Payment Systems and Security Richard Warner The Internet and Financial System The financial system is increasingly dependent on the Internet for communication and data transfer Hence, attacks on the Internet can affect the financial system All sorts of entities—not just financial institutions—transfer money electronically Traditional reporting points may be circumvented, making regulation more difficult Issues Discussed The credit card system Credit card fraud Electronic transfers by entities not traditionally regarded as financial institutions The Credit Card System Currently, the main form of payment in business to consumer transactions in ecommerce is by credit card A picture of the credit card system is essential background for our issues. The Basic Credit Card Transaction Authorization request Record of charge Purchase / CC # Merchant Payment Record of charge Issuing bank Payment Merchant bank National switch Card holder Authorization Advantages One key advantage of the credit card system is its charge-back procedures for dispute resolution This provides effective, efficient dispute resolution for participants in the credit card system Alternatives to the credit card system will need some dispute resolution procedures Advantages The legal framework that regulates credit card transaction is well understood provides good consumer protection facilitates the worldwide use of credit cards The legal framework EFTA and Regulation E State EFTAs Uniform Commercial Code Regulation CC promulgated under Expedited Funds Availability Act, NACHA operating rules, and Regulation J Truth in Lending Act Fair Credit Reporting Act Equal Credit Opportunity Act as implemented in Regulation B Electronic Fund Transfer Act and Regulation E Passed in 1978 to provide a basic framework for consumer protection in EFT systems To whom does it apply? To any “financial institution” – this is (under Regulation E) any “bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services” EFTA To be subject to the EFTA, a transaction must have three components: A transfer of funds Initiated by electronic means A debit or credit to a consumer account held directly or indirectly by a financial institution Regulation: Electronic Fund Transfer Act and Regulation E What is an electronic fund transfer? “Any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account.” Regulation E The EFTA applies only to consumer “accounts” – what is an account? An account is a demand deposit account, savings account, or other consumer asset account held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes Six EFTA Requirements Restricts unsolicited issuance of account access devices Requires disclosures of terms and conditions Requires notice of changes Requires transaction receipts and periodic statements Establishes error resolution procedures Limits consumer liability to $50 Processing Costs The extensive processing makes the credit card system is the among the most costly forms of payment for retailers The processing also helps control fraud Alternative to Credit Card System? In the early days of e-commerce, most assumed that some alternative to the credit card system was necessary. Two reasons: To allow private parties to accept credit card payments (on eBay, for example); To handle low value payments. They Were Wrong To a considerable extent, they were wrong. Companies appeared that would handle credit card transactions for private parties, and Low value transactions are handled by waiting until a large batch of them can be processed in a single transaction. The Current Focus: Security Suppose a web site or network accepts credit card payments. Payment information is sent over a web site to its servers, and it stores credit card numbers those servers. What security measures are in order? Avoiding Negligence Is it negligent not to have: A firewall; A network intrusion detection system; SSL for communication; Encrypted credit card numbers? Foreseeabilty One owes a duty of reasonable care to another person only if one’s conduct creates a foreseeable risk to that person. A foreseeable risk is a risk which a reasonable person would anticipate The hacker risk is one a reasonable person would anticipate Firewalls? Benefit: A firewall analyzes data arriving at a network or web site and blocks access of suspicious data. Cost: Firewall hardware and software must be purchased; personnel must know how to configure the firewall. In addition, they do not work perfectly. Network Intrusion Detection Benefit: analyzes traffic on the network to detect suspicious activity Cost: hardware and software must be purchased; personnel must know how to configure the system. In addition, they do not work perfectly. SSL Communication SSL (Secure Socket Layer) cryptographically protects messages traveling over the Internet. It protects against forgery, modification, and eavesdropping (sniffing). A digital certificate verifies the identity of the ecommerce server. The server provides a symmetric key for the duration of the session. SSL Communication This is an industry standard for communication involving the transfer of financial information. The industry has decided the benefits outweigh the costs. Given that fact, it is highly likely a court will hold it is negligent not to employ this technology. Encrypted Data This is an industry standard for sites that store sensitive financial information. As with SSL communication, the industry has decided the benefits outweigh the costs, and it is highly likely a court will hold it is negligent not to employ this technology. Credit Card Fraud Credit card numbers can be obtained in a variety of ways. Skimming is the latest and most effective technology. Use of credit cards on the Internet is relatively safe. What the Internet does is make it easy to transfer stolen numbers around the world. “Chip and Pin” Cards A “chip” card--a smart card—contains a microchip with digital certificate technology on it. The PIN is a number known to the cardholder and not recorded on the card itself. When the cardholder uses the card, the certificate verifies identity and matches the identity to the PIN. Non-Bank Electronic Transfers All sorts of entities electronically transfer money. How should they be regulated? Concerns include: Consumer protection; Money laundering ; Tax evasion; Terrorism. A Hypothetical To attract people to his site, Fred offers rebates. Each time a customer buys from him, 1% of the purchase price is credited to a special account in the customer’s name. Once the amount reaches $10, customers can request that amount in cash, use the amount to buy more items from Fred, or simply continue to let the amount increase through further purchases. With what laws must Fred comply? Money Services Act The USA has encouraged experimentation with non-credit card payment systems by nontraditional financial institutions The result: a variety of non-banks transfer small amounts of money The statutory response has been the Money Services Act Money Services Act A license is required for anyone engaging in money transmission. Money transmission = issuing payment instruments, receiving money or monetary value for transmission Payment instruments = check, draft, money order, traveler’s check, or other instrument for the transmission of money or monetary value, whether or not negotiable Money Services Act Money = a medium of exchange authorized or adopted by a government Monetary value = a medium of exchange, whether redeemable or not The Act imposes reserve requirements, recording keeping, and reporting requirements USA PATRIOT Act To increase the effective administration of the Acts requirements, it prohibits unlicensed money transmission. (373(a – b)) “Money transmission” is defined very broadly. (373(b)(C)) This may affect many e-commerce sites. Financial Institutions Under the Act, “financial institutions” are subject to a variety of regulations. Such institutions include: insured banks, commercial banks, trust companies, private bankers, an agency or branch of a foreign bank in the US, any credit union, thrift institution, broker or dealer registered with the SEC, a broker or dealer in securities or commodities (registered or not), . . . Financial Institutions An investment banker or investment company, a currency exchange, an issuer, redeemer, or cashier of travelers checks, checks money orders or similar instruments, credit card system operators, insurance companies, dealers in precious metals, stones or jewels, a pawn broker; a loan or finance company; a travel agency, a licensed sender of money or any other person who engages as a business in Financial Institutions the transmission of funds, formally or informally; a telegraph company; a business engaged in vehicle sales (including automobile, airplane, and boat sales); persons involved in real estate closings and settlements; the United States Postal Service; casinos, and certain government agencies.