use
contactless technology to convey a user identity to
the payment system. Eavesdropping is possible
because this passive approach employs no active
cryptography nor does it typically employ PINs or
other secondary authentication factors.
One early success story is the New York EZPass system that permits commuters to have road
and bridge tolls deducted from their account.
Recent successful adoptions are in the retail
point of sale area, such as Mobil’s SpeedPass to
pay at the pump and in the store. Speedpass
claims to have over 5 million users. The tag fits
on a user’s keychain, costs Mobil about $2 each,
and is free to users. Customers can even purchase
a tag built into a Timex watch. Each purchase
results in a debit to a credit card or checking
account.
Implementers of these systems claim that the
transaction time is greatly reduced and that
customer loyalty has increased [10].
4.8. Fraud Screening Services
Equifax started a rather novel service for
cardholder authentication when purchasing high
dollar goods, which BankServ and others now
support. At checkout, the cardholder is asked
some information that the fraudster is unlikely to
know, such as the monthly mortgage payment, or
last months credit card bill, etc. The consumer’s
answers and the current credit card number being
used are compared to data in the credit report.
Mismatches result in a denied transaction.
The cost and inconvenience of this service
makes it unlikely that it will be used for most
typical transactions, but it is an interesting way
for a credit-reporting agency to increase revenue
while insuring credit card transactions.
5. Conclusion
Credit cards are the payment method to beat
in today’s internet commerce environment. More
efficient payment systems pose a long-term threat,
but there are no clear leaders given political
power and customer loyalty considerations.
The
world
needs
one
cardholder
authentication technology, not one per brand or
one per country.
Merchants bear the direct losses of most
internet card fraud. Since issuers are currently
only responsible for losses due to cardholder nonpayment that occurs, they are unwilling to assume
liability for authenticated payments and are
unwilling to pay the infrastructure required to
perform cardholder authentication.
Mobile technologies lend some promise for
cardholder authentication and for very pervasive
payment solutions.
There is no free ride. Consumers and
stockholders, not sellers or banks, ultimately pay
for credit card fraud through increased cost of
merchandise, credit card fees, and devaluation of
stock.
It is in everyone’s best interest to
understand and eliminate payment system fraud.
6. Reference Material
“Protecting Commercial Secure Web Servers
From Key-Finding Threats”
http://www.ncipher.com/products/rscs/downloads/
whitepapers/pcsws.pdf
[1] “Visa to evaporate merchant liability”, Cards
International, March 22, 2002, p8, Lafferty
Publications Ltd
[2] Bennett, Robert A., “I didn't do it”, USBanker,
12 Dec 2001, P48-52
[3] Ullman, Ellen, “Denied”, Ziff Davis Smart
Business, May 1, 2002
[4] Conversation between Mark Peters and a
friend who is a local banker, 2001
[5] “Protecting Commercial Secure Web Servers
From Key-Finding Threats”, nCipher Inc.,
November 1999,
http://www.ncipher.com/products/rscs/downloads/
whitepapers/pcsws.pdf
[6] Bennett, pp48-52
[7] “Visa to evaporate merchant liability”, Cards
International, March 22, 2002, p8, Lafferty
Publications Ltd
[8] “VISA 3D Secure vs. MasterCard SPA”,
http://www.gpayments.com/pdfs/GPayments_3D_vs_SPA_Whitepaper.pdf
[9] Bright, Julian, “Paying By Numbers”,
Communications International, Nov, 2001, p66,
EMAP Media Ltd.
[10] “Credit, Debit or Speedpass?” Card
Technology, v2, n9, September 2001, p18,
Thomson Financial Inc.