Secure Electronic Payment Systems - PowerPoint PPT Presentation

1
Secure Electronic Payment Systems
  • K778 2006 Fall Topic Presentation
  • Junlian Xiang
  • Oct 3, 2006

2
Outline
  • Why use e-payment?
  • Overview of E-Payment systems
  • B2C
  • B2B
  • Tradeoffs of e-payment systems
  • Security Concerns
  • Fighting for Security
  • Brief Case Study - PayPal

3
Why use e-payment?
  • Some macro trends are visible:
  • The web becomes the primary information source
  • Web services become a main business transaction
    platform
  • Electronic marketplaces are a fact of life and
    are becoming more prevalent every day.
  • E-business becomes almost a rule for successful
    companies
  • Mobile applications spread over
  • The emergence of electronic payment systems for
    the growth of e-business.

Source: Georgescu, Mircea and Georgescu, Iuliana
Eugenia, "The Emergence of Electronic Payment
Systems for the Growth of E-Business".
International Symposium Economics and Management
of Transformation, 2004
4
Why use e-payment?
  • We use e-payment because of the intensive demand
    of e-business
  • Business-to-business and business-to-consumer
    e-commerce transactions surpass $7 trillion
    annually by 2005. (Georgescu, 2004)
  • If You Can't Get Paid, You Can't Survive!
  • Ease and efficiency
  • Time and Cost Saving
  • More and more secure, user-friendly and
    low-priced e-payment solutions are provided

5
Overview of E-Payment Systems
Demands on e-payment systems
  • Special demands of customers
  • Ease of use
  • Anonymity
  • Low cost
  • Portability
  • Widespread use among merchants
  • Special demands of merchants
  • Indisputability
  • Low transaction costs
  • Widespread use among customers
  • General
  • Security
  • Authorization
  • Authentication
  • Privacy
  • Integrity
  • Theft
  • Data corruption
  • Totality

Source: E-payments: modern complement to
traditional payment systems, E-Conomics No. 44,
2004, http://www.dbresearch.com/PROD/DBR_INTERNET_EN-PROD/PROD0000000000079835.pdf
6
Overview of E-Payment Systems
  • 1 Business to Customer (B2C)
  • Credit cards are the dominant form of e-payment,
    accounting for around 80% of online payments in
    2002
  • Other forms of electronic payment include:
  • Digital cash
  • Online stored value systems
  • Digital accumulating balance payment systems
  • Digital credit accounts
  • Digital checking
  • Mobile payment

7
How an Online Credit Transaction Works
Source: Kenneth C. Laudon, Carol Guercio Traver,
E-commerce: business. technology. society. 2nd
Edition. 2002.
8
Limitations of Credit Cards
  • Security
  • Neither merchant nor consumer can be fully
    authenticated
  • Cost
  • For merchants, around 3.5% of purchase price plus
    transaction fee of 20-30 cents per transaction
  • Social equity
  • Many people do not have access to credit cards
    (young adults, plus almost 100 million other
    adult Americans who cannot afford cards or are
    considered poor risk)

9
Digital Wallets
  • Concept of digital wallet relevant to many of the
    new digital payment systems
  • Seeks to emulate the functionality of traditional
    wallet
  • Most important functions
  • Authenticate consumer through use of digital
    certificates or other encryption methods
  • Store and transfer value
  • Secure payment process from consumer to merchant
  • Two major categories
  • Client-based digital wallets: Gator.com,
    MasterCard Wallet
  • Server-based digital wallets: MSN Wallet

10
Digital Cash
  • One of the first forms of alternative payment
    systems
  • Not really cash
  • Rather, are forms of value storage and value
    exchange that have limited convertibility into
    other forms of value, and require intermediaries
    to convert
  • Many of the early examples have disappeared;
    concepts survive as part of P2P payment systems
  • A variation is gift cash which is earned as
    points.

11
Online Stored Value Systems
  • Permit consumers to make instant, online payments
    to merchants and other individuals based on value
    stored in an online account
  • Rely on value stored in a consumer's bank,
    checking or credit card account

12
Smart Cards as Stored Value Systems
  • Another kind of stored value system based on
    credit-card sized plastic cards that have
    embedded chips that store personal information
  • Two types
  • Contact
  • Contactless
  • Examples: Mondex, American Express Blue

13
Digital Accumulating Balance Payment Systems
  • Allows users to make micropayments and purchases
    on the Web, accumulating a debit balance for
    which they are billed at the end of the month
  • Examples: Qpass and iPin

14
Digital Credit Card Payment Systems
  • Extend the functionality of existing credit cards
    for use as online shopping payment tools
  • Focus specifically on making use of credit cards
    safer and more convenient for online merchants
    and consumers
  • Example: eCharge

15
How a Digital Credit Card Payment System Works:
eCharge
Source: Kenneth C. Laudon, Carol Guercio Traver,
E-commerce: business. technology. society. 2nd
Edition. 2002.
16
Digital Checking Payment Systems
  • Extend the functionality of existing checking
    accounts for use as online shopping payment tools
  • eCheck requires significant investment in new
    infrastructure
  • Examples: eCheck, Achex (MoneyZap)

17
Digital Checking Payment Systems
Source: Kenneth C. Laudon, Carol Guercio Traver,
E-commerce: business. technology. society. 2nd
Edition. 2002.
18
How Digital Checking Works: eCheck
Source: Kenneth C. Laudon, Carol Guercio Traver,
E-commerce: business. technology. society. 2nd
Edition. 2002.
19
2 Business to Business (B2B)
  • The Association for Financial Professionals (AFP)
    in June 2004 surveyed members to learn more about
    their use of electronic methods to send and
    receive business-to-business payments. Key
    results of the survey:
  • Most business-to-business (B2B) payments continue
    to be made by check.
  • Organizations appear to be more willing to
    migrate from checks to electronic payments today
    than they were four years ago.
  • Forty-five percent of financial professionals
    report that their organization has integrated its
    A/P and/or A/R system with its electronic
    payments system.

Source: www.AFPonline.org
20
2 Business to Business (B2B)
  • Primary payment methods
  • The four major barriers to B2B E-Payments
  • Shortage of IT resources
  • Accounting systems that are not integrated with
    electronic payment systems
  • The lack of a single standard format for
    remittance information
  • Trading partners who cannot send or receive
    e-payments with sufficient remittance information

Source: www.AFPonline.org
21
2 Business to Business (B2B)
  • One solution: B2B EBPP
  • Electronic bill presentment and payment (EBPP) is
    a process that enables bills to be created,
    delivered, and paid over the Internet. The
    service has applications for many industries,
    from financial service providers to
    telecommunications companies and utilities.
  • Between 2005 and 2010, the number of electronic
    bill presentment and payment (EBPP) users will
    grow by 75% to roughly 47 million households.

Source: EBPP Forecast 2005 To 2010, by Catherine
Graeber, October 4, 2005,
http://www.forrester.com/Research/Document/Excerpt/0,7211,36327,00.html
22
2 Business to Business (B2B)
  • Adoption rates in the B2C EBPP market are not as
    strong as originally anticipated
  • But the B2B side of the business is quite
    promising.
  • The potential for cost savings is very
    significant in the B2B market, compared to those
    for the B2C.

Source: http://www.celent.com/PressReleases/20010622/B2BEBPP.htm
23
Overview of E-Payment Systems
  • Some Trade-offs
  • 1 Privacy versus traceability
  • A conflict exists between the wish for privacy
    and anonymity and the possibility and desire of
    regulators and intermediaries to be able to trace
    any transaction in the economy.
  • Traditional intermediaries (credit card
    companies, banks, etc.) emphasize the desire by
    consumers to be able to trace their own
    transactions.
  • Some systems, like David Chaum's DigiCash, have
    been designed with emphasis on privacy and
    anonymity.

24
Overview of E-Payment Systems
  • Some Trade-offs
  • 2 On-line versus off-line
  • The trade-off here is between the need to verify
    transactions on-line and the ability to trust a
    transaction without an on-line third party
    present.
  • Off-line
      • Makes electronic money most like true
        physical cash
      • More convenient
      • Cheaper
  • On-line
      • The easiest way to solve the double spending
        problem: a transaction is approved and cleared
        on the spot.
      • It provides the ability to trace the
        transactions.
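
The on-line versus off-line trade-off above, as an added example that is not part of the original presentation: an issuer that clears each token on the spot rejects the second spend immediately, while merchants who accept off-line only learn of it at deposit time. The `Issuer` class, the function names and the HMAC-tagged token format are hypothetical simplifications (the token is traceable by serial, unlike a privacy-oriented design such as DigiCash).

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Hypothetical bank that issues and clears bearer tokens."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key known only to the issuer
        self._spent = set()                  # serials that have already cleared

    def _tag(self, serial, cents):
        msg = f"{serial}:{cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, cents):
        serial = secrets.token_hex(16)
        return {"serial": serial, "cents": cents, "tag": self._tag(serial, cents)}

    def clear(self, token):
        """Approve and clear one token: 'ok', 'forged' or 'double-spend'."""
        expected = self._tag(token["serial"], token["cents"])
        if not hmac.compare_digest(expected, token["tag"]):
            return "forged"                  # integrity check failed
        if token["serial"] in self._spent:
            return "double-spend"            # serial was cleared before
        self._spent.add(token["serial"])
        return "ok"


def pay_online(issuer, token):
    """Merchant hands over goods only if the issuer clears the token now."""
    return issuer.clear(token) == "ok"


def pay_offline(merchant_queue, token):
    """Merchant accepts on the spot without contacting the issuer."""
    merchant_queue.append(token)
    return True


def settle(issuer, merchant_queue):
    """Later deposit of off-line tokens; fraud surfaces only here."""
    return [issuer.clear(t) for t in merchant_queue]


def demo():
    bank = Issuer()
    coin = bank.issue(500)                   # constructed sample token
    online = [pay_online(bank, coin), pay_online(bank, dict(coin))]
    coin2 = bank.issue(500)
    shop_a, shop_b = [], []
    offline = [pay_offline(shop_a, coin2), pay_offline(shop_b, dict(coin2))]
    late = settle(bank, shop_a) + settle(bank, shop_b)
    tampered = dict(bank.issue(500), cents=50000)  # amount altered after issue
    return online, offline, late, bank.clear(tampered)


if __name__ == "__main__":
    print(demo())
```

In the off-line run both shops have already released goods by the time `settle` reports the second deposit as a double spend, which is the gap tamper-resistant hardware is meant to close.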

25
Overview of E-Payment Systems
  • Some Trade-offs
  • 3 Hardware versus software
  • Advantages of hardware (e.g. smart card)
      • It can help to solve the double spending
        problem in an off-line environment.
      • Flexible at a very low cost per transaction.
        It is therefore perfectly adapted to tiny and
        medium value transactions.
  • Disadvantages of hardware
      • Non-durability (so not suited to large
        transactions)
      • It requires the spread of specific pieces of
        hardware (card readers) and their acceptance
        by consumers.

26
Overview of E-Payment Systems
  • Some Trade-offs
  • 4 Transparency versus explicitness
  • On the one hand, users may want transparent money
    transaction algorithms, where the real money
    transactions are hidden from the user.
  • But on the other hand the users want to be in the
    control-loop of all the money transactions. They
    want to be sure that they only pay what they have
    asked for and they do not want to spend any money
    without being notified.

27
Security Concerns
  • Integrity
      • The ability to ensure that information being
        displayed, transmitted or received over the
        Internet has not been altered in any way by an
        unauthorized party.
  • Non-repudiation
      • The ability to ensure that payers/payees do not
        deny their online actions
  • Authenticity (authorization and authentication)
      • The ability to establish the identity of a
        person or entity with whom you are dealing on
        the Internet

28
Security Concerns
  • Privacy
      • The ability to control the use of information
        a customer provides about himself/herself to a
        merchant
  • Confidentiality
      • The ability to ensure that messages and data
        are available only to those who are authorized
        to view them, only for the purposes claimed at
        that time

29
Security Concerns
  • The Security Environment for organizations
  • AFP conducted a survey in February 2005 to throw
    light on the nature and frequency of fraudulent
    payment attacks that its member organizations
    experienced during 2004.

Source: www.AFPonline.org
30
Security Concerns
  • Key findings of the Payments Fraud and Control
    Survey include:
  • Fifty-five percent of survey respondents
    indicate that their organization was a victim of
    payments fraud in 2004.
  • Nearly three-quarters of organizations with
    annual revenues greater than $1 billion
    experienced fraud compared to 37 percent of
    smaller organizations.
  • For organizations that were victims of payments
    fraud in 2004, the median dollar amount of the
    fraud was $26,600.

Source: www.AFPonline.org
31
Security Concerns
  • Key findings of the Payments Fraud and Control
    Survey include:
  • Organizations use a variety of internal and
    bank-provided services to guard against payments
    fraud.
  • Seventy-nine percent of organizations indicate
    that they stopped at least one incident of
    payments fraud in 2004.
  • Ninety-one percent of larger organizations report
    that they stopped at least one incident of
    payments fraud compared to 67 percent of smaller
    organizations.

Source: www.AFPonline.org
32
Security Concerns
  • From the customer's perspective
  • As global research (2005) sponsored by Visa
    shows, the protection of personal and private
    information is a major concern of consumers.
  • 70% of consumers agree that the benefits of
    protecting their personal or financial
    information from being lost or stolen outweigh
    the inconvenience or cost.
  • E-mail addresses sold to third parties
  • Fear about personal or financial information
    being stolen
  • E-mail scams known as phishing or spoofing

33
Security Concerns
  • The survey also shows
  • Concern tends to be highest among:
      • Individuals who are from emerging economies
      • Lower income individuals
      • Individuals who do not use their payment cards
        regularly, and
      • Victims of identity theft.
  • Consumers in emerging economies are more
    concerned than those in developed economies about
    data security issues.

34
Security Concerns
Source: http://corporate.visa.com/pd/pdf/Consumer_Global_Research_Backgrounder.pdf
35
Fighting for Security
  • Technologically
  • Three key points of vulnerability through the
    payment chain
  • Client
  • Server
  • Communications channel
  • Technologies for security
  • Protecting Internet communications (encryption)
  • Securing channels of communication (SSL, S-HTTP,
    VPNs, SET)
  • Protecting networks (firewalls)
  • Protecting servers and clients

36
Fighting for Security
  • Protocols for secure e-Payment systems
  • SET
      • Secure Electronic Transaction provides a tunnel
        to process electronic payments for e-commerce
        purchases.
  • S-HTTP
      • This Internet security protocol is an extension
        of the Hypertext Transfer Protocol. It allows
        Internet users to conduct secure transactions
        for online purchases or information
        distribution.
  • SSL/TLS
      • This Internet security protocol is an extension
        of the Hypertext Transfer Protocol. It allows
        Internet users to conduct secure transactions
        for online purchases or information
        distribution.

37
Fighting for Security
  • Protocols for secure e-Payment systems
  • PCT
      • The Private Communication Technology (PCT)
        protocol provides privacy between two
        communicating applications and authenticates at
        least one of the two to the other.
  • iKP
      • iKP is an IBM proposal for a family of public
        key protocols supporting secure presentation of
        credit card information
      • The iKP technology is designed to allow
        customers to order goods, services, or
        information over the Internet, while relying on
        existing secure financial networks to implement
        the necessary payments.

38
Fighting for Security
  • As a whole, data security is a shared
    responsibility - from banks to merchants to
    consumers, all stakeholders have a role to play
    in data security
  • Consumers believe that no one person or entity is
    responsible for protecting the safety and
    security of their personal information. In fact,
    close to half (47%) of global respondents believe
    protection is more of an international issue than
    a national (36%) or a local issue (16%).
  • Several potential data security initiatives made
    consumers feel much more secure

Source: http://corporate.visa.com/pd/pdf/Consumer_Global_Research_Backgrounder.pdf
39
Fighting for Security
Source: http://corporate.visa.com/pd/pdf/Consumer_Global_Research_Backgrounder.pdf
40
Fighting for Security
  • Tips for customers to avoid becoming a victim of
    Phishing and Spoofing
  • Banks and Financial Institutions will NEVER send
    you an email and prompt you to provide personal
    information or request you to access your
    account.
  • Never attempt to go to your bank or financial
    institution's web site using a link in an email.
  • Be suspicious of any email with urgent requests
    for personal financial information. Always
    confirm such requests with your financial
    institution.

Source: http://www.us-banks.net/phishing/tips.html

41
Fighting for Security
  • Tips to avoid becoming a victim of Phishing and
    Spoofing
  • Most sites on the net start with "http". Secure
    sites start with "https". Never give your
    personal or account information to a site unless
    you are certain you are in the right place.
  • Monitor your credit report to make sure the
    information on file is accurate. An increasingly
    important reason to check your credit report is
    identity theft.

Source: http://www.us-banks.net/phishing/tips.html

42
Brief Case Study
  • What is PayPal?
  • With PayPal, you have an online account that
    makes it easy to send money from a variety of
    sources (like your credit card or bank account)
    to a variety of recipients (such as an online
    store or your landlord) without sharing your
    financial information.
  • So the online store or your landlord never sees
    your credit card number or your banking
    information.

https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/NewConsumerWorks-outside
43
Brief Case Study
  • PayPal is popular
  • PayPal is used by an overwhelming majority of
    respondents (over 94%)
  • Some concerns from PayPal's customers
  • PayPal fees
  • Levels of customer service at PayPal
  • Concern over a lack of competition, with some
    mentions of Google as a possible alternative
  • Security and spoof emails
  • Dissatisfaction with PayPal's dispute resolution
  • PayPal accessibility issues

Source: AuctionBytes Releases Results of Online
Payment Survey, by Ina Steiner, February 05,
2006. (http://AuctionBytes.com)
44
Brief Case Study
  • Main channel: the money in the email
  • A new pay method: Mobile Payment
