Online Payments Using Information Cards
Presentation Transcript

  • Online Payments using Information Cards: Your Questions Answered. Sid Sidner, ACI Worldwide
  • Who the heck is ACI?
    • 30 years of delivering software to the payment card industry
      • Payment engines and back office software
    • In 2006, ACI customers processed over 70 billion transactions
      • About half the plastic in the world goes through our software
      • Bank of America did 21.7 million on 23 Dec 2005
    • ACI’s customers include the largest banks, retailers, and payment networks in the world
    • ACI is one of the world leaders in EMV smartcard products
    • ACI also sells wholesale banking software
  • Why is Sid Sidner talking about this?
    • During my 9 years at ACI
      • ACI Virtual Wallet (for SET)
      • Mobile Banking
        • National Bank of Greece
        • Movipay in Spain
      • BankPass in Italy
      • 3D-Secure
        • Verified by Visa
        • MasterCard SecureCode
      • Liberty Alliance participant
    • My day job is the director of product security
    • But I love poking holes in new payment ideas!
    • I haven’t been able to find the hole in this one (yet…)
  • What’s in it for ACI?
    • More clicks!
    • We also have an obligation as a long-time PCI thought leader to move the industry forward
    • We will not patent this and in fact published it on a blog to prove it.
    • We make money the old fashioned way: we build software and get it to work at our customers
      • “Always strive to lower your talk-to-do ratio.”
  • What are the problems with e-commerce?
    • Increasing fraud
      • MasterCard: Card Not Present fraud, up 52%, 2006 vs 2005
      • The PCI Data Security Standard and compliance activities are severely tasking merchants
    • Consumer perceptions of insecurity
    • Privacy
      • Consumer data is everywhere, including billing addresses and phone numbers
    • The hassle of entering payment data
      • The click path for checkout is long
      • Too bad we can’t just swipe a card
  • How do the payment networks work? [Diagram: Consumer, Merchant, Acquirer, Payment Networks and Issuer, with the authorization flow and the settlement flow between them]
  • Who are the real players? [Diagram: payment network participants, Visa, 2006; asterisks mark the participants where ACI provides software]
  • What’s the history of e-commerce?
    • Plain old virtual POS terminal
      • Consumer enters data; merchant sends to an Internet gateway provider
    • Secure Electronic Transactions
      • Perfect security
      • PKI for merchants, networks, and consumers
      • Required a SET wallet
    • 3D-Secure
      • “Son of SET”
      • Lighter weight
      • Uses browser redirects – no wallet required
  • What did SET look like?
  • How about the 3D-Secure architecture?
  • What’s wrong with 3D-Secure?
    • The card brands tried!
      • Lower interchange rate
      • Risk shift to the issuer for fraud
    • Poor merchant adoption
      • It made the click path longer
    • Poor issuer adoption
      • Implementing an ACS was hard if done internally
      • Out-sourcing had data risk
      • Burnt from their SET experience
    • Poor consumer adoption
      • Hard to understand
      • Poor merchant & issuer adoption
    • Other methods still accepted
  • How do Information Cards work? [Diagram: the User’s Identity Selector gets a card from the Identity Provider and uses it at the Relying Party]
  • What’s your big idea, ACI? [Diagram: the same flow with the Bank as Identity Provider and the Merchant as Relying Party; the User’s Identity Selector gets a card from the Bank and uses it at the Merchant]
  • So what?
  • Isn’t this just like authentication?
    • Yes, from an architectural standpoint
      • Just a few little tweaks…
    • But, the Information Card Issuer is a payment brand, not a specific issuer
      • E.g. The same for all Visa card issuer Information Cards
      • E.g. Different for Visa and PayPal
    • And, the Information Card claims from the merchant include variable data
      • The transaction details
    • The claims returned from the issuer include
      • a one-time use pseudo card number for privacy
      • and a strong cryptographic token with the transaction details
    • There is no impact to the PCI networks – these look just like 3D-Secure transactions
  • What does a Payment Information Card look like?
    <Issuer>http://paymentcard.vista.com</Issuer>
    <SupportedClaimTypeList>
      <SupportedClaimType Uri="http://paymentcard.vista.com/account">
        <DisplayTag>Account Number</DisplayTag>
      </SupportedClaimType>
      <SupportedClaimType Uri="http://paymentcard.vista.com/VV">
        <DisplayTag>Verification Value</DisplayTag>
      </SupportedClaimType>
      <SupportedClaimType Uri="http://paymentcard.vista.com/expiry">
        <DisplayTag>Expiration Date</DisplayTag>
      </SupportedClaimType>
      <SupportedClaimType Uri="http://paymentcard.vista.com/trandata?">
        <DisplayTag>Transaction Details</DisplayTag>
      </SupportedClaimType>
    </SupportedClaimTypeList>
  • What changes are required to the protocol?
    • Variable data in claims
      • Identity Selector: Match claims only up through the question mark in the claim URL
      • Information Card: http://paymentcard.vista.com/trandata?
      • Merchant: http://paymentcard.vista.com/trandata?COMPRESSED_AND_BASE-64_ENCODED_REQUEST
    • Allow multiple issuers in the WS-SecurityPolicy element
      • So that merchant can indicate which payment types are accepted at their store
    • Kim and Mike @ MSFT are aware of this and plan to include it in “version 2”
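As an added example (not code from the slides or from the ACI / Ping Identity demo), the following Python sketches the two protocol tweaks just listed together with the card layout from the previous slide: the merchant appends the compressed, base64-encoded transaction request after the question mark in the trandata claim URI, the identity selector matches claims only up through the question mark, and the selector also filters cards by the issuers the merchant accepts. The card XML is the slide’s example with vista.com as its placeholder domain; the JSON encoding of the request, zlib compression, URL-safe base64, the function names and the merchant request values are all assumptions made for the example.

```python
# Added example (not code from the slides or the ACI / Ping Identity demo):
# the identity-selector and merchant sides of the "variable data in claims"
# tweak, plus the multiple-issuer filter, on a Payment Information Card.
import base64
import json
import xml.etree.ElementTree as ET
import zlib

# The card fragment from the slide (vista.com is the slide's placeholder domain).
CARD_XML = """<InformationCard>
  <Issuer>http://paymentcard.vista.com</Issuer>
  <SupportedClaimTypeList>
    <SupportedClaimType Uri="http://paymentcard.vista.com/account">
      <DisplayTag>Account Number</DisplayTag>
    </SupportedClaimType>
    <SupportedClaimType Uri="http://paymentcard.vista.com/VV">
      <DisplayTag>Verification Value</DisplayTag>
    </SupportedClaimType>
    <SupportedClaimType Uri="http://paymentcard.vista.com/expiry">
      <DisplayTag>Expiration Date</DisplayTag>
    </SupportedClaimType>
    <SupportedClaimType Uri="http://paymentcard.vista.com/trandata?">
      <DisplayTag>Transaction Details</DisplayTag>
    </SupportedClaimType>
  </SupportedClaimTypeList>
</InformationCard>"""


def card_issuer(card_xml):
    """The card's <Issuer> URI (the payment brand, not a specific bank)."""
    return ET.fromstring(card_xml).findtext("Issuer").strip()


def card_claim_types(card_xml):
    """Claim URIs the card supports, read from SupportedClaimTypeList."""
    root = ET.fromstring(card_xml)
    return {el.get("Uri") for el in root.iter("SupportedClaimType")}


def claim_base(uri):
    """Selector rule from the slide: compare only up through the '?'.
    'http://x/trandata?PAYLOAD' -> 'http://x/trandata?'; fixed claims are unchanged."""
    head, sep, _payload = uri.partition("?")
    return head + sep


def encode_trandata(base_uri, details):
    """Merchant: append the compressed, base64-encoded request to the claim URI.
    Assumption: the request is JSON, zlib-compressed, URL-safe base64 without padding."""
    raw = json.dumps(details, sort_keys=True, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(zlib.compress(raw)).decode().rstrip("=")
    return base_uri + payload


def decode_trandata(claim_uri):
    """Issuer: recover the transaction details carried in the claim URI."""
    _base, _sep, payload = claim_uri.partition("?")
    payload += "=" * (-len(payload) % 4)      # restore stripped base64 padding
    return json.loads(zlib.decompress(base64.urlsafe_b64decode(payload)))


def select_cards(cards, accepted_issuers, required_claims):
    """Identity selector: indices of cards from an accepted issuer that can
    satisfy every required claim (variable-data claims matched by prefix)."""
    wanted = {claim_base(u) for u in required_claims}
    matches = []
    for i, card in enumerate(cards):
        if card_issuer(card) not in accepted_issuers:   # multiple-issuer policy
            continue
        supported = {claim_base(u) for u in card_claim_types(card)}
        if wanted <= supported:
            matches.append(i)
    return matches


# Constructed merchant policy and request (assumed values).
ACCEPTED_ISSUERS = {"http://paymentcard.vista.com", "http://paymentcard.other.example"}
MERCHANT_REQUEST = {"merchant": "Starbuzz Web Coffee", "order": "1001",
                    "amount": "4.25", "currency": "USD"}
REQUIRED_CLAIMS = [
    "http://paymentcard.vista.com/account",
    "http://paymentcard.vista.com/VV",
    "http://paymentcard.vista.com/expiry",
    encode_trandata("http://paymentcard.vista.com/trandata?", MERCHANT_REQUEST),
]

if __name__ == "__main__":
    print("matching cards:", select_cards([CARD_XML], ACCEPTED_ISSUERS, REQUIRED_CLAIMS))
    print("issuer decodes:", decode_trandata(REQUIRED_CLAIMS[3]))
```

Because the selector compares only the prefix, the card never has to know the transaction in advance, which is the whole point of the tweak; the issuer, on the other hand, decodes the full payload and so sees exactly what the merchant asked the consumer to pay for.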
  • How does this rate, privacy-wise?
    • The consumer no longer has to enter billing address and phone number
    • The issuer can return a one-time use pseudo card number to the merchant
      • The routing prefix gets it to the issuer
      • This range not allowed on plastic
    • All the consumer has revealed is what issuer they use
    • Identity theft is thwarted
    • This is a Bob Blakley Identity Oracle
      • Q: Is the customer good for the money?
      • A: Yes, show me this token and you’ll get paid
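An added illustration of the privacy slide (not ACI’s implementation): the issuer hands out a one-time pseudo card number whose routing prefix is in a range reserved for tokens, binds it to the transaction details with a keyed MAC, and refuses replays, so the merchant can be paid without ever holding a live card number. The reserved prefix 999999, the HMAC-SHA256 token as a stand-in for the signed security token, the Luhn check digit and the account placeholder are all constructed for the example.

```python
# Added example (not ACI's implementation): issuer-side one-time pseudo card
# numbers bound to a transaction, and the checks applied when a merchant
# presents the resulting token for authorization.
import hashlib
import hmac
import json
import secrets

# Constructed values for the example. The routing prefix is assumed to be a
# range the issuer reserves for pseudo numbers only and never prints on plastic.
PSEUDO_PREFIX = "999999"                 # assumption: reserved routing prefix, not a real BIN
ISSUER_KEY = b"constructed-issuer-key"   # constructed; in production an HSM-held key


def luhn_check_digit(digits):
    """Return the Luhn check digit for a digit string, so the pseudo PAN passes
    the same syntax checks as a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:            # starting from the right, double every other digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    return luhn_check_digit(pan[:-1]) == pan[-1]


def is_pseudo_pan(pan):
    """Merchant or network side: a 16-digit number in the reserved range with a
    valid check digit. Only such numbers should ever reach the merchant."""
    return len(pan) == 16 and pan.isdigit() and pan.startswith(PSEUDO_PREFIX) and luhn_valid(pan)


def _mac(pan, details):
    """Keyed MAC over the pseudo PAN and transaction details; stands in for the
    issuer-signed security token the slides describe."""
    msg = json.dumps({"pan": pan, "tx": details}, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Maps single-use pseudo PANs to real accounts and authorizes each once."""

    def __init__(self):
        self.pending = {}   # pseudo PAN -> (real account, transaction details)
        self.used = set()

    def issue(self, real_account, details):
        """Answer the merchant's claim request with a fresh pseudo PAN plus a
        token binding it to exactly these transaction details."""
        body = PSEUDO_PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
        pan = body + luhn_check_digit(body)
        self.pending[pan] = (real_account, details)
        return {"pan": pan, "tx": details, "tag": _mac(pan, details)}

    def authorize(self, token):
        """Authorization flow: verify the token, reject replays, then consume the PAN."""
        pan = token["pan"]
        if not hmac.compare_digest(_mac(pan, token["tx"]), token["tag"]):
            return "declined: bad token"            # details or PAN were altered
        if pan in self.used:
            return "declined: token already used"   # one-time use
        if pan not in self.pending:
            return "declined: unknown pseudo PAN"
        self.used.add(pan)
        real_account, _details = self.pending.pop(pan)
        # Here the issuer would debit real_account; it never leaves the issuer.
        return "approved"


if __name__ == "__main__":
    issuer = Issuer()
    tx = {"merchant": "Starbuzz Web Coffee", "amount": "4.25", "currency": "USD"}
    token = issuer.issue("ACCT-DEMO-0001", tx)   # constructed account placeholder
    print(is_pseudo_pan(token["pan"]), issuer.authorize(token), issuer.authorize(token))
```

The `is_pseudo_pan` check is what a merchant or gateway would run before storing anything: a number in the reserved range is worthless outside the one transaction it was issued for, which is why the consumer reveals only which issuer they use and why the merchant never ends up holding a live card number.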
  • Why is this better than 3D-Secure?
    • More secure
    • Easier
    • Lower fees; lower risk
    • More transactions!
    • Shorter click path
    • No storage of live card numbers (PCI DSS 3.4 Data Storage)
    • Lower fraud
    • Brand awareness
    • More transactions!
  • Anything else you’d like to say?
    • This would work well in mobile and set-top boxes
      • Information Cards reduce the number of UI gestures
      • Cards should be replicated among devices
    • Payment Information Cards for authentication with liability
      • A new transaction type could be defined for the PCI networks
      • Card Verify with a specified risk liability (Best Effort, $50, $5000, $50000)
      • The IdP (the Bank) guarantees the authentication, up to the liability amount
      • The more the risk, the higher the fee
      • This is an idea of another day...
  • Is there an identity metasystem here? [Diagram: IdP and RP]
  • Can you show me this live?
    • ACI partnered with Ping Identity to construct a demo, a proof of concept for the show (See it in booth #404!, 5:45 pm & 8 am)
      • Ping Identity did the Information Card parts
      • ACI did the banking part
    • We validated Kim’s vision – there is a very clean separation between the application and the mechanics
      • ACI: issuer, claims, token data
      • Ping Identity: endpoints, token types, crypto
      • Neither needs to know anything about the other
    • Our big disappointment – it looks too simple! :O)
      • Request a card from ACIBank
      • Shop at Starbuzz Web Coffee and pay with your card
  • What does it take to make this happen?
    • Adoption of Information Cards
      • Will consumers adopt it for authentication?
      • Will it catch on in non-Windows contexts? (Mac, Linux, Mobile, Set-top)
    • Small change to the identity selectors
      • Multiple issuers & variable claims
    • Adoption by the payment providers (PCI, PayPal, BillMeLater, ClickToBuy, NACHA) and issuers (30,000)
      • Standards, branding, contracts, marketing, fees
    • Adoption by merchants (1 million)
      • What is it? What’s in it for me?
    • Adoption by consumers (1 billion)
      • What is it? What’s in it for me?
  • How do I find out more?
    • See it!
      • Ping Identity, Booth #404
    • Read about it!
      • http://tootallsid.blogspot.com/2006/12/infocard-and-e-commerce.html
    • Talk to me!
      • [email_address]