No Slide Title - Prof. CK Michael Tse

Payment and Cash Standards
Content
1. Credit-Card Transactions
2. Digital Currency, E-Wallets, Smart Cards
3. Secure Electronic Transactions (SET)
4. Online Banking
Introduction
• The electronic transfer of funds is key to
conducting e-business successfully
• Discussion includes:
– How individuals and organizations perform monetary
transactions on the Internet
– Payments by credit card, cash, and check; payments to
businesses; peer-to-peer payments; banking and bill
paying
– Companies who are developing online payment
technology
– Products, software, and services that these companies
produce
Introduction (cont.)
• Secure e-transactions crucial to e-commerce
– Internet and wireless monetary transactions
• Credit-card transactions
• Digital cash
• Electronic wallets
• Smart cards
• Micropayments
– Payment transaction organizations and standards
Online Transaction Standards
• Standards: guidelines for technologies, formats or
processes
– Approved by standards committee
– Or widely adopted by an industry without formal
process
• Online transaction standards
– Security protocols to ensure safe transactions
• SSL (today TLS), which uses public-key cryptography to authenticate the server and set up an encrypted session
– Open Financial Exchange organization
• Internet standard for exchanging financial information
Credit-Card Transactions
• Customers fear credit-card fraud
– Credit cards have been developed to accommodate
online and offline payments
• The Prodigy Internet Mastercard guarantees online fraud
protection
• To accept credit-card payments, a merchant must
have a merchant account with a bank
– Specialized Internet merchant accounts have been
established to handle online credit-card transactions
• Transactions are processed by banks or third-party services
• Traditional merchant accounts accept only POS
(point-of-sale) transactions
– Those that occur when you present your credit card at a
store
Credit-Card Transactions (cont.)
• Companies enable merchants to accept credit-card
payments online.
– These companies have established business
relationships with financial institutions that will accept
online credit-card payments for merchant clients.
– CyberCash and iCat
Anatomy of an Online Credit-Card Transaction
• Merchant account with bank
– Traditionally only accept point-of-sale transactions: presence of
credit-card at store
– Internet merchant accounts accept card-not-present transactions:
information exchange without card presence
• An online credit-card transaction
– Buyer submits credit-card, shipping and billing information
– Merchant submits information to acquiring bank (merchant’s
bank)
– Buyer’s account verified by issuing bank (buyer’s bank)
– Merchant receives verification
– Product shipped and payment issued
Anatomy of an Online Credit-Card Transaction (cont.)
[Figure: Basic steps in an online credit-card transaction (steps 1–5 as listed above). Parties shown: Cardholder, Merchant (e-store), Acquiring Bank, Credit Card Association, Issuing Bank. Recovered labels: "1 Makes purchase at online store; credit card information is received by the e-store", "2 Credit card information", "4 Information verified".]
[Figure: Credit Card Procedure. Parties: Cardholder, Merchant, Card Brand Company, Issuer Bank (Cardholder Account), Acquirer Bank (Merchant Account). Flows labelled: payment authorization, payment data, account debit data, amount transfer.]
Digital Currency (eCash)
• Digital cash
– Stored electronically, used to make online electronic
payments
– Digital cash accounts are similar to traditional bank accounts
– Digital cash used with other payment technologies (digital
wallets)
– Alleviates some of the security fears surrounding online credit-card transactions
– Digital cash allows those with no credit cards to shop online
– Merchants accepting digital-cash payments avoid credit-card
transaction fees
– eCash Technologies, Inc. is a secure digital-cash provider that
allows you to withdraw funds from your traditional bank
account
Digital Currency (cont.)
• Gift cash, often sold as points, can be redeemed at
leading shopping sites
– An effective way of giving those without credit cards the
ability to make purchases on the Web
• Points-based rewards
– Points are acquired for completing specified tasks
including visiting Web sites, registering or buying
products
– Points can then be redeemed
eCash Idea
• Electronic cash is token money in the form of bits; unlike physical
tokens, bits can be copied, so the bank must detect double spending
• Bank issues character strings containing:
– denomination
– serial number
– bank ID, plus the bank's digital signature over the above (in RSA terms,
"encryption" with the bank's private key)
• First person to return the string to the bank gets the money; a second
copy of the same serial number is refused
eCash Flow
• Withdrawal: Alice buys digital coins from a bank
– Alice's wallet software sends unsigned, blinded coins to the bank
– The bank signs the coins and sends them back; Alice unblinds them
• Spending:
– Alice pays Bob
– Bob verifies that the coins have not been spent
– Bob deposits the coins
• Personal transfer:
– Alice transfers coins to Cindy
– Cindy verifies that the coins have not been spent
– Cindy gets coins back
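The withdrawal, spending and deposit steps above, worked through as an added Go example. This is not code from the slides or from the eCash product; it assumes Chaum-style RSA blind signatures over a SHA-256 digest of the coin, textbook RSA with no padding (a toy choice made for clarity), a 2048-bit bank key generated on the spot, and a hypothetical in-memory table of redeemed serial numbers standing in for the bank's double-spend database. The coin fields (BankID, Denomination, Serial) follow the "character string" of the eCash Idea slide.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Coin is the slide's "character string": bank ID, denomination, serial number.
type Coin struct {
	BankID       string
	Denomination uint32
	Serial       [16]byte
}

func NewCoin(bankID string, denom uint32) Coin {
	c := Coin{BankID: bankID, Denomination: denom}
	if _, err := rand.Read(c.Serial[:]); err != nil { // random serial, unseen by the bank until deposit
		panic(err)
	}
	return c
}

// coinDigest is the integer actually signed: SHA-256 of a delimited encoding, always
// < n for a 2048-bit modulus. Textbook RSA with no padding: a toy, not deployable.
func coinDigest(c Coin) *big.Int {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%x", c.BankID, c.Denomination, c.Serial)))
	return new(big.Int).SetBytes(h[:])
}

// Bank holds the signing key and a hypothetical in-memory double-spend table.
type Bank struct {
	key   *rsa.PrivateKey
	spent map[[16]byte]bool // serial numbers already redeemed
}

func NewBank(bits int) (*Bank, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Bank{key: key, spent: map[[16]byte]bool{}}, nil
}

func (b *Bank) Public() *rsa.PublicKey { return &b.key.PublicKey }

// Blind: Alice's wallet computes H(coin) * r^e mod n, r random and coprime to n.
// The result is the "unsigned blinded coin"; it reveals nothing about H(coin).
func Blind(pub *rsa.PublicKey, c Coin) (blinded, r *big.Int, err error) {
	for {
		if r, err = rand.Int(rand.Reader, pub.N); err != nil {
			return nil, nil, err
		}
		if new(big.Int).GCD(nil, nil, r, pub.N).Cmp(big.NewInt(1)) == 0 {
			break
		}
	}
	rE := new(big.Int).Exp(r, big.NewInt(int64(pub.E)), pub.N)
	blinded = new(big.Int).Mul(coinDigest(c), rE)
	return blinded.Mod(blinded, pub.N), r, nil
}

// SignBlinded: the bank signs the opaque value (debiting Alice's account is omitted).
func (b *Bank) SignBlinded(blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, b.key.D, b.key.N)
}

// Unblind: (H * r^e)^d * r^-1 = H^d mod n, an ordinary RSA signature on the coin.
func Unblind(pub *rsa.PublicKey, blindSig, r *big.Int) *big.Int {
	s := new(big.Int).Mul(blindSig, new(big.Int).ModInverse(r, pub.N))
	return s.Mod(s, pub.N)
}

// VerifyCoin: Bob or Cindy check s^e == H(coin) mod n offline. It proves the bank
// issued the coin, not that the coin is still unspent.
func VerifyCoin(pub *rsa.PublicKey, c Coin, sig *big.Int) bool {
	return new(big.Int).Exp(sig, big.NewInt(int64(pub.E)), pub.N).Cmp(coinDigest(c)) == 0
}

// Deposit is "first person to return the string gets the money": the signature
// must verify and the serial must not have been redeemed before.
func (b *Bank) Deposit(c Coin, sig *big.Int) error {
	if !VerifyCoin(b.Public(), c, sig) {
		return fmt.Errorf("coin %x: invalid bank signature", c.Serial)
	}
	if b.spent[c.Serial] {
		return fmt.Errorf("coin %x: double spend, serial already redeemed", c.Serial)
	}
	b.spent[c.Serial] = true
	return nil
}

func main() {
	bank, _ := NewBank(2048) // error handling elided only in this demo main
	coin := NewCoin("demo-bank", 10)
	blinded, r, _ := Blind(bank.Public(), coin)
	sig := Unblind(bank.Public(), bank.SignBlinded(blinded), r)
	fmt.Println("Bob verifies coin:", VerifyCoin(bank.Public(), coin, sig))
	fmt.Println("Bob deposits:", bank.Deposit(coin, sig))
	fmt.Println("Bob deposits again:", bank.Deposit(coin, sig))
}
```

The point the slide makes about copying is visible in the last two calls: the bits of a spent coin are still a valid signature, so Bob's offline check passes forever, and only the bank's serial-number table turns the second deposit away. Because the bank signed a blinded value, it cannot link the coin Bob deposits to Alice's withdrawal, which is what makes the scheme cash-like rather than account-like.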
E-Wallets
• Electronic wallets:
– Keep track of billing and shipping information
– Hold e-checks, e-cash and credit-card information for
multiple cards
– Visa, MBNA and Entrypoint.com offer e-wallets
• Standardization
– Some vendors accept only specific e-wallets
– 1999, Electronic Commerce Modeling Language (ECML)
• Standardized payment presentation
• Many vendors adopted it
Smart Cards
• Smart-card processors hold more information than
credit-card magnetic stripes
– Store credit-card numbers, contact information, etc.
– Contact smart cards
• Placed in smart-card reader for information transfer
– Contactless smart cards
• Antenna enables information transfer
• Faster than contact smart card
• Security
– Password protection
– Security designations assigned to information
– Encryption
Smart Cards (cont.)
• Visa Cash smart card
– Disposable and reloadable cards
– Internet purchases, expressway tolls and parking fees
• Smart Card Industry Association (SCIA)
www.scia.org
Smart Card Example -- Mondex
• Smart-card-based, stored-value card (SVC)
• Subsidiary of MasterCard
• NatWest (National Westminster Bank, UK) et al.
• Secret chip-to-chip transfer protocol
• Value is not in strings alone; it must reside on a Mondex card
• Loaded through an ATM
– The ATM does not know the transfer protocol; it connects to a secure device
at the bank
• Spending at merchants having a Mondex value transfer
terminal
Other Examples
• Octopus
– MTR, KCR, KMB, First Bus, Ferry, Minibus
– PolyU Canteen
– 7-11
– Soft-drink vending machines
• HK Identity Card (in near future)
– Library Card
– Driving Licence
– Other Personal Information, e.g., Health Record
Micropayments
• Merchants pay fee for each credit-card transaction
• Micropayments
– Payments that generally do not exceed $10; they allow
companies offering nominally priced products to profit despite per-transaction fees
• To offer micropayments, some companies form
strategic partnerships with utility companies
– eCharge enables companies to offer this option to
customers
• eCharge uses ANI (Automatic Number Identification) to verify
the customer's identity and the purchases they make; note that ANI identifies
the calling telephone line, not the person using it
Alternative Payment Options
• Outside US, many opt for prepaid cards instead of
cash or credit cards
– Wireless-payment cards enable transactions with POS
devices
– Convenience and grocery stores can add monetary
value to some pre-paid accounts
– Examples include CashX (www.cashx.com) and
Vodago
Alternative Payment Options (cont.)
• Non-electronic payment methods
– Cash-on-delivery (COD): payment upon item’s delivery
– Debit cards: deduct directly from checking account
– Automatic Teller Machine (ATM): withdraw cash
• Online payments without credit cards
– AmeriNet (www.debit-it.com): allows checking account
number as form of payment
– Online currency: Cybergold (www.cybergold.com) and
RocketCash (www.RocketCash.com)
Secure Electronic Transactions (SET)
• SET is an open technical standard for the commerce
industry developed by Visa and MasterCard as a way
to facilitate secure payment card transactions over the
Internet.
• Digital certificates create a trust chain throughout the
transaction, verifying both cardholder and merchant; an
SSL-protected checkout page alone does not do this, since
SSL normally authenticates only the server.
• Introduced jointly by Visa, MasterCard, IBM,
Microsoft, Netscape, RSA, SAIC, Terisa and VeriSign
in 1997.
Secure Electronic Transactions (cont.)
• Merchant doesn’t see card no.
• Uses Internet to reach acquirer
• High credit card transaction cost
[Figure: SET payment flow. Consumer, Credit Card Acquirer and Credit Card Issuer are connected by a secure "tunnel" through the Internet; the Issuer bills the Consumer.]
Secure Electronic Transactions (cont.)
• Requires both consumer and merchant to have digital
certificates
• Merchant never sees any payment information -- it is passed to
the acquirer
• Bank never sees any order information, only payment
information
SET Overview
• Customer gets a credit card from an issuing bank
• Customer obtains a digital certificate (online)
• Merchant gets certificate from acquiring bank with
merchant's public key and the bank's public key
• Customer places an order over the Web (now we need a
payment protocol). SET is invoked
• Customer's browser confirms from the merchant's certificate
that the merchant is valid
• Browser sends:
– order information encrypted with the merchant's public key
– payment information encrypted with the bank's public key
– information to prevent the payment from being used with another
order.
SET Overview (cont.)
• Merchant verifies customer’s certificate
• Merchant sends a payment message to acquiring bank,
encrypted with bank’s public key, containing:
– customer's payment information (which merchant can’t read)
– merchant's certificate
• Bank verifies the merchant's certificate and the merchant's digital
signature on the message, then verifies the payment information
• Bank sends an authorization to the merchant (carrying the bank's
digital signature). The merchant can now fill the order.
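The dual signature that the SET slides above describe (the merchant cannot read the payment information, the bank cannot read the order, and the payment cannot be attached to a different order), worked through as an added Go example. This is not code from the slides or from the SET specification; it assumes RSA-2048 keys generated on the spot in place of the certificates the slides mention, RSASSA-PKCS1-v1_5 for the cardholder's signature, RSA-OAEP for sealing the payment information to the acquiring bank, and JSON-style sample messages constructed for the demo (4111111111111111 is a well-known test card number, not a real account).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualSignature is the cardholder's single signature tying the order information
// (OI, read by the merchant) to the payment instructions (PI, read by the bank).
// Each party receives the other message only as a digest.
type DualSignature struct {
	OIMD []byte // SHA-256(OI): forwarded to the bank together with PI
	PIMD []byte // SHA-256(PI): sent to the merchant together with OI
	Sig  []byte // RSASSA-PKCS1-v1_5 over SHA-256(OIMD || PIMD)
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// pomd is the payment-order message digest the signature covers.
func pomd(oimd, pimd []byte) []byte {
	return digest(append(append([]byte{}, oimd...), pimd...))
}

// NewKey stands in for certificate issuance; keys here are not certified by
// anyone (a simplification for a self-contained demo).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// DualSign runs in the cardholder's wallet software.
func DualSign(card *rsa.PrivateKey, oi, pi []byte) (*DualSignature, error) {
	ds := &DualSignature{OIMD: digest(oi), PIMD: digest(pi)}
	sig, err := rsa.SignPKCS1v15(rand.Reader, card, crypto.SHA256, pomd(ds.OIMD, ds.PIMD))
	if err != nil {
		return nil, err
	}
	ds.Sig = sig
	return ds, nil
}

// SealForBank encrypts PI under the acquiring bank's public key, so the merchant
// can forward it but not read it. (SET used a DES digital envelope with an
// RSA-wrapped key; direct RSA-OAEP is a simplification here.)
func SealForBank(bank *rsa.PublicKey, pi []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bank, pi, []byte("SET-PI"))
}

// BankOpen recovers PI at the acquiring bank.
func BankOpen(bank *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, bank, sealed, []byte("SET-PI"))
}

// MerchantVerify: the merchant holds OI in clear plus PIMD; it confirms the
// cardholder signed this order bound to some payment it cannot read.
func MerchantVerify(card *rsa.PublicKey, oi, pimd, sig []byte) bool {
	return rsa.VerifyPKCS1v15(card, crypto.SHA256, pomd(digest(oi), pimd), sig) == nil
}

// BankVerify: the bank holds PI in clear plus OIMD; it confirms the payment was
// authorised for exactly this order without ever seeing the order itself.
func BankVerify(card *rsa.PublicKey, oimd, pi, sig []byte) bool {
	return rsa.VerifyPKCS1v15(card, crypto.SHA256, pomd(oimd, digest(pi)), sig) == nil
}

func main() {
	card, _ := NewKey() // error handling elided only in this demo main
	bank, _ := NewKey()
	// Constructed sample messages; 4111111111111111 is a well-known test card number.
	oi := []byte(`{"merchant":"e-store","item":"textbook","amount":"45.00"}`)
	pi := []byte(`{"pan":"4111111111111111","exp":"12/27","amount":"45.00"}`)

	ds, _ := DualSign(card, oi, pi)
	sealed, _ := SealForBank(&bank.PublicKey, pi)

	// Merchant receives OI, PIMD, the sealed PI and the signature.
	fmt.Println("merchant accepts order:", MerchantVerify(&card.PublicKey, oi, ds.PIMD, ds.Sig))

	// Merchant forwards sealed PI, OIMD and the signature to the acquirer.
	piAtBank, _ := BankOpen(bank, sealed)
	fmt.Println("bank accepts payment:", BankVerify(&card.PublicKey, ds.OIMD, piAtBank, ds.Sig))

	// A merchant cannot attach this payment to a different order.
	otherOIMD := digest([]byte(`{"item":"laptop","amount":"1500.00"}`))
	fmt.Println("payment moved to another order:", BankVerify(&card.PublicKey, otherOIMD, piAtBank, ds.Sig))
}
```

The separation the slides promise comes from the two hashes: the merchant can check the signature knowing only PIMD, the bank knowing only OIMD, yet both are checking the same signature over the same pair, so neither the merchant nor the bank can substitute a different order or a different payment after the cardholder has signed.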
SET Message Flow
SET messages come in pairs:
Request
followed by
Response
Appropriate cryptography
is applied to message
wrappers
Customer asks Merchant
for digital certificates
Customer makes
purchase request
Merchant asks Acquirer
for authorization
[Merchant asks Acquirer
to reverse authorization]
Customer asks Merchant
for transaction status
Merchant asks Acquirer
to capture payment
Online Banking
• Internet-only banks
– Offer convenience and lower rates to their customers
– Establishing a physical presence
• The hybrid bank model
– Going online has become important for the survival and
growth of small local banks
– Smaller banks will usually partner with third-party
service providers to make the transition to the Internet
Example: Hang Seng e-Banking
• Try main.hangseng.com
– Account Information
– Transfer
– Foreign Currency
– Remittance
– Pay Bill
– Time Deposit
– Stock Purchase
Main References
• e-Business & e-Commerce: How to Program, 1/e, by H.M.
Deitel, P.J. Deitel and T.R. Nieto, Prentice Hall, 2000
• Cryptography and Network Security, 2/e, by William
Stallings, Prentice Hall, 2000
• Electronic Commerce: A Managerial Perspective, 1/e, by
Efraim Turban, Jae Lee, David King and H. Michael Chung,
Prentice Hall, 2000