Electronic Payment Systems

Payment Systems and Security
Richard Warner
The Internet and Financial System
- The financial system is increasingly dependent on the Internet for communication and data transfer
- Hence, attacks on the Internet can affect the financial system
- All sorts of entities—not just financial institutions—transfer money electronically
- Traditional reporting points may be circumvented, making regulation more difficult

Issues Discussed
- The credit card system
- Credit card fraud
- Electronic transfers by entities not traditionally regarded as financial institutions

The Credit Card System
- Currently, the main form of payment in business-to-consumer transactions in ecommerce is by credit card
- A picture of the credit card system is essential background for our issues.

The Basic Credit Card Transaction
[Diagram: the four-party card transaction. Participants: Card holder, Merchant, Merchant bank, National switch, Issuing bank. Labelled flows: Purchase / CC # (card holder to merchant); Authorization request (merchant to merchant bank to national switch to issuing bank) and Authorization back along the same path; Record of charge (merchant to merchant bank to issuing bank); Payment (issuing bank to merchant bank to merchant).]

Advantages
- One key advantage of the credit card system is its charge-back procedures for dispute resolution
- This provides effective, efficient dispute resolution for participants in the credit card system
- Alternatives to the credit card system will need some dispute resolution procedures

Advantages
- The legal framework that regulates credit card transactions:
  - is well understood
  - provides good consumer protection
  - facilitates the worldwide use of credit cards

The legal framework
- EFTA and Regulation E
- State EFTAs
- Uniform Commercial Code
- Regulation CC promulgated under the Expedited Funds Availability Act, NACHA operating rules, and Regulation J
- Truth in Lending Act
- Fair Credit Reporting Act
- Equal Credit Opportunity Act as implemented in Regulation B

Electronic Fund Transfer Act and Regulation E
- Passed in 1978 to provide a basic framework for consumer protection in EFT systems
- To whom does it apply? To any “financial institution” – this is (under Regulation E) any “bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services”

EFTA
- To be subject to the EFTA, a transaction must have three components:
  - A transfer of funds
  - Initiated by electronic means
  - A debit or credit to a consumer account held directly or indirectly by a financial institution

Regulation: Electronic Fund Transfer Act and Regulation E
- What is an electronic fund transfer? “Any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account.”

Regulation E
- The EFTA applies only to consumer “accounts” – what is an account?
- An account is a demand deposit account, savings account, or other consumer asset account held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes

Six EFTA Requirements
- Restricts unsolicited issuance of account access devices
- Requires disclosures of terms and conditions
- Requires notice of changes
- Requires transaction receipts and periodic statements
- Establishes error resolution procedures
- Limits consumer liability to $50

Processing Costs
- The extensive processing makes the credit card system among the most costly forms of payment for retailers
- The processing also helps control fraud

Alternative to Credit Card System?
- In the early days of e-commerce, most assumed that some alternative to the credit card system was necessary.
- Two reasons:
  - To allow private parties to accept credit card payments (on eBay, for example);
  - To handle low value payments.

They Were Wrong
- To a considerable extent, they were wrong.
- Companies appeared that would handle credit card transactions for private parties, and
- Low value transactions are handled by waiting until a large batch of them can be processed in a single transaction.

The Current Focus: Security
- Suppose a web site or network accepts credit card payments. Payment information is sent over a web site to its servers, and it stores credit card numbers on those servers.
- What security measures are in order?

Avoiding Negligence
- Is it negligent not to have:
  - A firewall;
  - A network intrusion detection system;
  - SSL for communication;
  - Encrypted credit card numbers?

Foreseeability
- One owes a duty of reasonable care to another person only if one’s conduct creates a foreseeable risk to that person.
- A foreseeable risk is a risk which a reasonable person would anticipate
- The hacker risk is one a reasonable person would anticipate

Firewalls?
- Benefit: A firewall analyzes data arriving at a network or web site and blocks access of suspicious data.
- Cost: Firewall hardware and software must be purchased; personnel must know how to configure the firewall.
- In addition, they do not work perfectly.

Network Intrusion Detection
- Benefit: analyzes traffic on the network to detect suspicious activity
- Cost: hardware and software must be purchased; personnel must know how to configure the system.
- In addition, they do not work perfectly.

SSL Communication
- SSL (Secure Socket Layer) cryptographically protects messages traveling over the Internet.
- It protects against forgery, modification, and eavesdropping (sniffing).
- A digital certificate verifies the identity of the ecommerce server.
- The server provides a symmetric key for the duration of the session.

SSL Communication
- This is an industry standard for communication involving the transfer of financial information.
- The industry has decided the benefits outweigh the costs. Given that fact, it is highly likely a court will hold it is negligent not to employ this technology.

Encrypted Data
- This is an industry standard for sites that store sensitive financial information.
- As with SSL communication, the industry has decided the benefits outweigh the costs, and it is highly likely a court will hold it is negligent not to employ this technology.

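The deck asks what a site that keeps card numbers on its servers should do, and answers "encrypt them". The following is an added example of what that looks like in practice; it is not code from the deck or from any payment processor. It encrypts each primary account number (PAN) with AES-256-GCM before storage, binds the ciphertext to the owning customer record so a copied value fails to decrypt elsewhere, and keeps only a masked form (last four digits) for display. The key is generated in memory here for the sake of a self-contained run; the key source, the `SamplePAN` value (the well-known "4111..." test pattern, constructed) and the record identifiers are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// SamplePAN is a constructed test card number, not a real account.
const SamplePAN = "4111 1111 1111 1111"

// CardVault holds an AES-256-GCM AEAD used to encrypt PANs before they are
// written to the database.
type CardVault struct {
	aead cipher.AEAD
}

// NewCardVault wraps a 32-byte key. In production the key would come from an
// HSM or key-management service; this example keeps it in memory (assumption).
func NewCardVault(key []byte) (*CardVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead}, nil
}

// NewRandomKey draws a fresh 32-byte key from the OS CSPRNG.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a PAN under a fresh random nonce. The owning record's ID is
// bound as associated data, so a ciphertext copied into another customer's
// row no longer authenticates. Output layout: nonce || ciphertext || tag.
func (v *CardVault) Seal(recordID, pan string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(pan), []byte(recordID)), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or record ID makes
// the GCM tag check fail, so the caller gets an error rather than garbage.
func (v *CardVault) Open(recordID string, sealed []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(sealed) < ns+v.aead.Overhead() {
		return "", errors.New("sealed value too short")
	}
	plain, err := v.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// MaskPAN returns the only form that should appear in clear text in logs,
// receipts or support screens: all but the last four digits hidden.
func MaskPAN(pan string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, pan)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

func main() {
	key, _ := NewRandomKey()
	vault, _ := NewCardVault(key)
	sealed, _ := vault.Seal("customer-42", SamplePAN) // constructed record ID
	fmt.Printf("stored: %x  displayed: %s\n", sealed, MaskPAN(SamplePAN))
	_, err := vault.Open("customer-99", sealed)
	fmt.Println("same ciphertext under another record:", err)
	pan, err := vault.Open("customer-42", sealed)
	fmt.Println("decrypted for the authorization call:", pan == SamplePAN, err)
}
```

The point a court or auditor cares about is that a database dump alone yields nothing usable: without the key, the stored bytes are random-looking, and without the matching record ID even a legitimate key holder cannot silently move one customer's card onto another account.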
Credit Card Fraud
- Credit card numbers can be obtained in a variety of ways.
- Skimming is the latest and most effective technology.
- Use of credit cards on the Internet is relatively safe.
- What the Internet does is make it easy to transfer stolen numbers around the world.

“Chip and Pin” Cards
- A “chip” card (a smart card) contains a microchip with digital certificate technology on it.
- The PIN is a number known to the cardholder and not recorded on the card itself.
- When the cardholder uses the card, the certificate verifies identity and matches the identity to the PIN.

Non-Bank Electronic Transfers
- All sorts of entities electronically transfer money.
- How should they be regulated?
- Concerns include:
  - Consumer protection;
  - Money laundering;
  - Tax evasion;
  - Terrorism.

A Hypothetical
- To attract people to his site, Fred offers rebates. Each time a customer buys from him, 1% of the purchase price is credited to a special account in the customer’s name. Once the amount reaches $10, customers can request that amount in cash, use the amount to buy more items from Fred, or simply continue to let the amount increase through further purchases.
- With what laws must Fred comply?

Money Services Act
- The USA has encouraged experimentation with non-credit card payment systems by nontraditional financial institutions
- The result: a variety of non-banks transfer small amounts of money
- The statutory response has been the Money Services Act

Money Services Act
- A license is required for anyone engaging in money transmission.
- Money transmission = issuing payment instruments, receiving money or monetary value for transmission
- Payment instruments = check, draft, money order, traveler’s check, or other instrument for the transmission of money or monetary value, whether or not negotiable

Money Services Act
- Money = a medium of exchange authorized or adopted by a government
- Monetary value = a medium of exchange, whether redeemable or not
- The Act imposes reserve requirements, record keeping, and reporting requirements

USA PATRIOT Act
- To increase the effective administration of the Act’s requirements, it prohibits unlicensed money transmission. (373(a – b))
- “Money transmission” is defined very broadly. (373(b)(C))
- This may affect many e-commerce sites.

Financial Institutions
- Under the Act, “financial institutions” are subject to a variety of regulations.
- Such institutions include: insured banks, commercial banks, trust companies, private bankers, an agency or branch of a foreign bank in the US, any credit union, thrift institution, broker or dealer registered with the SEC, a broker or dealer in securities or commodities (registered or not), . . . an investment banker or investment company, a currency exchange, an issuer, redeemer, or cashier of traveler’s checks, checks, money orders or similar instruments, credit card system operators, insurance companies, dealers in precious metals, stones or jewels, a pawn broker; a loan or finance company; a travel agency, a licensed sender of money or any other person who engages as a business in the transmission of funds, formally or informally; a telegraph company; a business engaged in vehicle sales (including automobile, airplane, and boat sales); persons involved in real estate closings and settlements; the United States Postal Service; casinos, and certain government agencies.