Slide 1: Online Payment: Issues and Solutions
APEC OVOP Training Workshop on E-Commerce, Chinese Taipei, 20-24 August 2007
Assoc Prof Margaret Tan, Deputy Director, Singapore Internet Research Centre, Nanyang Technological University, Singapore
© 2007 The Millennium eTrust Pte Ltd

Slide 2: What is Electronic Payment?
  • A system that permits online payment between parties using an electronic surrogate of a financial tender
  • The electronic surrogate is backed by financial institutions and/or trusted intermediaries
  • The intent is to act as an alternative form of payment to physical cash, cheques or other financial tender

Slide 3: Current Status
  • ePayment opportunities are growing, albeit slowly
  • New players are entering the ePayment marketplace
  • Variety of ePayment mechanisms and devices, creating a state of chaos
  • Infrastructure for ePayment is complex and expensive to deploy
  • Lack of critical-mass adoption and acceptance
  • Online payment is hard to implement globally

Slide 4: ePayment is still evolving ...
  (diagram) Labels shown: New ePayment Solutions, Security Infrastructure, Business Realities, Authentication Models, Spa, Customer Profiles, Payment Types

Slide 5: ePayment Channels
  • Defined as 'touch points' where a payment transaction is originated or initiated
  • Can be executed through a variety of channels
    ◦ Internet based
    ◦ Kiosks
    ◦ Contactless or proximity sensors
    ◦ Mobile, e.g. mobile phones, PDAs

Slide 6: ePayment Instruments
  • Defined as the medium in which the value is recognised in a payment transaction
  • Card-based, such as
    ◦ Credit and charge cards: buy now, pay later
    ◦ Debit cards: buy now, pay now
    ◦ Cash cards, stored-value cards, e-cash: buy now, prepaid or pay before

Slide 7: Credit Cards
  • Most widely used
    ◦ banks are able to leverage the existing card infrastructure
    ◦ appears to be the 'de facto' online payment
  • Largely unencrypted
    ◦ 'card-not-present' transactions are processed without customer and merchant authentication
  • Charge-back risk for merchants
    ◦ a charge-back is when the customer demands a refund
    ◦ banks transfer the liabilities of charge-backs to the merchants
    ◦ merchants need to hold a bond to cover such charges

Slide 8: Debit Cards
  • Direct electronic transfer from the account (direct account debiting)
  • Uses chip/smart eWallets
  • Digital signature to secure access
  • Connected to an eBanking solution

Slide 9: Digital Cash
  • A system of purchasing cash and storing the credits on the consumer's computer
  • Computerised stored value is used as a form of cash to be spent in small increments
  • A third party is involved in the payment transactions
  • Examples: Beenz, Billpoint, PayPal

Slide 10: Cazh
  • A project by ABN-Amro
  • A debit system that creates a network between merchant and bank to allow customers to pay for goods by direct debit of the customer's bank account
  • Once the customer has been authenticated by his/her bank, he/she can authorise the bank to pay the merchant for the goods purchased
  • Similar to Nets POS, but in cyberspace

Slide 11: Cash Card
  • Payment solution on a proprietary protocol that allows payment over the Internet
  • A digital/virtual wallet with a prepaid credit-based/token-based payment system
  • Enables low-value electronic payments on the Internet
  • Limited distribution, proprietary solutions
  • Requires installing a card reader and downloading a free eWallet

Slide 12: eCheque
  • A formatted email message that consists of payee name, amount, payment date, payer's account number, and payer's bank
  • A digital certificate and signature are used to secure the cheque so that its contents cannot be tampered with
  • A signed electronic cheque is exchanged between the parties' financial institutions through an automated clearing house
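As an added example (not code from the deck), this Go program shows the mechanism slide 12 describes: the payer signs the cheque's fields, and any change before clearing breaks the signature. The field names, the Ed25519 algorithm and the assumption that the bank already holds the payer's public key (in practice it would be bound by the certificate) are this example's choices, not the deck's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ECheque carries the fields slide 12 lists; the names are assumed.
type ECheque struct {
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
	PaymentDate string `json:"payment_date"`
	PayerAcct   string `json:"payer_account"`
	PayerBank   string `json:"payer_bank"`
}

// SignedECheque is the cheque plus the payer's signature over it.
type SignedECheque struct {
	Cheque    ECheque
	Signature []byte
}

// canonical is the exact byte string that gets signed; json.Marshal
// writes struct fields in declaration order, so it is deterministic.
func canonical(c ECheque) []byte {
	b, _ := json.Marshal(c) // cannot fail for this plain struct
	return b
}
// Sign is the payer's step. In practice the public key is bound to the
// payer by a certificate; here the bank is assumed to hold it already.
func Sign(c ECheque, priv ed25519.PrivateKey) SignedECheque {
	return SignedECheque{Cheque: c, Signature: ed25519.Sign(priv, canonical(c))}
}

// Verify is what a bank runs before clearing: any change to a field
// after signing, e.g. the amount, makes the signature check fail.
func Verify(s SignedECheque, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, canonical(s.Cheque), s.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chq := ECheque{"Example Merchant Ltd", 12500, "2007-08-20", "ACCT-0001", "Example Bank"} // constructed
	signed := Sign(chq, priv)
	fmt.Println("genuine verifies:", Verify(signed, pub)) // true
	signed.Cheque.AmountCents = 1250000 // tampered in transit
	fmt.Println("tampered verifies:", Verify(signed, pub)) // false
}
```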
Slide 13: Mobile Wallet
  • Relatively new space exploited by telcos and non-financial enterprises
  • Provides ePurse functionality to replace card-type payments
  • Aggregates micro-payments onto the mobile phone bill
  • Can use the mobile access device to authenticate the payer's identity
  • The SIM card is well placed to run and control the payment process and authentication

Slide 14: Components of Online Payment System
  (diagram) Consumer; Online Merchants; Payment Clearinghouses; Payment Enablers (Payment Gateways, Merchant Acquirers, Shopping Cart Vendors, Non-bank Payment Processors); Competing Authentication Services

Slide 15: ePayment Risks
  (diagram) Payment path: Buyer → Internet → Merchant → Private network → Payment gateway → Bank network. Risks annotated along the path:
  • Use of stolen card
  • Credit card number or password stolen from computer
  • Unauthorised access
  • Information modified in transit
  • Payment info stolen from merchant
  • Masquerading as legitimate merchant
  • Key info stolen by merchant staff
  • Information modified in transit
  • Information stolen

Slide 16: Research on online shopping

| Survey By | Question Asked | Results |
|---|---|---|
| Odyssey, 2000 | Factors that would convert non-buyers to buyers online? | 60% of non-buyers said "credit card security," the highest factor cited. |
| Jupiter Research, May 2000 | Factors that would motivate new users to purchase online? | 58% of new Internet users said "better security," the 3rd highest factor cited. |
| Pew Internet & Am Life Project, June 2000 | Worries and concerns regarding online activities? | 68% of Internet users said "hackers getting credit card number," the 2nd highest concern cited. |
| Greenfield Online, 2000 | Barriers to online purchasing? | 47% of Internet users said "credit card security," the 3rd highest barrier cited. |
| Pricewaterhouse Coopers, 2000 | Barriers to online purchasing? | 79% of Internet users said "credit card security," the number one cited barrier. |
| Cyber Dialogue, 2000 | Important features of online shopping sites? | 85% of online shoppers said "secure transactions," the highest cited feature. |
| Odyssey, 2000 | Features that will increase the likelihood to buy online? | 88% of online shoppers said "guaranteed credit card security," the 2nd highest feature cited. |

Slide 17: How can we secure ePayment?
  • The Trust Principle
    ◦ The parties to the transaction must trust each other
    ◦ Buyer must believe that the seller is legitimate and will deliver the goods
    ◦ Buyer must believe that the goods are as represented and are worth the price
    ◦ Seller must believe that the buyer is legitimate and will pay for the goods purchased

Slide 18: How can we secure ePayment?
  • The Security Principle
    ◦ Parties need a secure environment in which to conduct the electronic transactions
    ◦ Seller needs to protect the details of the transactions
    ◦ Buyer needs to be certain that his/her information is securely handled and stored
    ◦ Buyer needs to be certain that information is not stolen such that it can be inappropriately used

Slide 19: ePayment Solutions
  • Must provide security: resistance to fraud and online attacks
  • Reliable: highly available and accessible at all times
  • Cost effective: cost per transaction should be low, even for micro-payments
  • Integrated and scalable: interoperable amongst different systems, payment methods and multiple servers distributed across the Internet
  • Convenient and easy to use: should support several devices
  • Anonymity: should protect the identities of the parties to the transactions and should not monitor the sources of finance

Slide 20: Securing ePayments
  • Identification and authentication
    ◦ the ability to verify both transacting parties
  • Authorisation
    ◦ the ability to validate the rightful owner of the transaction
  • Integrity and confidentiality
    ◦ the ability to transmit the transaction securely
    ◦ the ability to store the transaction properly
  • Accountability
    ◦ the ability to provide an audit trail as evidence in a dispute
  • Policies for sharing risks and liabilities
    ◦ the mechanism to settle disputes / non-repudiation

Slide 21: Authentication Models
  • Something you have and something you know: ATM card model
  • Known to the back-end (server), synchronised with each transaction using a one-time random number: SecurID model
  • "Sign" each transaction: PKI model
  • Tie into a real person: Biometrics
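As an added example (not from the deck), this Go program implements the server-synchronised one-time-code model of slide 21 as an RFC 4226 HOTP event counter, not the proprietary SecurID algorithm. It shows the two things a back-end has to get right: a bounded look-ahead window so a token that has run ahead can resynchronise, and advancing the stored counter past a used code so it can never be replayed. The secret is the RFC 4226 test-vector key, used here only so the codes can be checked.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 event-based one-time code: HMAC-SHA1 over
// the 8-byte big-endian counter, dynamically truncated to `digits` digits.
func HOTP(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// Verifier is the back-end's record for one token: the shared secret, the
// counter of the next expected code, and how far ahead the server will look
// when the device's counter has run ahead (codes generated but never used).
type Verifier struct {
	Secret  []byte
	Counter uint64
	Window  uint64
}
// Check accepts a code only if it matches one of the next Window+1 counters,
// then moves the counter past it so the same code can never be replayed.
func (v *Verifier) Check(code int) bool {
	for i := uint64(0); i <= v.Window; i++ {
		if HOTP(v.Secret, v.Counter+i, 6) == code {
			v.Counter += i + 1
			return true
		}
	}
	return false
}
func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector secret, demo only
	srv := &Verifier{Secret: secret, Window: 3}
	code := HOTP(secret, 0, 6) // the device's first code (its counter is 0)
	fmt.Println("first use:", srv.Check(code)) // true
	fmt.Println("replay:", srv.Check(code))    // false
}
```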
Slide 22: ePayment Transaction Cycle
  (diagram) Parties: Buyer, Merchant, Issuing Bank, Acquiring Bank, Visa/MasterCard. Flow labels shown (numbered in the original): Orders goods; Deliver goods; Voucher to Acquiring Bank; Reimburses merchant; Sends transaction voucher to Visa/MasterCard; Transaction voucher to Issuing Bank; Visa/MasterCard reimburses Acquiring Bank; Issuing Bank pays Visa/MasterCard; Bills buyer; Pays bank

Slide 23: Secure Sockets Layer (SSL)
  • A security protocol to protect sensitive data transmitted over the Internet
  • Uses encryption to protect the transmission of data
  • When an SSL session starts, the server sends a key to the browser, which returns a random key to the server
  • Ensures that data are not tampered with or stolen en route

Slide 24: Secure Electronic Transfer - SET
  • Protocol by Visa and MasterCard released in 1996
  • 3-party system: cardholder, merchant and bank using SET-enabled systems
  • Uses a digital certificate to ensure the cardholder is who he/she claims to be
  • Credit card details are invisible to merchants, protected by encryption for the clearing bank

Slide 25: 3D SET (Server-based SET)
  • Overcomes the resistance to the original SET
  • Uses a server-based implementation of SET
  • Reduces the technology that must be deployed by merchant and customer
    ◦ Merchants use 'thin' modules
    ◦ Customers use 'slim' digital wallets
  • Not interoperable with SSL websites

Slide 26: How 3D SET works ...
  (diagram) Parties: Customer (wallet), Issuer (cardholder certificates, wallet server), Merchant (API or URL, merchant certificates), Acquirer (payment gateway). Steps: 1. Cardholder Authentication; 2. Wallet Initiates Purchase; 3. Payment Request; 4. Payment Authorisation. Links labelled WTLS, SSL and SET.

Slide 27: Features of 3D SET
  • The certificate is stored in a central server of the issuer and not on the cardholder's computer
  • The cardholder is free to use certificates with other devices
  • The cardholder can only use a certificate issued by the CA (a limitation)
  • Theft of the certificate is still possible from the server-based SET (a problem)

Slide 28: Visa 3D Secure
  • A model that provides authenticated payment capabilities for all parties within the transaction continuum or cycle
    ◦ Issuer: cardholders and their banks
    ◦ Acquirer: merchants and their banks
    ◦ Interoperability: communication between issuing and acquiring organisations
  • The purpose is to isolate the responsibilities of the transacting parties

Slide 29: Visa 3D Secure - For Issuer
  • Cardholders' banks are responsible for the registration of cardholders, receipt and access control of the server
  • Communicates with 3D Secure merchant plug-ins via the Visa directory
  • The issuer back-end card system provides access to cardholder information

Slide 30: Visa 3D Secure - For Acquirer
  • Must install a 3D Secure Merchant Plug-in (MPI) on the website, integrated with the shopping cart system (payment gateway)
  • Handles communications with the Visa directory and the customer's credit card issuer
  • The system only authenticates customers to the merchant, not the converse
  • Merchants do not store customers' details on their servers

Slide 31: Authentication - MPI
  • Software is installed and configured on the merchant's machine
  • The merchant is responsible for looking up transaction records during the chargeback process and retrieving the "digital signatures" in order to shift liability to the cardholder

Slide 32: Merchant with MPI
  (diagram only; no text recovered)

Slide 33: Authentication - Managed Service
  • No software required to be installed on the merchant's machine
  • The service provider is responsible for looking up transaction records on behalf of the merchant during the chargeback process and retrieving the "digital signatures" in order to shift liability to the cardholder

Slide 34: Authentication Managed Service
  (diagram only; no text recovered)

Slide 35: MasterCard Secure Payment Application (SPA)
  • SPA is an authenticated payment system that involves the participation of the cardholder, the cardholder's issuer, and the merchant
  • The cardholder needs an authentication mechanism from the issuer, such as a browser plug-in or an electronic wallet on their computer
  • Merchants need a plug-in from the acquirer in the shopping cart to carry hidden fields of transaction-specific information, which can be checked against the security token

Slide 36: Issues with Authentication
  • Verifying the identity and authenticity of a party to the transaction
  • Verifying that the same person/entity is conducting the transaction
  • If the authentication scheme is broken, a user can impersonate another!
  • The level of authentication should correspond to the 'value' of the transaction
  • One authentication secret for all applications is dangerous: a single point of failure

Slide 37: To Summarise ...
  • 'De facto' authentication standards for 'card-not-present' systems
  • Mandates for compliance and integration: "front-end" and "back-end"
  • Overcome the problem of authentication and integrity in online transactions

Slide 38: Thank You …