Selecting and securing payment systems
The final section in this module looks at the options businesses have for receiving payments for goods and services across the Internet. There are many risks in achieving secure payments online.
From a retailer or online banks perspective the main risks is Identify theft – that the ‘customer’ is impersonating someone else and will not pay for the goods ordered or will access someone elses bank account.
From a customers perspective the risks are:
1. Their credit card details may be stolen from merchant’s server.
2. The merchant are not who they claim.
To avoid these types of problems online businesses develop secure systems. Before we look at the the principles on which these secure systems are based, we need to review the standard terminology for the different parties involved in the transaction:
· Purchaser. These are the consumers buying the goods.
· Merchant. These are the retailers.
· Certification Authority (CA). This is a body that issues digital certificates that confirm the identity of purchasers and merchants.
· Bank. These are traditional banks.
· Electronic token issuer. A virtual bank that issues digital currency
The basic requirements for security systems from these different parties to the transaction are as follows:
1. Authentication – are parties to the transaction who they claim to be?
2. Privacy and confidentiality – is transaction data protected? The consumer may want to make an anonymous purchase. Are all non-essential traces of a transaction removed from the public network and all intermediary records eliminated? Can the transaction be intercepted?
3. Integrity – checks that the message sent is complete i.e. that it isn’t corrupted.
4. Non-repudiability – ensures sender cannot deny sending message.
5. Availability – how can threats to the continuity and performance of the system be eliminated?
Digital signatures
A method of identifying individuals or companies using public key encryption.
Digital signatures can be used to create secure systems by using what is known as public key encryption to achieve authentication: i.e. the merchant and purchaser can prove they are genuine. The purchaser’s digital signature is encrypted before sending a message using their private key and on receipt, the public key of the purchaser is used to decrypt the digital signature. This proves the customer is genuine. Digital signatures are not widely used currently due to the difficulty of setting up transactions, but will become more widespread as the public-key infrastructure (PKI) stabilises and use of certificate authorities increases.
Public key encryption
Using this technique a customer can place an order with a merchant by automatically looking up the public key of the merchant (available to everyone) and then using this key to encrypt the message containing their order. The scrambled message is then sent across the Internet and on receipt by the merchant is read using the merchant’s private-key. In this way only the merchant who has the only copy of the private-key can read the order. In the reverse case the merchant could confirm the customer’s identity by reading identity information such as a digital signature encrypted with the private key of the customer using their public key.
In order for digital signatures and public-key encryption to be effective for businesses and consumers it is necessary to be sure that the public key intended for decryption of a document actually belongs to the person you believe is sending you the document. The developing solution to this problem is the issuance by a trusted third party (TTP) of a message containing owner identification information and a copy of the public key of that person. The TTPs are usually referred to as Certificate Authorities (CAs) and various bodies such as banks and the Post Office are likely to fulfil this role.
What then is practical for e-commerce. The reality is that most consumer e-commerce transactions do not use digital signatures.
Secure Sockets Layer Protocol (SSL)
SSL is a security protocol, originally developed by Netscape, but now supported by all browsers such as Microsoft Internet Explorer. (It is gradually being superseded by an extension of the principles, known as Transport Layer Security (TLS)). SSL is used in the majority of B2C e-commerce transactions involving credit cards since it is easy for the customer to use without the need to download additional software or a certificate. The merchant is authenticated since it uses a public key certificate from a company such as Verisign. This means that the buyer can be sure the merchant is genuine. The merchant cannot, however be sure that the buyer is genuine.
When a customer enters a secure checkout area of an e-commerce site SSL is used and the customer is prompted that ‘you are about to view information over a secure connection’ and a key symbol is used to denote this security. When encryption is occurring they will see that the web address prefix in the browser changes from ‘http://’ to ‘https://’ and a padlock appears at the bottom of the browser window.
Secure Electronic Transactions (SET) is a significant security protocol based on digital certificates that has been developed by a consortium led by Mastercard and Visa and allows parties to a transaction to confirm each other’s identity. By employing digital certificates, SET allows a purchaser to confirm that the merchant is legitimate and conversely allows the merchant to verify that the credit card is being used by its owner. (This is the key difference from SSL). It also requires that each purchase request includes a digital signature, further identifying the cardholder to the retailer. The digital signature and the merchant’s digital certificate provide a certain level of trust.
Despite being launched in the late 1990s, SET is not widely used due to the difficulty of exchanging keys. For a customer to have their own key, they need to install a secure software wallet such as Microsoft Wallet on their PC that contains their private key. The transaction verification process is also slower than SSL and the merchant must use special SET software on their server.
Micropayments
Throughout the nineteen nineties there were many attempts to develop alternative payment systems to credit cards. These focused on those for micropayments or electronic coinage such as downloading an online newspaper, for which the overhead and fee of using a credit card was too high.
Many of these initiatives such as Digicash or eCash failed in their original form since they did not gain wide enough acceptance and credit cards became widely used for larger payments. There was simply no great requirement for micropayments. Despite this some alternative payment systems such as Paypal (www.paypal.com) have become popular. These enable small businesses or individuals who cannot afford the overhead of processing credit cards to accept payment online. It has also been widely used by eBay users.
Business to Business transactions
The Open Buying on the Internet organisation (OBI, www.openbuy.org) created by the Internet Purchasing Roundtable is intended to ensure that different e-commerce systems can talk to each other. It is backed by, among others, 3M, Ford, Mastercard, Visa and Microsoft. The OBI standard identifies specific steps in the existing purchasing process, and provides standard communications elements - - so buyers and sellers can perform the more complex transactions required for B2B e-commerce: Steps already addressed by OBI standards are:
1. Order request
2. Purchase order
3. Purchase order acknowledgment
4. Advance ship notification
5. Order status
6. [Invoice] - in development
7. [Payment transaction type] - in development
Electronic or Digital Funds Transfer
Electronic Funds Transfer (EFT) is a used to transfer money direct from one bank account to another without any need for traditional money. En example of an EFT approach is Direct Deposit (http://www.directdeposit.org), another in the UK is BACS (http://www.bacs.co.uk) in which payroll is deposited straight into an employee's bank account. However EFT refers to any transfer of funds initiated through an electronic terminal, including credit card.
Electronic Data Interchange and Internet EDI
Transactional e-commerce predates PCs and the World Wide Web by some margin. In the 1960s, Electronic Data Interchange (EDI) over secure private networks became established modes of intra and inter company transaction. The idea of standardised document exchange can be traced back to the 1948 Berlin Airlift, where a standard form was required for efficient management of items flown to Berlin from many locations.
The UK department of Trade and Industry defined EDI as:
‘Electronic data interchange (EDI) is the computer-to-computer exchange of structured data, sent in a form that allows for automatic processing with no manual intervention. This is usually carried out over specialist EDI networks’
According to a 1999 IDC report, revenues for EDI and Financial EDI services stood at $1.1 billion in 1999 and are forecast to reach over $2 billion by 2003. EDI is developing through new standards and integration with Internet technologies to achieve Internet EDI. The report predicts that Internet EDI's share of EDI revenues will climb from 12% to 41% over the same period. The volume of Internet EDI is increasing rapidly and revision of EDI standards to be compatible with XML (XML/EDI standards proposed by the XML EDI group (www.xmledi.com)) should guarantee its continued use. The use of XML by B2B exchanges such as CommerceOne and Microsoft Biznet is essentially an extension of EDI.
Internet EDI
Use of EDI data standards delivered across non proprietary IP networks
Financial EDI
Aspect of electronic payment mechanism involving transfer of funds from the bank of a buyer to a seller. One form of EFT.
Virtual Added Network (VAN)
A secure wide-area network that uses proprietary rather than Internet technology
Virtual Private Networks (VPN)
A secure, encrypted (tunnelled) connection between two points using the Internet, typically created by ISPs for organisations wanting to conduct secure Internet trading
Internet EDI enables EDI to be implemented at lower costs since rather than using proprietary, so-called value added networks (VANs) it uses the same EDI standard documents such as that for a purchase order illustrated below, but using lower cost transmission techniques through Virtual Private Networks (VPNs) or the public Internet. Reported cost savings are up to 90% (EDI Insider, 1996). EDI Insider estimated that this cost differential would cause an increase from the 80,000 companies in the United States using EDI in 1996 to hundreds of thousands. Internet EDI also includes EDI structured documents being exchanged by e-mail or in a more automated form using FTP.