Electronic Payment - PowerPoint PPT Presentation

Slides: 46
Provided by: henryccoan

1
Electronic Payment
  • Henry C. Co
  • Technology and Operations Management,
  • California Polytechnic and State University

2
Introduction
  • History
  • Exchange of goods/services conducted face to face
    between 2 parties dates back to before the
    beginning of recorded history.
  • As trade became more complicated, abstract
    representations of value were devised
  • Cash
  • Checks
  • Money orders
  • Credit cards
  • Online use of credit cards
  • Smartcard
  • Electronic Money

3
Problems
  • Traditional means of payments
  • Counterfeit
  • Forged signature
  • Bounced checks
  • Electronic money has the same problems
  • Easy to copy
  • A digital signature can be reproduced by anybody
    who knows the secret cryptographic signing key.
  • The buyer's name is associated with the payment:
    lack of anonymity.

4
The Credit Card
  • Internet payment method of choice.

5
Credit Card
  • Advantages
  • Allows credit
  • People can buy more than they can afford
  • Widespread, but lacks
  • Anonymity
  • Security
  • Inability to reach everyone
  • In the United States, about 40% of the population
    does not have a credit card.

6
  • Payment Size
  • Macropayments involve large payments from about
    10 USD onwards.
  • Small payments are from 0.1 USD or higher.
  • Micropayments can involve fractions of Cents.
  • Credit cards are too expensive for small/micro
    payments
  • Fixed charge of 2-4.5 (higher on internet)
  • The most expensive e-Payment mechanism
  • MasterCard: $0.29 + 2% of transaction value
  • A $100 charge costs the merchant $2.29
  • This cost reflects the security problems

7
Security Problems
  • Security problems
  • All info is exposed to the merchant
  • There is a greater threat over the Internet where
    merchants can be located anywhere
  • All purchases are traceable

8
Credit Card Processing
Source: Payment Processing Inc.

9
NetBill
  • Pre-funded using a credit card to purchase goods

10
Electronic Goods (e.g. music)
NetBill
  1. Client requests price quote
  2. Service provider makes offer
  3. Client accepts offer
  4. Goods delivered encrypted
  5. Receipt acknowledged
  6. Transaction submitted
  7. Transaction approved
  8. Key delivered
Source: Marvin Sirbu
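
The eight NetBill steps above, modelled to show why the goods travel encrypted and the key comes last. This is an added example, not code from the presentation or from NetBill; the `NetBillServer` class, the message contents and the toy SHA-256 keystream cipher are assumptions, since the slide gives only the step names.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode cipher (stand-in for a real authenticated cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class NetBillServer:
    """Hypothetical server holding pre-funded accounts (amounts in cents)."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.receipts = {}  # txn_id -> (ciphertext digest, key) kept for disputes

    def submit(self, txn_id, payer, payee, price, digest, key):
        """Steps 6-7: debit, credit and key release succeed or fail together."""
        if txn_id in self.receipts:             # replayed submission: no second debit
            return self.receipts[txn_id][1]
        if self.balances.get(payer, 0) < price:
            return None                         # declined: no money moves, no key
        self.balances[payer] -= price
        self.balances[payee] = self.balances.get(payee, 0) + price
        self.receipts[txn_id] = (digest, key)
        return key

def purchase(server, payer, payee, price, goods: bytes):
    """Run steps 4-8 for one sale; returns the decrypted goods or None."""
    key = secrets.token_bytes(32)               # merchant's one-time key
    ciphertext = keystream_xor(key, goods)      # step 4: goods delivered encrypted
    digest = hashlib.sha256(ciphertext).hexdigest()  # step 5: what the client acknowledges
    txn_id = secrets.token_hex(8)
    released = server.submit(txn_id, payer, payee, price, digest, key)
    if released is None:
        return None                             # client holds only unreadable ciphertext
    return keystream_xor(released, ciphertext)  # step 8: key delivered, client decrypts
```

A declined transaction leaves the client with ciphertext and no key, and the merchant with no payment, which is the "both or none" outcome.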
11
e-Payment Ideas
  • Want to move money over the Internet
  • But money does not move over the Internet yet

12
Problems
  • Problem
  • Banks not set up for instantaneous transactions
  • Security
  • Poor interaction among payment mechanisms: credit
    card, bank account, payables systems, procurement
  • System design problems
  • Keep transaction costs low
  • Scale to huge number of transactions (100 billion
    per day)
  • Bank systems (SWIFT, FedWire) do not talk to the
    Internet

Source: Michael Shamos (shamos_at_cs.cmu.edu)

13
Requirements
  • Money atomicity: no money is lost or created in a
    transfer
  • Goods atomicity: money and goods are exchanged
    atomically (both or none)
  • Non-repudiation: no party can deny its role in
    the transaction (digital signatures)
  • Desirable Properties
  • Universally accepted
  • Transferable electronically
  • Divisible into change (pay for $10 item with
    $100 bill)
  • Forge-proof, Theft-proof
  • Private (no one except parties know the amount)
  • Anonymous (no one can identify the payor)
  • Work off-line (no need for on-line verification)

14
Examples of e-Payments

15
The Participants
  • Payer makes the payment (customer or buyer).
  • Payee receives the payment (merchant or
    seller).
  • Issuer is the third party of the payer (bank or
    service-provider of the payer).
  • Acquirer is the third party of the payee
    (bank/service-provider of the payer).
  • Broker is both issuer and acquirer (when a
    protocol requires a single third party to be
    shared by payer and payee).
  • Observer is usually an uninvolved third party
    used in the privacy analysis of a payment system.
    Observer has information about the transaction.

16
  • Certification
  • A registration and certification authority for
    the management of authentication and symmetric
    keys (as in Kerberos) or public-key certification
  • Arbiter
  • Resolves disputes.
  • Trusted Third Parties
  • Notaries
  • To enforce payment receipt notifications,
    clearings or witnessing of transactions.

17
Electronic Payment Systems
  • Trusted Third Party
  • Notational Fund Transfer
  • Digital Currency

18
Trusted Third Party
  • Third party maintains all sensitive information
    (such as bank account and credit card numbers)
    for its clients (both buyers and sellers).
  • No real financial transaction is done online.
  • Information about payment confirmation and
    clearing is transmitted along with order
    information
  • No sensitive information is transmitted.

19
  • The primary example of this type is First Virtual
    (http://www.fv.com/). In this type of system, the
    information need not be encrypted since financial
    transactions are done completely off-line.

20
Notational Fund Transfer
  • In credit card or check transactions, sensitive
    information is being exchanged.
  • For example, you give your credit card to a
    merchant, who sends the card number over a phone
    line and receives confirmation.
  • Banks meanwhile receive the same information and
    adjust buyer's and merchant's accounts
    accordingly.
  • The information being transmitted online in this
    case is encrypted for security.
  • The primary example is the use of digital credit
    cards (e.g. CyberCash (www.cybercash.com) and
    VISA/MasterCard's SET-based transactions).

21
  • The Internet may be more secure than phone lines
    for these same old payment methods. (Can you
    encrypt your voice when you give your credit card
    number over the phone? Can you be sure who the
    other person is?)

22
Digital Currency
  • An encrypted serial number that represents real
    money and is convertible to real money (e.g. US
    dollars) if desired.

23
  • Digital money is created against existing money.
    In the long run, digital money may be created on
    its own if users accept it on its face value,
    which will be determined by how dependable its
    issuers are. All monies are only as good as their
    issuers.
  • Very flexible: can be made to behave like
    e-checks or anonymous cash as the situation warrants.

24
Secure Credit Card
  • Direct use of the existing credit card
    infrastructure, like SET.

25
Secure Credit Card Presentation
  • The most important point in using a credit card for
    payments through the Internet is the secure
    transmission of the credit card data.
  • Payer transmits the credit card data or their
    equivalent to the payee, who submits them in turn
    to the acquirer for online validation.
  • Acquirer resolves the actual payment via the
    established financial networks.
  • The drawback: unsuitability for micropayments.

26
Smart Card
  • A Smart Card (a term suggested by John Meckley)
    is similar to a credit card with a magnetic
    strip, but contains more information and can be
    programmed for different applications, and can be
    updated to add new applications after they are
    issued.

27
Smart Card
  • An electronic device about the size of a credit
    card that contains an embedded integrated circuit
    (program and memory)
  • Uses
  • Storing digital cash
  • Storing information: giving hospitals or doctors
    personal data without filling out a form
  • Generating network IDs by storing X.509
    certificates, private keys and RSA
    crypto-engines: establishing your identity when
    logging on to an Internet access provider or to
    an online bank
  • Specialized applications such as SIM (Subscriber
    Information Modules) in GSM wireless telephones
    -- a SIM contains all the generic information
    required to access the telephone network

28
How Smart Cards Work
  • A Smart Card is similar to a credit card with a
    magnetic strip, but contains more information and
    can be programmed for different applications, and
    can be updated to add new applications after they
    are issued.
  • Smart cards come either with just a memory chip,
    which is only a storage device and cannot
    process information, or with processing
    abilities.

29
  • Smart cards can typically be classified into
    broad categories based on how they communicate
    with another device
  • Contact - Direct Communication - the card must be
    inserted into a smart card reader which connects
    to a conductive module on the card
  • Connectionless - antenna or other electromagnetic
    interface is embedded in the card
  • Hybrid cards are dual chip cards with each chip
    containing its respective contact or
    connectionless interface; the chips are not
    connected to each other in the card
  • Combo cards have a single chip with both contact
    and connectionless interfaces.
  • Power for the smart card may be supplied either
    by an embedded battery or by a microwave
    frequency -- the card needs to be within 2 to 3
    inches of the card reader.

30
Smart Card Structure
[Figure: smart card structure, showing the contacts (8). Source: Smart Card Forum]

31
Smart Card Applications
  • Applications
  • Ticketless travel: Seoul bus system, 4M cards, 1B
    transactions since 1996
  • Authentication, ID
  • Medical records
  • Ecash
  • Store loyalty programs
  • Personal profiles
  • Government Licenses
  • Mall parking . . .

32
  • May emerge as the ultimate interface device for
    the mobile digital economy.
  • It will hold your cash, ID information, house and
    office keys, subway tokens, all types of
    preference files (for house temperature setting,
    driver seat setting, etc.) and other information.
  • You will exchange this information and digital
    products with other people, transact business,
    present to police officers, check into a hotel or
    a sports arena, and all other things yet to be
    imagined.

33
Smart Card Future
Source: David Temoshok, Office of Federal Electronic Commerce, GSA
[Figure labels: Access Control; ID; Portable Data File; Phone; Computer/Internet Security; EBT/E-Cash; Payment/Purchase; Public Transit; Travel; Medical Records]

34
  • At this time, over a billion smart cards are in
    use, primarily in Europe. Because the current
    infrastructure in the US is designed for credit
    cards with magnetic strips, there has been a
    slower rate of adoption of smart cards in the
    US. The use of Smart Cards in Europe received
    its initial boost from the French government in
    1985 when it purchased 16 million cards for use
    by its then state-owned bank.
  • There are two industry standard groups dealing
    with issues related to Smart Cards:
  • Personal Computer / Smart Card
    (http://www.smartcardsys.com/) - interface between
    programming and PC hardware in a smart card,
    representing Microsoft, IBM, Bull, Schlumberger,
    and other interested companies. Smart Card
    Industry Association (http://www.scia.org/)
  • OpenCard - a smart card operating systems
    JavaCard and MultiOS

35
Smart Card Standards
  • OpenCard Framework is supported by Sun
    Microsystems, IBM, Oracle, Netscape. It is a
    standard for NCs, emphasizes portability and
    personalization, and adopts Java.
  • Personal Computer Smart Card (PCSC) Workgroup
    Standard is proposed by Microsoft and supported
    by Schlumberger Electronic Technologies.
  • Sun's Java Card API, endorsed by Citibank, Visa,
    First Union National Bank, VeriFone.
  • Motorola formed a Smart Card Systems Business
    unit for contactless cards using radio.

36
Digicash and eCash
37
Digicash Concept
  1. Consumer buys Digicash from Bank
  2. Bank sends Digicash bits to consumer
  3. Consumer sends Digicash to merchant
  4. Merchant checks with Bank that Digicash is valid (not already spent)
  5. Bank verifies that Digicash is valid
  6. Parties complete transaction
  • Consumer still has (invalid) Digicash
  • Anonymous
  • Complex transaction (checking with Bank)
  • Atomicity a problem
[Diagram: Consumer, Merchant and Bank, with arrows numbered 1-5]

38
Withdrawal (Minting)
  • Alice buys digital coins from a bank (wallet software)
  • Alice sends unsigned blinded coins to the bank
  • Bank signs coins, sends them back; Alice unblinds them
Spending
  • Alice pays Bob
  • Bob verifies coins not spent
  • Bob deposits
Personal Transfer
  • Alice transfers coins to Cindy
  • Cindy verifies coins not spent
  • Cindy gets coins back
39
e-Checks
  • A sequence of bits that encode a value.

40
e-Check
  • Checks: paper carrier of information
  • e-Checks: a sequence of bits that encode a value
  • Same information as paper checks
  • Same legal framework as paper checks
  • Used in any and all remote transactions
  • Exchanged directly between parties
  • Enhance checking account capabilities
  • Why aren't people using it?
  • Not as widespread/quick as credit cards
  • Doesn't provide total anonymity

41
Digital Signature
42
NetCash/NetCheque
  • Works just like e-check.
  • An electronic form of currency that provides
    anonymous digital payments over an unsecured
    network.

43
Micropayment
  • If transaction costs can be made low enough to
    handle even sub-dollar payments, why should
    digital product sellers be limited to accepting
    credit card payments and other large-scale
    payment methods?

44
Aggregation
  • Used when individual transactions are too small
    for credit card (e.g. $2.00)
  • Consumer and Merchant sign up with Aggregator
  • Consumer makes purchase. Merchant notifies
    Aggregator.
  • Aggregator keeps Consumer's account. When amount
    owed is large enough (or every month), charges to
    Consumer's credit card
  • Aggregator sends money (less fees) to Merchant
  • QPASS, CyberCash, GlobeID

45
Micropayments Technology Providers
  • Mondex http://www.mondex.com/
  • NetBill http://www.netbill.com/
  • NetCheque http://www.isi.edu/gost/info/NetCheque/
  • NTSys http://www.ntsys.fr/
  • OpenMarket http://www.openmarket.com/
  • Pay2See http://www.pay2see.com/
  • SOX http://www.systemics.com/docs/sox/index.html
  • Trivnet http://www.trivnet.com/
  • The Ultimus Solution http://www.sidrac.com/
  • Wave Systems Corp http://www.wavesys.com/
  • Clickshare http://www.clickshare.com/home/
  • CyberCash CyberCoin http://www.cybercash.com/
  • DigiCash http://www.digicash.com/
  • E-Money http://www.emoney.net/
  • Enition http://www.enition.com/
  • GC-Tech http://www.gctec.com/
  • Internet Dollar http://internetdollar.com/
  • Jalda http://www.jalda.com/home/
  • Micro Payments http://www.hrl.il.ibm.com/mpay/
  • Micropayments Transfer Protocol
    http://www.w3.org/TR/WD-mptp-951122
  • Millicent http://www.millicent.digital.com/