1. Online Payment: Issues and Solutions
APEC OVOP Training Workshop on E-Commerce
Chinese Taipei
20-24 August 2007
Assoc Prof Margaret Tan
Deputy Director, Singapore Internet Research Centre
Nanyang Technological University, Singapore
© 2007 The Millennium eTrust Pte Ltd
2. What is Electronic Payment?
A system that permits online payment between parties using an electronic surrogate of a financial tender
The electronic surrogate is backed by financial institutions and/or trusted intermediaries
The intent is to act as an alternative form of payment to physical cash, cheques or other financial tender
3. Current Status
ePayment opportunities are growing, albeit slowly
New players are entering the ePayment marketplace
Variety of ePayment mechanisms and devices, creating a state of chaos
Infrastructure for ePayment is complex and expensive to deploy
Lack of critical mass in adoption and acceptance
Online payment is hard to implement globally
4. ePayment is still evolving ...
[Diagram: forces shaping new ePayment solutions - security infrastructure, business realities, authentication models, customer profiles and payment types]
5. ePayment Channels
Defined as ‘touch points’ where a payment transaction is originated or initiated
Can be executed through a variety of channels
◦ Internet based
◦ Kiosks
◦ Contactless or proximity sensors
◦ Mobile, eg mobile phones, PDAs
6. ePayment Instruments
Defined as the medium in which the value is recognised in a payment transaction
Card-based, such as
◦ Credit and charge cards: buy now, pay later
◦ Debit cards: buy now, pay now
◦ Cash cards, stored-value cards, e-cash: buy now, prepaid or pay before
7. Credit Cards
Most widely used
◦ banks are able to leverage existing card infrastructure
◦ appears to be the ‘de facto’ online payment method
Largely unencrypted
◦ ‘card-not-present’ transactions are processed without customer & merchant authentication
Charge-back risk for merchants
◦ a charge-back is when the customer demands a refund
◦ banks transfer the liabilities of charge-backs to the merchants
◦ merchants need to hold a bond to cover such charges
8. Debit Cards
Direct electronic transfer from the account - direct account debiting
Uses chip/smart eWallets
Digital signature to secure access
Connected to an eBanking solution
9. Digital Cash
A system of purchasing cash and storing the credits on the consumer’s computer
Computerised stored value is used as a form of cash to be spent in small increments
A third party is involved in the payment transactions
Examples: Beenz, Billpoint, PayPal
10. Cazh
A project by ABN-Amro
A debit system that creates a network between merchant and bank to allow customers to pay for goods by direct debit of the customers’ bank accounts
Once the customer has been authenticated by his/her bank, he/she can authorise the bank to pay the merchant for the goods purchased
Similar to Nets POS but in cyberspace
11. Cash Card
Payment solution on a proprietary protocol that allows payment over the Internet
A digital/virtual wallet with a prepaid credit-based/token-based payment system
Enables low-value electronic payments on the Internet
Limited distribution, proprietary solutions
Needs installation of a card reader and download of a free eWallet
12. eCheque
A formatted email message that consists of payee name, amount, payment date, payer’s account number, and payer’s bank
A digital certificate and signature are used to secure the cheque so that its contents cannot be tampered with without detection
A signed electronic cheque is exchanged between the parties’ financial institutions through an automated clearing house
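The signed eCheque described above, as an added example that is not part of the original slides: an Ed25519 key pair stands in for the key behind the payer's digital certificate, the struct field names and the canonical field order are assumptions, and the receiving bank re-derives the signed bytes from the fields it received so that any altered field fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// ECheque carries the fields the slide lists for a formatted cheque message.
// (Example code, not from the original deck; field names are assumptions.)
type ECheque struct {
	Payee        string
	Amount       string // kept as a string so the signed bytes are exact
	PaymentDate  string
	PayerAccount string
	PayerBank    string
}

// canonical serialises the cheque in a fixed field order so that payer and
// payee bank sign and verify exactly the same bytes. Values must not contain "\n".
func (c ECheque) canonical() []byte {
	return []byte(strings.Join([]string{
		"payee=" + c.Payee,
		"amount=" + c.Amount,
		"date=" + c.PaymentDate,
		"account=" + c.PayerAccount,
		"bank=" + c.PayerBank,
	}, "\n"))
}

// Sign produces the payer's detached signature over the canonical cheque.
func (c ECheque) Sign(priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, c.canonical())
}

// Verify is what the payee's bank runs: it recomputes the canonical bytes from
// the fields it received and checks them against the payer's public key.
func (c ECheque) Verify(pub ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(pub, c.canonical(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the payer's certificate key
	chq := ECheque{"ACME Supplies", "125.00", "2007-08-20", "ACCT-0001", "Example Bank"} // constructed sample
	sig := chq.Sign(priv)
	fmt.Println("genuine cheque verifies:", chq.Verify(pub, sig))
	tampered := chq
	tampered.Amount = "1250.00" // amount altered after signing
	fmt.Println("tampered cheque verifies:", tampered.Verify(pub, sig))
}
```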
13. Mobile Wallet
Relatively new space exploited by telcos and non-financial enterprises
Provides ePurse functionality to replace card-type payments
Aggregates micro-payments onto the mobile phone bill
Can use the mobile access device to authenticate the payer’s identity
SIM card is well placed to function in and control the payment process and authentication
14. Components of Online Payment System
[Diagram: online merchants, consumers, payment clearinghouses, payment enablers (payment gateways, merchant acquirers, shopping cart vendors, non-bank payment processors) and competing authentication services]
15. ePayment Risks
[Diagram: buyer - Internet - merchant - private network - payment gateway - Internet - bank network, with the following risks marked along the path]
• Use of stolen card
• Credit card number or password stolen from computer
• Unauthorised access
• Information modified in transit
• Payment info stolen from merchant
• Masquerading as legitimate merchant
• Key info stolen by merchant staff
• Information modified in transit
• Information stolen
16. Research on online shopping
Survey By | Question Asked | Results
Odyssey, 2000 | Factors that would convert non-buyers to buyers online? | 60% of non-buyers said “credit card security,” the highest factor cited.
Jupiter Research, May 2000 | Factors that would motivate new users to purchase online? | 58% of new Internet users said “better security,” the 3rd highest factor cited.
Pew Internet & American Life Project, June 2000 | Worries and concerns regarding online activities? | 68% of Internet users said “hackers getting credit card number,” the 2nd highest concern cited.
Greenfield Online, 2000 | Barriers to online purchasing? | 47% of Internet users said “credit card security,” the 3rd highest barrier cited.
PricewaterhouseCoopers, 2000 | Barriers to online purchasing? | 79% of Internet users said “credit card security,” the number one cited barrier.
Cyber Dialogue, 2000 | Important features of online shopping sites? | 85% of online shoppers said “secure transactions,” the highest cited feature.
Odyssey, 2000 | Features that will increase the likelihood to buy online? | 88% of online shoppers said “guaranteed credit card security,” the 2nd highest feature cited.
17. How can we secure ePayment?
The Trust Principle
◦ The parties to the transaction must trust each other
◦ Buyer must believe that the seller is legitimate and will deliver the goods
◦ Buyer must believe that the goods are as represented and are worth the price
◦ Seller must believe that the buyer is legitimate and will pay for the goods purchased
18. How can we secure ePayment?
The Security Principle
◦ Parties need a secure environment in which to conduct electronic transactions
◦ Seller needs to protect the details of the transactions
◦ Buyer needs to be certain that his/her information is securely handled and stored
◦ Buyer needs to be certain that information is not stolen such that it can be inappropriately used
19. ePayment Solutions
Must provide security: resistance to fraud and online attacks
Reliable: highly available and accessible at all times
Cost effective: cost per transaction should be low, even for micro-payments
Integrated and scalable: interoperable amongst different systems, payment methods and multiple servers distributed across the Internet
Convenient and easy to use: should support several devices
Anonymity: should protect the identities of parties to the transactions and should not monitor the sources of finance
20. Securing ePayments
Identification and authentication
◦ the ability to verify both transacting parties
Authorisation
◦ the ability to validate the rightful owner of the transaction
Integrity and confidentiality
◦ the ability to transmit the transaction securely
◦ the ability to store the transaction properly
Accountability
◦ the ability to provide an audit trail as evidence in a dispute
Policies for sharing risks and liabilities
◦ the mechanism to settle disputes/non-repudiation
21. Authentication Models
Something you have and something you know – ATM card model
Secret known to the back-end (server), synchronised with each transaction using a one-time random number – SecurID model
“Sign” each transaction – PKI model
Tie into a real person – Biometrics
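The second model above (a secret shared with the back-end, a fresh one-time value per transaction) as an added example that is not from the original slides: it implements the HMAC-based one-time password of RFC 4226 with a counter the server synchronises on each accepted transaction and a small look-ahead window, not RSA's proprietary SecurID algorithm; the secret, window size and type names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes the RFC 4226 one-time code for a shared secret and counter:
// HMAC-SHA1 over the big-endian counter, dynamically truncated to 6 digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Server holds the back-end copy of the secret and the counter it expects next,
// the state the slide's "synchronise with each transaction" refers to.
type Server struct {
	Secret  []byte
	Counter uint64 // next counter value expected from the user's token
	Window  uint64 // how far ahead the server searches to resynchronise
}

// Authorise accepts a code only if it matches one of the next Window counter
// values, then moves the counter past it so the same code cannot be replayed.
func (s *Server) Authorise(code string) bool {
	for i := uint64(0); i < s.Window; i++ {
		if hmac.Equal([]byte(hotp(s.Secret, s.Counter+i)), []byte(code)) {
			s.Counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector secret, constructed sample
	srv := &Server{Secret: secret, Window: 3}
	code := hotp(secret, 0) // the user's token keeps its own counter, here at 0
	fmt.Println("first use:", srv.Authorise(code))                     // true
	fmt.Println("replayed:", srv.Authorise(code))                      // false: counter already advanced
	fmt.Println("token skipped ahead:", srv.Authorise(hotp(secret, 3))) // true: within the window
}
```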
22. ePayment Transaction Cycle
[Diagram: parties are Buyer, Merchant, Issuing Bank, Acquiring Bank and Visa/Mastercard; the numbered flows are: buyer orders goods; merchant delivers goods; merchant sends transaction voucher to Acquiring Bank; Acquiring Bank sends transaction voucher to Visa/Mastercard; Visa/Mastercard sends transaction voucher to Issuing Bank; Issuing Bank bills buyer; buyer pays bank; Issuing Bank pays Visa/Mastercard; Visa/Mastercard reimburses Acquiring Bank; Acquiring Bank reimburses merchant]
23. Secure Sockets Layer (SSL)
A security protocol to protect sensitive data transmitted over the Internet
Uses encryption to protect the transmission of data
When an SSL session starts, the server sends a key to the browser, which returns a random key to the server
Ensures that data are not tampered with or stolen en route
24. Secure Electronic Transfer - SET
Protocol by Visa and MasterCard released in 1996
3-party system - cardholder, merchant and bank using SET-enabled systems
Uses a digital certificate to ensure the cardholder is who he/she claims to be
Credit card details are invisible to merchants, protected by encryption for the clearing bank
25. 3D SET (Server-based SET)
Overcomes the resistance to the original SET
Uses a server-based implementation of SET
Reduces the technology that must be deployed by merchant and customer
◦ Merchants use ‘thin’ modules
◦ Customers use ‘slim’ digital wallets
Not interoperable with SSL websites
26. How 3D SET works ...
[Diagram: Customer, Wallet Server (holding the cardholder certificates, on the Issuer side), Merchant (API or URL) and Payment Gateway (holding the merchant certificates, on the Acquirer side); the customer-to-wallet-server link runs over SSL/WTLS, the wallet-server-to-merchant and merchant-to-payment-gateway links run over SET]
1. Cardholder authentication
2. Wallet initiates purchase
3. Payment request
4. Payment authorisation
27. Features of 3D SET
Certificate is stored in a central server of the issuer and not on the cardholder’s computer
Cardholder has the flexibility to use certificates with other devices
Cardholder can only use certificates issued by the CA - a limitation
Theft of the certificate is still possible from the server-based SET - a problem
28. Visa 3D Secure
A model that provides authenticated payment capabilities to all parties within the transaction continuum or cycle
◦ Issuer - cardholders and their banks
◦ Acquirer - merchants and their banks
◦ Interoperability - communication between the issuing and acquiring organisations
The purpose is to isolate the responsibilities of the transacting parties
29. Visa 3D Secure - For Issuer
Cardholders’ banks are responsible for registration of cardholders, and for receipt and access control of the server
Communicates with 3D Secure merchant plug-ins via the Visa directory
The issuer back-end card system provides access to cardholder information
30. Visa 3D Secure - For Acquirer
Must install a 3D Secure Merchant Plug-in (MPI) on the website, integrated with the shopping cart system - payment gateway
Handles communications with the Visa directory and the customers’ credit card issuer
System only authenticates customers to the merchant, but not the converse
Merchants do not store customers’ details on their servers
31. Authentication - MPI
Software is installed and configured on the merchant’s machine
Merchant is responsible for looking up transaction records during the chargeback process and retrieving the “digital signatures” in order to shift liability to the cardholder
33. Authentication - Managed Service
No software required to be installed on the merchant’s machine
Service Provider is responsible for looking up transaction records on behalf of the merchant during the chargeback process & retrieving the “digital signatures” in order to shift liability to the cardholder
35. MasterCard Secure Payment Application (SPA)
SPA is an authenticated payment system that involves the participation of the cardholder, the cardholder’s issuer, and the merchant
Cardholder needs an authentication mechanism from the issuer, such as a browser plug-in or an electronic wallet on their computer
Merchants need a plug-in from the acquirer in the shopping cart to carry hidden fields of transaction-specific information which can be checked against the security token
36. Issues with Authentication
Verifying the identity and authenticity of the parties to the transaction
Verifying that the same person/entity is conducting the transaction
If the authentication scheme is broken, a user can impersonate another!
The level of authentication should correspond to the ‘value’ of the transaction
One authentication secret for all applications is dangerous - a single point of failure
37. To Summarise ...
‘De facto’ authentication standards for ‘card-not-present’ systems
Mandates for compliance and integration - “front-end” and “back-end”
Overcome the problems of authentication and integrity in online transactions
38. Thank You …
Editor's notes
Sources: Achex, February 2002; Visa International, 2002; Authentication - The missing element in online payment security, www.gpayments.com; i-TransACT, 2002