Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secure payment systems


Published on

Published in: Technology
  • Be the first to comment

Secure payment systems

  2. 2. OUTLINE <ul><li>Why is security such an issue? </li></ul><ul><li>Physical security </li></ul><ul><li>IT Security Basics – Firewalls </li></ul><ul><li>Public Key Cryptography </li></ul><ul><li>SSL – Secure Socket Layer </li></ul><ul><li>SET – Secure Electronic Transactions </li></ul>
  3. 3. WHY IS SECURITY AN ISSUE? <ul><li>The Internet lets you travel outside of your network and others travel in – Those travelers are not all friendly! </li></ul><ul><li>Critical and private information can be snooped — sniffed </li></ul><ul><li>Information can be deleted or destroyed </li></ul><ul><li>The Internet provides an opportunity for anonymous and rapid theft of lots of money </li></ul>
  4. 4. AGENDA <ul><li>Electronic Commerce </li></ul><ul><li>Underlying Technologies </li></ul><ul><ul><li>Cryptography </li></ul></ul><ul><ul><li>Network Security Protocols </li></ul></ul><ul><li>Electronic Payment Systems </li></ul><ul><ul><li>Credit card-based methods </li></ul></ul><ul><ul><li>Electronic Cheques </li></ul></ul><ul><ul><li>Anonymous payment </li></ul></ul><ul><ul><li>Micropayments </li></ul></ul><ul><ul><li>SmartCards </li></ul></ul>
  6. 6. E-COMMERCE PROBLEMS Snooper Unreliable Merchant Unknown customer
  7. 7. E-COMMERCE RISKS <ul><li>Customer's risks </li></ul><ul><ul><li>Stolen credentials or password </li></ul></ul><ul><ul><li>Dishonest merchant </li></ul></ul><ul><ul><li>Disputes over transaction </li></ul></ul><ul><ul><li>Inappropriate use of transaction details </li></ul></ul><ul><li>Merchant’s risk </li></ul><ul><ul><li>Forged or copied instruments </li></ul></ul><ul><ul><li>Disputed charges </li></ul></ul><ul><ul><li>Insufficient funds in customer’s account </li></ul></ul><ul><ul><li>Unauthorized redistribution of purchased items </li></ul></ul><ul><li>Main issue: Secure payment scheme </li></ul>
  8. 8. WHY IS THE INTERNET INSECURE? <ul><li>Host security </li></ul><ul><ul><li>Client </li></ul></ul><ul><ul><li>Server (multi-user) </li></ul></ul><ul><li>Transmission security </li></ul><ul><ul><li>Passive sniffing </li></ul></ul><ul><ul><li>Active spoofing and masquerading </li></ul></ul><ul><ul><li>Denial of service </li></ul></ul><ul><li>Active content </li></ul><ul><ul><li>Java, Javascript, ActiveX, DCOM </li></ul></ul>A B C Eavesdropping Denial of service A B C Interception A B C Replay/fabrication A B C S S S C C
  9. 9. FIVE MAJOR REQUIREMENTS OF A SECURE TRANSACTION <ul><li>Privacy – how to ensure information has not been captured by a third party </li></ul><ul><li>Integrity – how to ensure the information has not been altered in transit </li></ul><ul><li>Authentication – how to ensure the identity of the sender and receiver </li></ul><ul><li>Authorization – how to ensure a user has the authority to access / update information </li></ul><ul><li>Non-repudiation – how do you legally prove that a message was sent or received </li></ul>
  10. 10. E-COMMERCE SECURITY <ul><li>Authorization, Access Control: </li></ul><ul><ul><li>protect intranet from hordes: Firewalls </li></ul></ul><ul><li>Confidentiality, Data Integrity: </li></ul><ul><ul><li>protect contents against snoopers: Encryption </li></ul></ul><ul><li>Authentication: </li></ul><ul><ul><li>both parties prove identity before starting transaction: Digital certificates </li></ul></ul><ul><li>Non-repudiation: </li></ul><ul><ul><li>proof that the document originated by you & you only: Digital signature </li></ul></ul>
  11. 11. WHAT IS ENCRYPTION? <ul><li>A way to transform a message so that only the sender and recipient can read, see, or understand it </li></ul><ul><li>Plaintext (cleartext): the message that is being protected </li></ul><ul><li>Encrypt (encipher): transform a plaintext into ciphertext </li></ul><ul><li>Encryption: a mathematical procedure that scrambles data so that it is extremely difficult for anyone other than authorized recipients to recover the original message </li></ul><ul><li>Key: a series of electronic signals stored on a PC’s hard disk or transmitted as blips of data over transmission lines </li></ul>
  12. 12. PUBLIC-KEY INFRASTRUCTURE (PKI) <ul><li>Creates the ability to authenticate users, maintain privacy, ensure data integrity, and process transactions without the risk of repudiation </li></ul><ul><li>PKI satisfies four security needs </li></ul><ul><ul><li>Authentication - identifies or verifies that the senders of messages are, in fact, who they claim to be </li></ul></ul><ul><ul><li>Integrity - verifies that neither the purchase amount not the goods bought are changed or lost during transmission </li></ul></ul><ul><ul><li>Nonrepudiation - prevents sender and vendor in a transaction of communication activity from later falsely denying that the transaction occurred </li></ul></ul><ul><ul><li>Privacy - shields communications from unauthorized viewing or access </li></ul></ul>
  13. 13. BASIC ENCRYPTION ALGORITHM <ul><li>Both sender and receiver have to know the rules used to transform the original message or transaction into its coded form </li></ul><ul><li>A set of rules for encoding and decoding messages is called a cipher (or cyper) </li></ul><ul><li>A message can be decrypted only if the decryption key matches the encryption key </li></ul><ul><li>A 6-bit key allows for only 64 possible numeric combinations(2 6 ) </li></ul><ul><li>The standard 56-bit DES encryption code can be cracked on a high-speed computer in a few hours </li></ul><ul><li>100 bit key has 2 100 possible keys </li></ul>
  14. 14. CLASSES OF ALGORITHMS <ul><li>Secret-key (symmetric) encryption : encryption system in which sender and receiver possess the same key; the key used to encrypt a message also can be used to decrypt it </li></ul><ul><li>Stream cipher : a symmetric algorithm that encrypts a single bit of plaintext at a time </li></ul><ul><li>Block cipher : a symmetric algorithm that encrypts a number of bits as a single unit </li></ul><ul><li>Public-key (asymmetric) encryption : encoding/decoding using two mathematically related keys or key-pairs; one public key and one private key </li></ul><ul><li>Key-pairs can be used in two ways: </li></ul><ul><ul><li>To provide message confidentiality </li></ul></ul><ul><ul><li>To prove the authenticity of the message originator </li></ul></ul>
  16. 16. AUTHENTICATION AND TRUST <ul><li>Digital Signature is a special signature for signing electronic correspondence, produced by encrypting the message digest with the sender’s private key </li></ul><ul><li>Authentication is verifying that a message or document, in fact, comes from the claimed sender </li></ul><ul><li>Hash function is a formula that converts a message of a given length into a string of digits called a message digest </li></ul><ul><li>Cryptographic hash functions are generally used to construct the message digest </li></ul>
  18. 18. DIGITAL CERTIFICATES <ul><li>Digital certificates are the heart of secure online transactions </li></ul><ul><li>A digital certificate is a software program that can be installed in a browser </li></ul><ul><li>Your digital certificate identifies you to Web sites equipped to check it automatically </li></ul><ul><li>Digital certificate is an electronic document issued by a certificate authority to establish a merchant’s identity </li></ul><ul><li>Certificate authority (CA) is a trusted entity that issues and revokes public-key certificates and manages key-pairs </li></ul>
  20. 20. FOUR CLASSES OF DIGITAL CERTIFICATES <ul><li>Class 1 certificates contain minimum checks on the user’s background </li></ul><ul><li>Class 2 certificates check for information like real name, Social Security number, and the date of birth </li></ul><ul><li>Class 3 certificates are the strongest type </li></ul><ul><li>Class 4 certificates are the most thorough </li></ul>
  21. 21. ENCRYPTION (SHARED KEY) - Sender and receiver agree on a key K - No one else knows K - K is used to derive encryption key EK & decryption key DK - Sender computes and sends EK (Message) - Receiver computes DK ( EK (Message)) - Example: DES: Data Encryption Standard m : message k : shared key
  22. 22. PUBLIC KEY ENCRYPTION <ul><li>Separate public key pk and private key sk </li></ul><ul><li>Private key is kept secret by receiver </li></ul><ul><li>Dsk ( Epk (mesg)) = mesg and vice versa </li></ul><ul><li>Knowing Ke gives no clue about Kd </li></ul>m : message sk : private secret key pk : public key
  23. 23. DIGITAL SIGNATURE Sign: sign(sk,m) = Dsk (m) Verify: Epk (sign(sk,m)) = m Sign on small hash function to reduce cost
  24. 24. SIGNED AND SECRET MESSAGES sign(sk1, m) Encrypt(pk2) m Decrypt(sk2) Verify-sign Encrypt(pk1) Epk2 ( Dsk1 (m)) pk1 pk2 First sign, then encrypt: order is important.
  25. 25. DIGITAL CERTIFICATES Register public key Download public key How to establish authenticity of public key?
  27. 27. SECURITY AND HTTPS <ul><li>Certificate is an entity’s public key plus other identification (name, CA signature) </li></ul><ul><li>SSL – Secure Socket Layer </li></ul><ul><ul><li>Lies between TCP/IP and HTTP and performs encryption </li></ul></ul><ul><li>HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443) </li></ul>
  28. 28. SECURITY THROUGH HTTPS Browser Database Server Client 1 Server A URL HTTP TCP/IP HTTP Server App. Server index.html Bank Server Dedicated prog.jsp HTTPS port = 80 port = 443
  29. 29. S-HTTP: SECURE HTTP <ul><li>Application level security (HTTP specific) </li></ul><ul><li>&quot;Content-Privacy-Domain&quot; header: </li></ul><ul><ul><li>Allows use of digital signatures &/ encryption </li></ul></ul><ul><ul><li>Various encryption options </li></ul></ul><ul><li>Server-Browser negotiate </li></ul><ul><ul><li>Property: cryptographic scheme to be used </li></ul></ul><ul><ul><li>Value: specific algorithm to be used </li></ul></ul><ul><ul><li>Direction: One way/Two way security </li></ul></ul>
  30. 30. SSL: SECURE SOCKET LAYER <ul><li>Application protocol independent </li></ul><ul><li>Provides connection security as: </li></ul><ul><ul><li>Connection is private: Encryption is used after an initial handshake to define secret (symmetric) key </li></ul></ul><ul><ul><li>Peer's identity can be authenticated using public (asymmetric) key </li></ul></ul><ul><ul><li>Connection is reliable: Message transport includes a message integrity check (hash) </li></ul></ul><ul><li>SSL Handshake protocol: </li></ul><ul><ul><li>Allows server and client to authenticate each other and negotiate a encryption key </li></ul></ul>
  31. 31. SSL – SECURE SOCKET LAYER <ul><li>Client makes HTTPS connection to server </li></ul><ul><li>Server sends back SSL version and certificate </li></ul><ul><li>Client checks if certificate from CA </li></ul><ul><li>Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret” </li></ul><ul><li>Server uses its private key to decrypt “premaster secret” and create the same “master secret” </li></ul><ul><li>The master secret is used by both to create session keys for encryption and decryption </li></ul>
  32. 32. SSL HANDSHAKE PROTOCOL <ul><li>1. Client &quot;Hello&quot;: challenge data, cipher specs </li></ul><ul><li>2. Server &quot;Hello&quot;: connection ID, public key certificate, cipher specs </li></ul><ul><li>3. Client &quot;session-key&quot;: encrypted with server's public key </li></ul><ul><li>4. Client &quot;finish&quot;: connection ID signed with client's private key </li></ul><ul><li>5. Server &quot;verify&quot;: client's challenge data signed with server's private key </li></ul><ul><li>6. Server &quot;finish&quot;: session ID signed with server's private key </li></ul><ul><li>Session IDs and encryption options cached to avoid renegotiation for reconnection </li></ul>
  33. 33. MAJOR ARCHITECTURAL COMPONENTS OF THE WEB Internet Browser Database Server Client 1 Server A Server B Bank Server URL HTTP TCP/IP Browser Client 2 HTTP Server App. Server index.html Bank Server prog.jsp
  34. 34. REQUIREMENTS FOR INTERNET-BASED PAYMENTS <ul><li>Electronic payments are financial transactions made without the use of paper documents such as cash or checks </li></ul><ul><li>Internet-based Payment Systems Models </li></ul><ul><ul><li>Electronic currency is the network equivalent of cash </li></ul></ul><ul><ul><li>Credit and debit cards are the electronic equivalent of checks </li></ul></ul><ul><li>Properties important to an electronic payment system: </li></ul><ul><ul><li>Acceptability </li></ul></ul><ul><ul><li>Ease of integration </li></ul></ul><ul><ul><li>Customer base </li></ul></ul><ul><ul><li>Ease of use and ease of access </li></ul></ul>
  35. 35. PAYMENT SYSTEM TYPES <ul><li>Electronic Cheques </li></ul><ul><ul><li>- NetCheque </li></ul></ul><ul><li>Anonymous payments </li></ul><ul><ul><li>- Digicash - CAFE </li></ul></ul><ul><li>Micropayments </li></ul><ul><li>Credit card-based methods </li></ul><ul><ul><li>Credit card over SSL - First Virtual -SET </li></ul></ul><ul><li>SmartCards </li></ul>
  36. 36. ELECTRONIC CHEQUES <ul><li>Leverages the check payments system, a core competency of the banking industry. </li></ul><ul><li>Fits within current business practices </li></ul><ul><li>Works like a paper check does but in pure electronic form, with fewer manual steps. </li></ul><ul><li>Can be used by all bank customers who have checking accounts </li></ul><ul><li>Different from Electronic fund transfers </li></ul>
  37. 37. HOW DOES ECHECK WORK? <ul><li>Exactly same way as paper </li></ul><ul><li>Check writer &quot;writes&quot; the echeck using one of many types of electronic devices </li></ul><ul><li>” Gives&quot; the echeck to the payee electronically. </li></ul><ul><li>Payee &quot;deposits&quot; echeck, receives credit, </li></ul><ul><li>Payee's bank &quot;clears&quot; the echeck to the paying bank. </li></ul><ul><li>Paying bank validates the echeck and &quot;charges&quot; the check writer's account for the check. </li></ul>
  38. 38. ANONYMOUS PAYMENTS 1. Withdraw money: cyrpographically encoded tokens 2. Transform so merchant can check validity but identity hidden 3. Send token after adding merchant’s identity 4. Check validity and send goods 5. Deposit token at bank. If double spent reveal identity and notify police customer merchant
  39. 39. PROBLEMS WITH THE PROTOCOL <ul><li>Not money atomic: if crash after 3, money lost </li></ul><ul><ul><li>if money actually sent to merchant: returning to bank will alert police </li></ul></ul><ul><ul><li>if money not sent: not sending will lead to loss </li></ul></ul><ul><li>High cost of cryptographic transformations: not suitable for micropayments </li></ul><ul><li>Examples: Digicash </li></ul>
  40. 40. MICROPAYMENTS ON HYPERLINKS <ul><li>HTML extended to have pricing details with each link: displayed when user around the link </li></ul><ul><li>On clicking, browser talks to E-Wallet that initiates payment to webserver of the source site </li></ul><ul><li>Payment for content providers </li></ul><ul><li>Attempt to reduce overhead per transaction </li></ul>
  41. 41. MICROPAYMENTS: NETBILL <ul><li>Customer & merchant have account with NetBill server </li></ul><ul><li>Protocol: </li></ul><ul><ul><li>Customer request quote from merchant, gets quote and accepts </li></ul></ul><ul><ul><li>Merchant sends goods encrypted by key K </li></ul></ul><ul><ul><li>Customer prepares & signs Electronic Purchase Order having <price, crypto-checksum of goods> </li></ul></ul><ul><ul><li>Merchant countersigns EPO, signs K and sends both to NetBill server </li></ul></ul><ul><ul><li>NetBill verifies signatures and transfers funds, stores K and crypto-checksum and </li></ul></ul><ul><ul><li>NetBill sends receipt to merchant and K to customer </li></ul></ul>
  43. 43. PAYING WITH CREDIT CARDS <ul><li>A merchant must accept credit cards </li></ul><ul><li>You must first open a merchant account with your bank </li></ul><ul><li>Charges the merchant pays for online transactions are equivalent to the charges for phoning in the transaction </li></ul><ul><li>The Web merchant needs some form of secure and encrypted line, usually (SSL) </li></ul><ul><li>The merchant needs a shopping cart program that allows users to collect their purchases </li></ul>
  44. 44. ENCRYPTED CREDIT CARD PAYMENT <ul><li>Set secure communication channel between buyer and seller </li></ul><ul><li>Send credit card number to merchant encrypted using merchant’s public key </li></ul><ul><li>Problems: merchant fraud, no customer signature </li></ul><ul><li>Ensures money but no goods atomicity </li></ul><ul><li>Not suitable for microtransactions </li></ul>
  45. 45. FIRST VIRTUAL <ul><li>Customer assigned virtual PIN by phone </li></ul><ul><li>Customer uses PIN to make purchases </li></ul><ul><li>Merchant contacts First virtual </li></ul><ul><li>First virtual send email to customer </li></ul><ul><li>If customer confirms, payment made to merchant </li></ul><ul><li>Not goods atomic since customer can refuse to pay </li></ul><ul><li>Not suitable for small transactions </li></ul><ul><li>Flood customer’s mailbox, delay merchant </li></ul>
  46. 46. CYBERCASH <ul><li>Customer opens account with cybercash, gives credit card number and gets a PIN </li></ul><ul><li>Special software on customer side sends PIN, signature, transaction amount to merchant </li></ul><ul><li>Merchant forwards to cybercash server that completes credit card transaction </li></ul><ul><li>Pros: credit card # not shown to server, fast </li></ul><ul><li>Cons: not for microtransactions </li></ul>
  48. 48. SECURE ELECTRONIC TRANSACTION (SET) PROTOCOL <ul><li>Jointly designed by MasterCard and Visa with backing of Microsoft, Netscape, IBM, GTE, SAIC, and others </li></ul><ul><li>Designed to provide security for card payments as they travel on the Internet </li></ul><ul><ul><li>Contrasted with Secure Socket Layers (SSL) protocol, SET validates consumers and merchants in addition to providing secure transmission </li></ul></ul><ul><li>SET specification </li></ul><ul><ul><li>Uses public key cryptography and digital certificates for validating both consumers and merchants </li></ul></ul><ul><ul><li>Provides privacy, data integrity, user and merchant authentication, and consumer nonrepudiation </li></ul></ul>
  49. 49. SET PROTOCOL <ul><li>Extremely secure </li></ul><ul><ul><li>Fraud reduced since all parties are authenticated </li></ul></ul><ul><ul><li>Requires all parties to have certificates </li></ul></ul><ul><li>So far has received lukewarm reception </li></ul><ul><li>80 percent of SET activities are in Europe and Asian countries </li></ul><ul><li>Problems with SET </li></ul><ul><ul><li>Not easy to implement </li></ul></ul><ul><ul><li>Not as inexpensive as expected </li></ul></ul><ul><ul><li>Expensive to integrated with legacy applications </li></ul></ul><ul><ul><li>Not tried and tested, and often not needed </li></ul></ul><ul><ul><li>Scalability is still in question </li></ul></ul>
  50. 50. THE SET PROTOCOL The SET protocol coordinates the activities of the customer, merchant, merchant’s bank, and card issuer. [Source: Stein]
  51. 51. SET USES A HIERARCHY OF TRUST All parties hold certificates signed directly or indirectly by a certifying authority. [Source: Stein]
  52. 52. SET PAYMENT TRANSACTIONS <ul><li>SET-protected payments work like this: </li></ul><ul><ul><li>Consumer makes purchase by sending encrypted financial information along with digital certificate </li></ul></ul><ul><ul><li>Merchant’s website transfers the information to a payment card processing center while a Certification Authority certifies digital certificate belongs to sender </li></ul></ul><ul><ul><li>Payment card-processing center routes transaction to credit card issuer for approval </li></ul></ul><ul><ul><li>Merchant receives approval and credit card is charged </li></ul></ul><ul><ul><li>Merchant ships merchandise and adds transaction amount for deposit into merchant’s account </li></ul></ul>
  54. 54. SMART CARDS <ul><li>Uses for Smart Cards </li></ul><ul><ul><li>Provides users with the ability to make a purchase </li></ul></ul><ul><ul><li>Holds cash, ID information, and a key to a house or an office </li></ul></ul><ul><ul><li>Three categories of applications </li></ul></ul><ul><ul><ul><li>Authenticate an individual’s claim of personal identification </li></ul></ul></ul><ul><ul><ul><li>Authorization for things like drug prescription fulfillment and voting purposes </li></ul></ul></ul><ul><ul><ul><li>Transaction processing </li></ul></ul></ul><ul><ul><li>Provides encryption and decryption of messages to ensure security, integrity, and confidentiality </li></ul></ul><ul><ul><li>Acts as a carrier of value </li></ul></ul>
  55. 55. SMART CARD APPLICATIONS <ul><li>Government </li></ul><ul><li>Identification </li></ul><ul><li>Health care </li></ul><ul><li>Loyalty </li></ul><ul><li>Telecommunications </li></ul><ul><li>Transportation </li></ul><ul><li>Financial </li></ul>
  56. 56. SMART CARDS <ul><li>Magnetic stripe </li></ul><ul><ul><li>140 bytes, cost $0.20-0.75 </li></ul></ul><ul><li>Memory cards </li></ul><ul><ul><li>1-4 KB memory, no processor, cost $1.00-2.50 </li></ul></ul><ul><li>Optical memory cards </li></ul><ul><ul><li>4 megabytes read-only (CD-like), cost $7.00-12.00 </li></ul></ul><ul><li>Microprocessor cards </li></ul><ul><ul><li>Embedded microprocessor </li></ul></ul><ul><ul><ul><li>(OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM </li></ul></ul></ul><ul><ul><ul><li>Equivalent power to IBM XT PC, cost $7.00-15.00 </li></ul></ul></ul><ul><ul><ul><li>32-bit processors now available </li></ul></ul></ul>
  57. 57. SMART CARDS <ul><li>Plastic card containing an embedded microchip </li></ul><ul><li>Available for over 10 years </li></ul><ul><li>So far not successful in U.S., but popular in Europe, Australia, and Japan </li></ul><ul><li>Unsuccessful in U.S. partly because few card readers available </li></ul><ul><li>Smart cards gradually reappearing in U.S.; success depends on: </li></ul><ul><ul><li>Critical mass of smart cards that support applications </li></ul></ul><ul><ul><li>Compatibility between smart cards, card-reader devices, and applications </li></ul></ul>
  58. 58. SMART CARD APPLICATIONS <ul><li>Ticketless travel </li></ul><ul><ul><li>Seoul bus system: 4M cards, 1B transactions since 1996 </li></ul></ul><ul><ul><li>Planned the SF Bay Area system </li></ul></ul><ul><li>Authentication, ID </li></ul><ul><li>Medical records </li></ul><ul><li>Ecash </li></ul><ul><li>Store loyalty programs </li></ul><ul><li>Personal profiles </li></ul><ul><li>Government </li></ul><ul><ul><li>Licenses </li></ul></ul><ul><li>Mall parking </li></ul><ul><li>. . . </li></ul>
  59. 59. ADVANTAGES AND DISADVANTAGES OF SMART CARDS <ul><li>Advantages: </li></ul><ul><ul><li>Atomic, debt-free transactions </li></ul></ul><ul><ul><li>Feasible for very small transactions (information commerce) </li></ul></ul><ul><ul><li>(Potentially) anonymous </li></ul></ul><ul><ul><li>Security of physical storage </li></ul></ul><ul><ul><li>(Potentially) currency-neutral </li></ul></ul><ul><li>Disadvantages: </li></ul><ul><ul><li>Low maximum transaction limit (not suitable for B2B or most B2C) </li></ul></ul><ul><ul><li>High Infrastructure costs (not suitable for C2C) </li></ul></ul><ul><ul><li>Single physical point of failure (the card) </li></ul></ul><ul><ul><li>Not (yet) widely used </li></ul></ul>
  60. 60. MONDEX SMART CARD <ul><li>Holds and dispenses electronic cash (Smart-card based, stored-value card) </li></ul><ul><li>Developed by MasterCard International </li></ul><ul><li>Requires specific card reader, called Mondex terminal, for merchant or customer to use card over Internet </li></ul><ul><li>Supports micropayments as small as 3c and works both online and off-line at stores or over the telephone </li></ul><ul><li>Secret chip-to-chip transfer protocol </li></ul><ul><li>Value is not in strings alone; must be on Mondex card </li></ul><ul><li>Loaded through ATM </li></ul><ul><ul><li>ATM does not know transfer protocol; connects with secure device at bank </li></ul></ul>
  61. 61. Mondex Smart Card Processing
  62. 62. MONDEX TRANSACTION <ul><li>Here's what happens &quot;behind the scenes&quot; during a Mondex transaction between a consumer and merchant. Placing the card in a Mondex terminal starts the transaction process: </li></ul><ul><ul><li>Information from the customer's chip is validated by the merchant's chip. Similarly, the merchant's card is validated by the customer's card. </li></ul></ul><ul><ul><li>The merchant's card requests payment and transmits a &quot;digital signature&quot; with the request. Both cards check the authenticity of each other's message. The customer's card checks the digital signature and, if satisfied, sends acknowledgement, again with a digital signature. </li></ul></ul><ul><ul><li>Only after the purchase amount has been deducted from the customer's card is the value added to the merchant's card. The digital signature from this card is checked by the customer's card and if confirmed, the transaction is complete.      </li></ul></ul>
  63. 63. MONDEX SMART CARD <ul><li>Disadvantages </li></ul><ul><ul><li>Card carries real cash in electronic form, creating the possibility of theft </li></ul></ul><ul><ul><li>No deferred payment as with credit cards -cash is dispensed immediately </li></ul></ul><ul><li>Security </li></ul><ul><ul><li>Active and dormant security software </li></ul></ul><ul><ul><ul><li>Security methods constantly changing </li></ul></ul></ul><ul><ul><ul><li>ITSEC E6 level (military) </li></ul></ul></ul><ul><ul><li>VTP (Value Transfer Protocol) </li></ul></ul><ul><ul><ul><li>Globally unique card numbers </li></ul></ul></ul><ul><ul><ul><li>Globally unique transaction numbers </li></ul></ul></ul><ul><ul><ul><li>Challenge-response user identification </li></ul></ul></ul><ul><ul><ul><li>Digital signatures </li></ul></ul></ul><ul><ul><li>MULTOS operating system </li></ul></ul><ul><ul><ul><li>firewalls on the chip </li></ul></ul></ul>
  64. 64. DIGICASH, E-CASH AND E-WALLET <ul><li>Digital cash leaves no audit trail </li></ul><ul><li>From a regulatory point of view, digital cash is not any different from any other kind of electronic financial payment medium </li></ul><ul><li> combines e-mail and the credit card network to send real cash </li></ul><ul><li>E-wallet is an electronic payment system that operates like a carrier of e-cash and information in the same way a real-world wallet functions </li></ul><ul><li>’s 1-Click system, </li></ul>
  65. 65. Creating a new global standard for online payments 10/07/04
  66. 66. HOW PAYPAL WORKS Senders Visa/MC, Amex, Discover Bank Account Debit Card (e.g., Switch-Solo in UK) Stored Value Account Bank Account PayPal Debit MasterCard Paper Check Another PayPal account Stored Value Account Receivers eCheck
  67. 67. WHY PAYPAL WORKS FOR BUYERS <ul><li>Free to use </li></ul><ul><li>Pay anyone with a credit card or bank account: “online wallet” </li></ul><ul><li>Fast, secure payment – 1 week -> 1 minute </li></ul><ul><li>Stores financial information securely to maintains user privacy </li></ul><ul><li>Works cross-border </li></ul>eCommerce P2P/remittances Importance PP competitiveness Cost Convenience Rewards/loyalty points Security Network
  68. 68. WHY PAYPAL WORKS FOR SELLERS <ul><li>Enables credit card acceptance </li></ul><ul><li>Faster payment = faster inventory turn </li></ul><ul><li>Easy to sign up </li></ul><ul><li>No setup, monthly or gateway fees </li></ul><ul><li>Competitive price with no minimum time commitment </li></ul><ul><li>Fraud protection – 25 bp vs. 110 bp </li></ul>
  69. 69. COMPLEMENTARY MISSIONS The world’s online marketplace The world’s online payments standard Powering Online Commerce
  70. 70. SYMBIOTIC RELATIONSHIP WITH EBAY <ul><li>Increases velocity of trade </li></ul><ul><li>Enhances trust & safety </li></ul><ul><li>Enables innovation </li></ul><ul><li>Provides the aggregation point for small business </li></ul><ul><li>Drives critical mass of buyers & sellers </li></ul><ul><li>Solved counter-party problem </li></ul>
  71. 71. CHAPTER SUMMARY <ul><li>Electronic currency, credit cards, debit cards, and smart cards are the four main models for Internet-based payment systems </li></ul><ul><li>Payment systems via the Internet include CyberCash and First Virtual </li></ul><ul><li>Secure Electronic Transactions (SET) is a standard for handling transactions on the Internet </li></ul><ul><li>There are three types of electronic payment media </li></ul><ul><ul><li>Trusted third party </li></ul></ul><ul><ul><li>Notational fund transfer-related type </li></ul></ul><ul><ul><li>Digital cash or electronic money </li></ul></ul>
  72. 72. CHAPTER SUMMARY ( CONT’D ) <ul><li>A smart card is a card with a built-in chip capable of storing information in its memory </li></ul><ul><li>One alternative method of payment is digital cash </li></ul><ul><li>EFT is a computer-based system that facilitates the electronic transfer of money or the processing of financial transactions between financial institutions </li></ul><ul><li>Cryptography is the future of privacy and represents the future of money, banking, and finance </li></ul>