Payment Methods Prepared By William Cheung COMP3610 (Fall 2001) CS, HKBU.


Payment Methods Overview
[Diagram labels: Good Exchange; Private VAN; Internet; Cash; Check; Credit / Debit Cards; Electronic/Digital Cash; Credit Accounts; Direct Debit]

- Cash
- Cheque
- Direct debit (~ Autopay)
- Credit card
- Debit card (~EPS)
- Credit accounts
Depends on transaction types - C2C, B2C or B2B

Terminology
- Invoicing (Seller to Buyer)
  – electronic invoice, e.g., , on-line view of an account
- Clearance (Buyer to Bank)
  – transmission of payment order
- Settlement (Bank)
  – recording debit (Buyer) and credit (Seller) positions for involved parties.
- Collections (Bank)
  – At a particular time, buyer account is debited and seller one is credited.

Credit Card Payment
[Diagram labels: Customer; Merchant; Issuing Bank; Acquiring Bank; Payment Service Provider (e.g. Visa); private network (e.g., PSTN, X.25); private network; private network (e.g. VisaNet)]
Set-up:
- Open an account - Issue a credit card
- Open an account - Provide POS devices
Steps:
0. Purchase using credit card
1. Authorization
2. Clearing-A: Submit transactions
3. Mark down Credit M
4. Clearing-B
5. Settlement Fund Transfer
6. Billing
7. Payment

Credit Card Payment
[Diagram labels: POS in physical store; private network (e.g., PSTN, X.25); BANK]
Cardholder Present transactions
Cardholder Not Present transactions
- mail order
- phone order
- on-line order
What is the difference? What should be the next step? Should they all follow the same step?

Credit Card Payment
[Diagram labels: POS in physical store; private network (e.g., PSTN, X.25); BANK; Manual Input; Automated Gateway]
Cardholder Present transactions
Cardholder Not Present transactions
- mail order
- phone order
- on-line order
What are the issues?
1. Protocols
2. Security (Encryption) (Authentication)

SET for Payment via Internet
- Developed jointly by Visa and MasterCard.
- Strong encryption and authentication of all the parties in a credit card transaction:
  – the buyer (cardholder)
  – the merchant
  – the acquiring bank
  … with the help of a certificate authority

SET for Payment via Internet
- Emerging standard for handling credit card transactions on the Internet.
  – Confidentiality of payment information (How?)
  – Integrity of transmitted data (How?)
  – Cardholder authentication (How?)
  – Merchant authentication (How?)
  – Authorization and settlement of credit card transactions (How does it compare to the conventional system? What are the differences?)

SET Software Components
[Diagram labels: Customer; Merchant; Issuing Bank; Acquiring Bank; Payment Service Provider (e.g. Visa); E-Wallet; Merchant Server; Payment Gateway; Certificate Authority; Internet; private network]
- Open an account - Install wallet program
- Open an account - Set up Merchant Server


SET for Payment via Internet
Buyer/Cardholder
  – Open an account in the issuing bank, which supports SET.
  – Obtain a digital certificate from a recognized CA, which can be used in the SET transactions.

SET for Payment via Internet
Merchant
  – Open an account in the acquiring bank, which supports SET.
  – Install a merchant server for handling the SET transaction from cardholder to the payment gateway.
  – Obtain a digital certificate from a CA which supports SET - with the trademark (SET™).

SET for Payment via Internet
Payment Gateway (Bank)
  – Install a payment gateway server for handling the SET transaction, connecting the Internet with the private financial network. (That’s why it is called a gateway.)
  – Obtain a digital certificate from a CA which supports SET - with the trademark (SET™).

SET for Payment via Internet
Certificate Authorities
  – A third-party organization that is independent of the entities involved in the SET transaction.
  – Issues certificates to the buyers, merchants and payment gateways involved in SET transactions.

SET Transaction
[Diagram labels: E-Wallet in cardholder computer; Merchant Server; Payment Gateway; Mer-cert; Car-cert; Gat-cert]
E-Wallet:
- Send “Pay by SET”
Merchant Server:
- Assign Transaction ID
- Generate Response (ID)
- Sign Response (Mer-pri)
- Send signed Response
- Send Mer-cert + Gat-cert
E-Wallet:
- Verify Mer-signature
- Verify Mer-cert
- Create Order info. (OI)
- Create Payment info. (PI)
- Create Dual Signature of OI + PI
- Generate session key (K)
- Encrypt PI using K
- Encrypt cardholder’s account info (AI) and K by Gat_pub in Gat-cert
- Send OI + E_K(PI) + E_Gat_pub(AI + K) + ...

SET Transaction
[Diagram labels: E-Wallet in cardholder computer; Merchant Server; Payment Gateway; Mer-cert; Car-cert; Gat-cert]
E-Wallet:
- …
- Send OI + E_K(PI) + E_Gat_pub(AI + K) + Dual Signature + Digest of PI + Car-cert
Merchant Server:
- Verify Car-cert
- Verify the dual signature (how?)
- Forward E_K(PI) + E_Gat_pub(AI + K) + Dual Signature + Digest of OI
Payment Gateway:
- Obtain AI + PI (How?)
- Verify the dual signature
- Authorize AI + PI (How?)
- Send authorization result
Merchant Server:
- Process OI
- Create Purchase Response
- Sign & send the response
E-Wallet:
- Verify Mer-cert
- Verify Mer-signature

Dual Signature
DUAL SIGNATURE CREATION (cardholder side)
Step 1: Pass OI and PI to a hash function separately to generate two digests.
Step 2: Concatenate the two digests.
Step 3: Pass them to the hash function again to generate a dual digest.
Step 4: Encrypt the dual digest by the cardholder private key to generate the DUAL SIGNATURE.
Step 5: Send the DUAL SIGNATURE as well as the digest of PI to the merchant.

Dual Signature
DUAL SIGNATURE VERIFICATION BY MERCHANT (The merchant has OI in plain text)
Step 1: Decrypt the DUAL SIGNATURE by cardholder public key to obtain the received dual digest (digest-1).
Step 2: Pass the received OI to the hash function to generate the digest of OI.
Step 3: Concatenate the digest of OI with the received digest of PI and pass it to the hash function to regenerate the dual digest (digest-2).
Step 4: Compare to see whether digest-1 and digest-2 are the same.
Step 5: Send the Payment Gateway the dual signature and the digest of OI.

Dual Signature
DUAL SIGNATURE VERIFICATION BY PAYMENT GATEWAY
Step 1: Decrypt the DUAL SIGNATURE by cardholder public key to obtain the received dual digest (digest-3 = digest-1).
Step 2: After some steps to get back the PI (see your notes), generate the digest of PI.
Step 3: Concatenate the digest of PI with the received digest of OI and pass it to the hash function to regenerate the dual digest (digest-4).
Step 4: Compare to see whether digest-3 and digest-4 are the same.
Step 5: Start the authorization process and send back the result to the merchant.

Dual Signature
INTERPRETATION
With this design, both the merchant and the bank can guarantee the integrity of the OI AND PI, while OI is revealed only to the merchant and PI is revealed only to the bank.
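
The creation and the two verification procedures above can be run end to end. The following is an added example, not part of the original slides: it assumes SHA-256 as the hash function, a fixed concatenation order (OI digest first), and a toy textbook-RSA key constructed here that is far too small for real use.

```python
import hashlib

# Toy RSA key pair for the cardholder, constructed for this example.
# Two Mersenne primes keep it short; the key is far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # cardholder private exponent

def digest(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slides' unnamed hash function.
    return hashlib.sha256(data).digest()

def dual_digest(oi_digest: bytes, pi_digest: bytes) -> int:
    # Creation steps 2-3: concatenate as OI digest || PI digest, hash again.
    # Every party must use the same order. Reduced mod N for the toy key.
    return int.from_bytes(digest(oi_digest + pi_digest), "big") % N

def cardholder_sign(oi: bytes, pi: bytes) -> int:
    # Creation step 4: apply the private key to the dual digest (textbook RSA).
    return pow(dual_digest(digest(oi), digest(pi)), D, N)

def merchant_verify(oi: bytes, pi_digest: bytes, dual_sig: int) -> bool:
    # The merchant holds OI in plain text but only the digest of PI.
    return pow(dual_sig, E, N) == dual_digest(digest(oi), pi_digest)

def gateway_verify(pi: bytes, oi_digest: bytes, dual_sig: int) -> bool:
    # The gateway holds PI (after decryption) but only the digest of OI.
    return pow(dual_sig, E, N) == dual_digest(oi_digest, digest(pi))

def demo() -> dict:
    # Constructed sample messages; the card number is a placeholder.
    oi = b"order=1001;item=textbook;total=25.00"
    pi = b"card=0000-0000-0000-0000;amount=25.00"
    other_oi = b"order=1001;item=textbook;total=1.00"
    sig = cardholder_sign(oi, pi)
    return {
        "merchant_ok": merchant_verify(oi, digest(pi), sig),
        "gateway_ok": gateway_verify(pi, digest(oi), sig),
        # Pairing the payment with a different order fails at both ends.
        "other_oi_at_merchant": merchant_verify(other_oi, digest(pi), sig),
        "other_oi_at_gateway": gateway_verify(pi, digest(other_oi), sig),
        "altered_pi_at_gateway": gateway_verify(pi + b"0", digest(oi), sig),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The merchant never handles PI and the gateway never handles OI, yet each check binds the half it sees to the digest of the half it does not.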

Micropayment Instruments
Mainly two categories:
  – For shopping in physical stores (smart-card based products). Why is it useful?
  – For on-line shopping (digital representation of monetary values). Why is it useful?

Smart Cards
- Examples: Mondex, Visa Cash
- Contact vs Contactless
- Disposable vs Reloadable
- Single-purpose vs General-purpose
  – electronic cash
  – digital certificate
  – electronic authentication

Smart Card
- About the size of a plastic credit card
- Composed of
  – a computing unit
  – memory units (ROM and RAM)
  – interface to the outside world
  – components for cryptographic operations
  – some are programmable
- Readers are required

On-line Micropayment
- Small-valued transactions - a few cents or less
- Why do we care?
  – Revenue source for intangible goods
- What should be the most distinct characteristic of micropayment systems compared with credit card payment?
- How does the on-line publisher get revenue nowadays and what does the micropayment alternative imply?

Micropayment Systems
- centralized notational (e.g., NetBill) - centralized fund transfer
- distributed notational (e.g., Mondex) - distributed fund transfer
- centralized token (e.g., DigiCash) - centralized token transfer
- distributed token (e.g., PayWord, MiniPay) - distributed token

NetBill
- Developed by Carnegie Mellon University.
- Provides payment as well as digital good delivery.
- All the transactions are atomic.
- Customer: install MoneyTool (prefunded using a credit card)
- Merchant: install Product Server

[Diagram labels: NetBill Server; Customer; Merchant]

How NetBill works?
- Merchant sends encrypted goods to you.
- Money Tool on your machine verifies that the goods were received intact and sends verification of this to the merchant's server.
- Merchant sends your verification message, your account information, & the decryption key to the NetBill server.
- The NetBill server verifies that there is money in your account to pay for the goods. If there is, it transfers the funds, stores the decryption key, and sends a report back to the merchant's server.
- Merchant sends the decryption key to your Money Tool, which uses it to decrypt the goods.


eCash (formerly called Digicash)
  – Developed by David Chaum for on-line shopping.
  – Both customer and merchant need accounts in some bank issuing eCash as well as specialized software (eCash Purse and eCash Merchant Purse).
  – Bank requires a server which can issue eCash.
  – Two technologies are adopted for producing eCash:
    - Blind Signature: for anonymity
    - Double Spending Detection

[Diagram: blind signature exchange between Alice and the bank]
- Multiply a random number to note number and request it
- An eCash request signed by Alice
- Verify and remove Alice’s signature, debit Alice’s account
- Send a digital note signed by bank
- Divide the random number from note number
- Achieve Anonymity !!
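
The multiply, sign, divide sequence in the diagram above corresponds to RSA blinding, where the factor multiplied in is the random number raised to the bank's public exponent so that it cancels after signing. The sketch below is an added example, not part of the original slides; the toy key, the `note_number` encoding and the sample serial are constructed here, and Alice's signed request and the account debit are left out.

```python
import hashlib
from math import gcd

# Toy RSA key pair for the bank, constructed for this example.
# Far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank private exponent

def note_number(serial: bytes) -> int:
    # Hypothetical encoding: hash the note's serial into a number below N.
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(note: int, r: int) -> int:
    # Alice multiplies the note number by r^E before sending the request.
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    return (note * pow(r, E, N)) % N

def bank_sign(blinded: int) -> int:
    # The bank signs what it receives; it never sees the note number itself.
    return pow(blinded, D, N)

def unblind(signed_blinded: int, r: int) -> int:
    # Alice divides r out, leaving the bank's signature on the note number.
    return (signed_blinded * pow(r, -1, N)) % N

def verify(note: int, signature: int) -> bool:
    # Anyone holding the bank's public key (N, E) can check the note.
    return pow(signature, E, N) == note

def demo() -> dict:
    note = note_number(b"constructed-serial-0001")  # constructed sample
    r = 123456789                                   # fixed here; random in practice
    blinded = blind(note, r)
    signature = unblind(bank_sign(blinded), r)
    return {
        "bank_saw_note_number": blinded == note,
        "signature_valid": verify(note, signature),
        "same_as_direct_signature": signature == pow(note, D, N),
    }

if __name__ == "__main__":
    print(demo())
```

Because the unblinded signature equals what the bank would have produced on the note number directly, the bank cannot link the note it later receives from a merchant to the withdrawal that created it.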

PayWord
- It is credit-based (What does it mean?).
- Adopted in Micropayment Transfer Protocol (MPTP) - a working draft released by W3C.
- The user needs to establish an account with a broker, who will issue the user a specific certificate with both broker and user information.
Step 1: The user generates n “tokens” by randomly picking a number $w_n$ and using a hash function $h()$ to generate $\{w_0, w_1, \ldots, w_n\}$ s.t. $w_{i-1} = h(w_i)$.
Step 2: The user sends the merchant the certificate and $\{w_0\}$ as “commitment”.
Step 3: The user will use $(w_1, 1), (w_2, 2), \ldots$ as tokens for subsequent payments, one at a time.
Step 4: The merchant first verifies the certificate (signature verification); each $(w_i, i)$ can then be verified by the previous token $w_{i-1}$ (hash function).
Step 5: At the end of the day, the broker receives the “commitment” as well as the largest index token from the merchant for settlement.

PayWord
[Diagram: one-way function from w(i) to w(i-1); chain w(n), w(n-1), ..., w(2), w(1), w(0); 1st token, 2nd token, 3rd token, ... passed from User to Merchant]
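
Steps 1 to 5 of PayWord can be exercised with a short hash chain. This is an added example, not part of the original slides: SHA-256 is assumed for h(), the broker certificate check is omitted, and the `Merchant` class and function names are hypothetical. It goes slightly beyond the slide by also accepting a token that skips indices, which the merchant checks by hashing more than once.

```python
import hashlib
import os

def h(x: bytes) -> bytes:
    # Assumption: SHA-256 plays the role of the one-way function h().
    return hashlib.sha256(x).digest()

def make_chain(n: int, seed: bytes = None) -> list:
    """Step 1: return [w_0, ..., w_n] with w_{i-1} = h(w_i)."""
    chain = [seed if seed is not None else os.urandom(32)]  # w_n
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain

class Merchant:
    def __init__(self, commitment: bytes):
        # Step 2: the commitment w_0 arrives with the user's certificate.
        self.commitment = commitment
        self.last_token, self.last_index = commitment, 0

    def accept(self, token: bytes, index: int) -> bool:
        # Steps 3-4: hash the token back to the last accepted one.
        if index <= self.last_index:
            return False  # replayed or already-spent token
        x = token
        for _ in range(index - self.last_index):
            x = h(x)
        if x != self.last_token:
            return False  # not on the committed chain
        self.last_token, self.last_index = token, index
        return True

    def settlement_claim(self) -> tuple:
        # Step 5: the commitment plus the largest-index token go to the broker.
        return self.commitment, self.last_token, self.last_index

def broker_verify(commitment: bytes, token: bytes, index: int) -> bool:
    # The broker recomputes the chain from the claimed token down to w_0.
    x = token
    for _ in range(index):
        x = h(x)
    return x == commitment

if __name__ == "__main__":
    chain = make_chain(5, seed=b"constructed seed for the example")
    shop = Merchant(chain[0])
    print(shop.accept(chain[1], 1), shop.accept(chain[1], 1))
    print(broker_verify(*shop.settlement_claim()))
```

The merchant stores only the latest token and its index, and the broker needs one token to settle every payment made that day.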

Micropayment by Aggregation: Pre-pay or Post-pay
- Pre-pay strategies (debit account)
  – charged in advance and then debit later
- Post-pay strategies (credit account)
  – aggregate the charges and bill the customer later
- Considerations
  – Risks involved
  – Aggregation at client side or server side (wallet or account)? Can be used for different shops?

How about the Financial Network
- SWIFT (international)
  – The Society for Worldwide Interbank Financial Telecommunication
  – a global (private) system for financial messages
  – nearly real-time gross settlement system
- Fedwire (US-based; domestic transaction)
  – Real-time gross settlement system
- CHIPS (US-based; foreign transaction)
  – Clearing House Interbank Payments System
  – not real-time; settlement occurs at the end of the day.
Mission Critical IS
