Electronic Payment Fundamentals: When Tech Embracing Payment Industry

Image courtesy of energyprojectresources.org

WORKSHOP AGENDA
October 2015
Image courtesy of waystobuildabusinessonline.com
e-Payment Fundamentals 3

1. Understanding Electronic Payment
System and its Environment
2. Navigating How E-Payment Works
3. Valuing E-Cash Systems and its
Opportunities
4. Comprehending E-Cash and its
Implementation
5. Identifying Challenges of E-Cash
6. Understanding E-Payment Risks
October 2015 e-Payment Fundamentals 4
Day 1 and Day 2

UNDERSTANDING
E-PAYMENT SYSTEM AND ITS
ENVIRONMENT

What Electronic Payment System is
A financial exchange takes place online
between buyers and sellers in the form of
digital financial instrument such as
encrypted credit card numbers, electronic
cheques or digital cash backed by a bank or
an intermediary.
In short, EPS is a system helping the user to make online
payment for their shopping or other activities.

EPS Advantages
• Decreasing technology cost
Technology used in the networks is
decreasing day by day.
• Reduced operational and processing cost
Processing cost of various commerce
activities becomes very less (as
saving both paper and time.
• Increasing number of e-commerce sites

Use of E-Payment: U.S. Data

Types of E-Payments
October 2015 e-Payment Fundamentals
Payment
Cards
Electronic
Funds
Transfer (EFT)
E-Cash
Systems
E-Wallets E-Check
Micro Payment
Systems
9

 A system allows a person to pay for goods or
services by transmitting a number from one
computer to another
 Like serial numbers on real currency notes, E-
Cash numbers are unique
 Issued by a bank and represents a specified
sum of real money
 Anonymous and reusable
 In Indonesia, 80% transactions is still cash
 Examples: Mandiri e-cash, BBM Money, T-
Cash, Dompetku, MYNT, XL Tunai.
Understanding E-Cash

 Another payment scheme that operates like
a carrier of e-cash and other information.
 The aim is to give shoppers a single,
simple, and secure way of carrying
currency electronically.
 Trust is the basis of the e-wallet as a form
of electronic payment.
 Such examples are Microsoft .NET
Passport, Yahoo! Wallet, PayPass Wallet,
and DokuWalet.
Understanding E-Wallet

1.Decide on an online site where you would like
to shop.
2.Sign-up or download a wallet from the
merchant’s website or from other website.
3.Fill out personal information such as your credit
card number, name, address and phone
number, and where merchandise should be
shipped.
4.When you are ready to buy, click on the wallet
button, the buying process is fully executed.
Using E-Wallet

Smart Cards
Any pocket-sized card with embedded
integrated circuits which can process data
As known as Chip Card, ICC Card
Flazz, Toll Mandiri, Starbucks Card, etc
Contact
Have a contact area of 1cm comprising
several gold-plated contact pads
These pads provide electrical
connectivity when inserted into a reader

Smart Cards (cont’d)
Contactless
Communicates
with and is
powered through
RFID
Require only
proximity to
antenna to
communicate

Navigating Smart Cards
• Magnetic stripe
• 140 bytes
• Memory cards
• 1-4 KB memory, no processor
• Optical memory cards
• 4 megabytes read-only (CD-like)
• Microprocessor cards
• Embedded microprocessor
• (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM
• Equivalent power to IBM XT PC
• 32-bit processors now available

Navigating Smart Cards (cont’d)
• Available for over 10 years
• So far not successful in U.S., but popular in
Europe, Australia, and Japan
• Smart cards gradually reappearing in U.S.;
success depends on:
• Critical mass of smart cards that support
applications
• Compatibility between smart cards, card-reader
devices, and applications

Nuts and Bolts
• Advantages
1.Atomic, debt-free transactions
2.Feasible for certain value of transactions
3.(Potentially) anonymous
4.Security of physical storage
5.(Potentially) currency-neutral
• Disadvantages
1.Low maximum transaction limit (not suitable for B2B or
most B2C)
2.High infrastructure costs (not suitable for C2C)
3.Not (yet) widely used

Mondex Smart Card
• Holds and dispenses electronic cash
(Smart-card based, stored-value card)
• Developed by MasterCard International
• Requires specific card reader, called Mondex
terminal, for merchant or customer to use card
over Internet
• Supports micro-payments and works both online
and off-line at stores or over the telephone
• Secret chip-to-chip transfer protocol

Credit Cards
• EMV deployment is still
in progress
• Turns every gadget
including Internet of
Things devices into a
credit card?
• Car keys, power bank
and fitness trackers can
also be used to make
credit card payments
• Video

Credit Cards

Electronic Credit Cards
• Credit-card-sized device
holds other credit cards
• Swap from card to card
• Even store gift cards inside
its ultra-thin innards
• Uses low-power Bluetooth
to connect to our iOS
device coupled with a
standard credit-card reader
• Holds up to eight cards
• EMV-NFC ready
• Video 1 and 2
Image courtesy of Techcrunch

Image courtesy of Flint
Video

Nuts and Bolts
• Used for the majority of Internet purchases
• Has a preset spending limit in particular
• Currently convenient method
• Expensive e-payment mechanism
• MasterCard: $0.29 + 2% of transaction value
• Disadvantages
• Does not work for small amount (too
expensive)

NAVIGATING
HOW E-PAYMENT WORKS

Elements of e-Payment
 Client Software
Use of web browser for browsing encrypted
information
 Merchant Server Software
Some solution providers design custom application
software for the merchant, while others integrate
functions with the web server
 Payment by the Customer
Customer can make payment using a credit card, buy
e-cash from a participating bank, or through an
automated clearing house (ACH)

Elements of e-Payment (cont’d)
 Payment to merchant
In debit based transaction, merchant gets payment
immediately, from customer’s bank in his account, through
ACH, through a bank transfer
 Transaction Cost
Cost per transaction varies for credit and debit transactions
and with the service provider
 Risk
In most of the solution provided, the risk is the merchant for
fraudulent transactions

SET Protocol
 Secure Electronic Transaction is jointly designed by
MasterCard and Visa with backing of Microsoft,
Netscape, IBM, GTE, SAIC, and others
 Designed to provide security for card payments as they
travel on Internet
 Contrasted with Secure Socket Layers (SSL) protocol, SET
validates consumers and merchants in addition to providing
secure transmission
 SET specification
 Uses public key cryptography and digital certificates for
validating both consumers and merchants
 Provides privacy, data integrity, user and merchant
authentication, and consumer nonrepudiation

How SET Works

EPS Security Requirements
• Authentication (only authorized individual
or group does and is allowed for the
transaction)
• Integrity (money doesn’t change during the
transfer)
• Non-Repudiation (No party can deny its role
in the transaction)
• Privacy (money and good are exchanged
atomically)
• Safety (money is not lost during a transfer)

Secure EPS Infrastructure
• Authentication
• Many tools available to confirm the authenticity of a user.
• Passwords and ID numbers are used mostly
• Public Key Cryptography
• Use one public and one private to encrypt and decrypt data
• Sender can then encrypt the message with the public key
and receiver can use the private key to decrypt the message.
• Digital Signature
• An electronic one use to authenticate the identity of the
sender of a message

Secure EPS Infrastructure (cont’d)
• Secure Sockets Layer (SSL)
• Commonly used protocol for managing the security of a
message transmission
• Uses the public-and-private key encryption system
• Program layer located between HTTP and TCP
• Certificate
• The issuer verified the identity of the individual
• Symantec Certificates
• GeoTrust

Payment Gateways
A system that provides and authorizes
payments
Protects payment and credit cards details
encrypting sensitive information.
Make sure information passes securely
between customer and merchant and also
between merchant and payment processor
Let us know whether a charge is approved
by cardholder’s bank, and then submits
charge to the bank for settlement

How Payment Gateways Work

Payment Service Provider
• As known as Payment Processor
• A system that connects cardholder’s bank
with merchant’s bank, and card brands
(e.g. Visa, Mastercard, Discover, etc.)
• Take money from cardholder’s bank
account and deliver it to merchant’s bank
account
• More than 900 payment providers in the
world (300 offer services for Europe and
North-America)

Payment Service Provider (cont’d)

Using Payments Cards Online
Payment card
Electronic card that contains information
and used for payment purposes
Three forms
• Credit cards
• Charge cards
• Debit cards
37

Processing Credit Cards Online
Authorization
Determines whether a buyer’s card is active
and whether the customer has sufficient funds
Settlement
Transferring money from the buyer’s to the
merchant’s account
38

Processing Credit Cards Online (cont’d)
Payment service provider (PSP)
A third-party service connecting a
merchant’s EC systems to the appropriate
acquirers.
PSPs must be registered with the various
card associations they support
39

Payments Cards Online: Stakeholders
• Acquiring bank
• Credit card association
• Customer
• Issuing bank
• Merchant
• Payment processing service
• Processor
40

Fraudulent Credit Card Transactions
Address Verification System
(AVS)
Detects fraud by comparing the
address entered on a Web page
with the address information on
file with cardholder’s issuing
bank
41

Fraudulent Credit Card Transactions (cont’d)
Card Verification Number (CVN)
Detects fraud by comparing the
verification number printed on the
signature strip on the back of the card
with the information on file with the
cardholder’s issuing bank
42

Fraudulent Credit Card Transactions (cont’d)
Additional tools used to combat fraud
include:
• Manual review
• Fraud screens and decision models
• Negative files
• Card association payer authentication
services
43

Smart Cards
As known as Stored-Value Cards
Contact Card
A smart card containing a small gold
plate on the face that when inserted in
a smart card reader makes contact
and passes data to and from the
embedded microchip

Contactless (Proximity) Card
A smart card containing a small gold
plate on the face that when inserted in
a smart card reader makes contact
and passes data to and from the
embedded microchip

Smart Card Reader
Activates and reads the contents of the chip on a
smart card, usually passing the information on to a
host system
Smart Card Operating System
Special system that handles file management,
security, input/output (I/O), and command execution
and provides an application programming interface
(API) for a smart card

Application of Smart Cards
• Retail Purchases
E-Purse
Smart card application that loads money
from a card holder’s bank account onto the
smart card’s chip
Common Electronic Purse Specification
(CEPS)
Standards governing the operation and
interoperability of e-purse offerings
• Transit Fares
• E-Identification
47

Application of Smart Cards (cont’d)
Transit Fares
To eliminate the inconvenience of multiple
types of tickets used in public transportation,
most major transit operators in the US are
implementing smart card fare-ticketing systems
E-Identification
Because they have the capability to store
personal information, including pictures,
biometric identifiers, digital signatures, and
private security keys, smart cards are being
used in a variety of identification, access
control, and authentication applications
48

Application of Smart Cards (cont’d)
• In Health Care Industry
• Storing vital medical information in case of
emergencies
• Preventing patients from obtaining multiple
prescriptions from different physicians
• Verifying a patient’s identity and insurance
coverage
• Speeding up the hospital or emergency room
admissions process
49

Securing Smart Cards
• Smart cards store or provide access to
either valuable assets or to sensitive
information
• Because of this, they must be secured
against theft, fraud, or misuse
• The possibility of hacking into a smart card
is classified as a “class 3” attack, which
means that the cost of compromising the
card far exceeds the benefits
50

Near Field Communication
• NFC is the latest payment method introduced to the
world.
• It is not based on cash in the wallet but storing card
information on the phone to be used in a mobile wallet or
to use NFC.

VALUING E-CASH AND ITS
OPPORTUNITIES

E-Cash Conceptual Framework
There are four major components in an electronic cash system:
 Issuers
 Customers
 Merchants or traders
 Regulators.
Issuers can be banks, or non-bank institutions
Customers are referred to users who spend E-Cash
Merchants and traders are vendors who receive E-Cash
Regulators are defined as related authorities or state tax
agencies.

Stages of Transaction
Account Setup
Customers will need to obtain E-Cash accounts
through certain issuers. Merchants who would like to
accept E-Cash will also need to arrange accounts from
various E-Cash issuers.
Issuers typically handle accounting for customers and
merchants.
Purchase
Customers purchase certain goods or services,
merchants tokens which represent equivalent E-Cash.
Purchase information is usually encrypted when
transmitting in the networks.

Stages of Transaction (cont’d)
Authentication
Merchants will need to contact E-Cash issuers
about the purchase and the amount of E-Cash
involved.
E-Cash issuers will then authenticate the
transaction and approve the amount E-Cash
involved.

E-Cash Processing
3
4
2
1
5
Bank
Consumer
Merchant
1) Consumer buys e-cash from Bank
2) Bank sends e-cash bits to
consumer (after changing that
amount plus fee)
3) Consumer sends e-cash to
merchant
4) Merchant checks with Bank that e-
cash is valid (check for forgery or
fraud)
5) Bank verifies e-cash is valid
6) Parties complete transaction

E-Cash Security
 Complex cryptographic algorithms
prevent double spending
 Anonymity is preserved unless double
spending is attempted
 Serial numbers can allow tracing to
prevent money laundering

E-Cash Security (cont’d)
 Simpler than other online payment, no
credential such as card-passwords or
anything such is involved.
 In practice, it’s online fund transfer from
customer’s to trader’s account.
 Customer must keep in mind of internet
security sweep/theft (avoid this by
capitalizing SSL and TSL).

Nuts and Bolts
• Advantages
• More efficient, eventually meaning lower
prices
• Lower transaction costs
• Anybody can use it, unlike credit cards,
and does not require special authorization
• Disadvantages
• Susceptible to forgery

Exploring E-Wallet
Serves a function similar to a physical wallet
 Holds credit cards, electronic cash, owner
identification, and owner contact information
 Provides owner contact information at an
electronic commerce site’s checkout counter
 Stores shipping and billing information,
including a consumer’s first and last names,
street address, city, state, country, and zip or
postal code

Exploring E-Wallet (cont’d)
Decide on an online site where you would like to shop
Download a wallet from the merchant’s website/Sign up on
the website itself to create your Digital wallet
Transfer fund from your bank account into your digital
wallet
When you are ready to buy, click on the wallet button, the
buying process is fully executed
The Digital Wallet’s will check if there is enough E Cash in
the wallet and if yes, then the transaction is completed and
the purchase is made

Types of E-Wallet
Server Side
• A server side electronic wallet stores a customer
information on the remote server belonging to a particular
merchant or wallet publisher
Client Side
• A client side electronic wallet stores customer information
on his/her own computer.
• Many of the early electronic wallet were client side wallet
that require users to download the wallet software

Based on Usage
Closed Wallet
A closed wallet is
one that a company
issues to its
consumers for in-
house goods and
services only.
These instruments
do not carry the
advantage of cash
withdrawal or
redemption
Semi-Closed Wallet
A semi-closed wallet can
be used for goods and
services, including
financial services, at
select merchant locations
or establishments that
have a contract with the
issuing company to
accept these payment
instruments.
Open Wallet
Such wallets can be
used for purchase of
goods and services,
including financial
services such as
funds transfer at
merchant locations
or point-of-sale
terminals that accept
cards, and also cash
withdrawals at
automated teller
machines
or business
correspondents
63

Navigating E-Wallet
• Agile Wallet
• Developed by CyberCash
• Allows customers to enter credit card and
identifying information once, stored on a
central server
• Information pops up in supported
merchants’ payment pages, allowing one-
click payment
• Does not support smart cards or
CyberCash, but company expects to soon

Navigating E-Wallet (cont’d)
• Microsoft Wallet
• Comes pre-installed in Internet Explorer
4.0, but not in Netscape
• All information is encrypted and password
protected
• Microsoft Wallet Merchant directory
shows merchants setup to accept
Microsoft Wallet

Image courtesy of Windows Central

Google Wallet
• Mobile payment system developed by Google
• Allows users to store debit cards, credit cards,
loyalty cards etc
• Uses Near Field Communication to make secure
payments fast and convenient by tapping the
phone on pay press enable terminal
• Works with 30,00,000+ MasterCard merchant
locations

Image courtesy of Android Central

Server side electronic wallet offered by Yahoo!
Lets users store information about several major credit and charge cards

Advantages of E-Wallet
• Convenience
Makes online shopping easier because it fills in an
online order form automatically
• Competitive Advantage
A great advantage for online merchants,
because customers sometimes abandon online
purchases if they feel the order form is too confusing
or frustrating
• Greater revenue opportunities
Open up a new aspect of payment methods in large
markets introducing many business opportunities
and greater potential revenue

• System Outages
Information for E-Wallets are stores on the cloud of
business server, therefore the risk of a system
malfunction or shut down is always present.
• Security
Must ensure their customers’ information is
encrypted and well protected.
• Investment
Initial monetary investment is quite large as it
requires the development of the software as well as
continual maintenance.
Disadvantages of E-Wallet

Future State of E-Wallet
• Automatic Bill Payments: Will be able to make bill payments
on behalf of the used by scheduling payment intervals for
electronic bills and invoices
• Loyalty redemption: Real time reporting of points accrued
under loyalty schemes
• Personal Information access: E wallet will become a single
access point to all personal information including medical,
insurance, mortgage etc.
• Preemptive Purchasing: It can make a list of purchases
based on your purchase habits and remind the consumer to
make these purchases on a regular basis
• Person to Person Payments: It’ll be possible to transfer a
payment from one person to another simply by pointing two
“wallet enabled devices” at each other

Future State of E-Wallet (cont’d)

E-Micro Payments
Small online payments, typically under US$10
Companies with e-micropayment products:
• BitPass (bitpass.com)
• Paystone (paystone.com)
• PayLoadz (payloadz.com)
• Peppercoin (peppercoin.com)
• Clickshare
• IBM micro-payment systems
75

E-Check
A legally valid electronic version or
representation of a paper check
Automated Clearing House (ACH)
Network
A nationwide batch-oriented electronic
funds transfer system that provides for the
interbank clearing of electronic payments
for participating financial institutions

Bitcoin, Here We Go
• First decentralized digital/virtual currency
• Peer-to-Peer currency with mathematic
protection
• No centralized control/Central Bank
• Based on cryptographic proof (SHA256)
instead of trust
• Developed by a person/group under
pseudonym of Satoshi Nakamoto (2008)
• Operational since early 2009
• No financial institutions involved or managed

Bitcoin Key Concepts
Bitcoins
Transactions
Proof of
Work
Mining
Digital Wallet
78

Bitcoin Advantages
• BTC software unchangeable without majority users within
entire network accepting the change
• While majority of nodes are honest, attackers cannot harm
the system
• Attacker would need astronomical computer power to
corrupt block chain
• No government can print more money
• Anonymity
• Lower global transaction costs
• New bubble may emerge (?): Oct13 = USD150 while Nov13
is more than USD500
• March 2013: BTC passed 1 Billion USD (around 11 million
Bitcoins in circulation)

BTC Transactions
•Straight away between owner and
receiver
•Broadcasted through Peer-to-Peer
(P2P) network
•All are public but anonymous
•Mining nodes collects the transactions
into Blocks

BTC Transactions (cont’d)
• Transactions Blocks  Full page in a Ledger Book
• Block contains information about transactions and
previous Block (Block Chain) linking to the first block
when Bitcoin Network started.

Where to use BTC?

COMPREHENDING E-CASH
AND ITS IMPLEMENTATION

Benefits of E-Check
• Reduces merchant’s administrative costs by
providing faster and less paper-intensive
collection of funds
• Improves efficiency of deposit process for
merchants and financial institutions
• Speeds the checkout process for consumers
• Provides consumers with more information
about their purchases on their account
statements
• Reduces float period and number of checks
that bounce because of insufficient funds
(NSFs)

Processing E-Check with Authorize.net

Electronic Bill and Payment
• Presenting and enabling payment of a bill online. Refers
to a B2C transaction

Electronic Bill and Payment (cont’d)
Types of E-Billing
• Online banking
• Biller direct
• Bill consolidator
Advantages of E-Billing
• Reduction in expenses related to billing and processing
payments
• Electronic advertising inserts can be customized to the
individual customer
• Reduces customer’s expenses

E-Billing Process for Single Biller

E-Billing Process for Bill Consolidator

BTC Transactions: Going Further
• Block Chain file is maintained on every node

BTC Transactions: Going Further (cont’d)
• Each Block carries a Proof of Work
• BTC are generated for machine which
solved Proof of Work
• New block is started and linked to the block
chain
• First transaction in a block = Special
transaction = new coins owned by the
creator of the block
• New block chain status is broadcasted to
the network

BTC Transactions: Going Further (cont’d)
• Fighting Transactions Hackers
Transaction history cannot be changed unless
redoing all Proof of Work of all blocks in the chain
• Enormous computational power
Redoing the proof of work since the very first
transaction block
• Double spending problem
Solved using a P2P distributed timestamp server
to generate computational proof of the
chronological order of transactions

BTC Mining
• No centralized entity for generating BTC
• Mining Process will solve Proof of Work from a
Transaction Block
• Confirms transactions and increase security
• User can be miners and are rewarded by:
• Transactions fees for the transactions they confirm
• New block created / proof of work solved (25 BTC
today)
• Mining is a competitive market ($$$$$$)
• More miners = more secure network

BTC Mining (cont’d)
• As of September 2013 it was 11,5 million Bitcoins
• Bitcoins are generated in blocks
• A new Block generated every 10 minutes
• Currently 25 Bitcoins are mined per block
• BTC generation will stop at 2140 (around 21 Million
Bitcoins)
• Mined BTC kept with PC that solved Proof of Work
• In Jan 2009, 1 Transaction Block solved = 50 BTC
• After 2140 the incentive will be only the transaction fee

BTC Mining (cont’d)
• Initially, CPU power to solve PoW for
Transaction Blocks
• Graphic cards solve PoW faster
• New dedicated chips for performing mining
• Miners are crucial BTC network by ensuring:
• Impartial
• Stable
• Secure

Bitcoins Mining (cont’d)
• BTC are entries in transactions blocks
(Ledger Book).
• If someone receives BTC, transaction will
be logged in (transaction) block (chain),
unconfirmed until Proof of Work is solved.
• BTC ownership and transfer are ensured
by digital signatures through crypto private
and public keys.

Proof of Work
• Typical PC may take several years to do
• Only around 10 minutes using BTC network
• Extremely unlikely, but 2 or more nodes may do PoW at
the same time

Trading Platform and Exchange (cont’d)
• BTC-e
Digital currency trading platform and exchange
Founded in July 2011, HQ in Russia
As of Feb15 handles 2.5% all Bitcoin exchange
volume
Allows trading between currencies USD, RUR and
EUR, and cryptocurrencies Bitcoin, Litecoin,
Namecoin, Novacoin, and Peercoin
Been component of CoinDesk Bitcoin Price Index
(Sep13)

• BTC-e
Digital currency trading platform and exchange
Founded in July 2011, HQ in Russia
As of Feb15 handles 2.5% all Bitcoin exchange
volume
Allows trading between currencies USD, RUR and
EUR, and cryptocurrencies Bitcoin, Litecoin,
Namecoin, Novacoin, and Peercoin
Been component of CoinDesk Bitcoin Price Index
(Sep13)

Image courtesy of wikipedia.org
101

102

103

104

105

Digital Wallet
• BTC can be stored in Digital Wallet
• Web services
• Local applications
• USB drivers
• Protected by
Private/Public keys
• Possible to
print BTC

Digital Wallet (cont’d)
• No one can lock/freeze our money like
bank account
• Bitcoins smallest fraction is 1 Satoshi 
0.00000001 BTC
• Losing private key means losing our BTCs
(forever gone from BTC economy)
• BTC is deflationary

How Payment Giants Correspond
MasterCard
• One of 11 investors in Barry Silbert's Digital Currency
Group's (DCG) new undisclosed funding round.
• Earlier: “…the risks presented by digital currencies far
outweighed the benefits” (Nov14)
• Matthew Driver, President for SEA (Dec14): "not completely
comfortable with the idea of cryptocurrencies“ and the
technology was "against the whole principle" on which they
had established its business.
• Another official statement
Source: CoinDesk

How Payment Giants Correspond (cont’d)
VISA
• Invested in crypto space, contributing to blockchain startup
Chain's $30m funding round.
• Recently revealed a new PoC that leverages bitcoin's
blockchain for record keeping such as digitizing car rental
process, using bitcoin transactions to create a digital
fingerprint for each vehicle on the blockchain.
• Jonathan Vaux, New Digital Payments and Strategy Exec
Director at Visa Europe, said:
Source: CoinDesk

American Express
• VC arm invested in bitcoin-to-cash app Abra ($12m Series
A round).
• Official statement: "Let's see what currencies are important
and we'll transact in the currencies that our customers want
to transact in.”
• CEO Kenneth Chenault: “The protocol of bitcoin is going to
be important."
• Another official statement:
Source: CoinDesk

PayPal
• Announced its first partnerships in bitcoin space
(Sep14).
• Alliances with BitPay, GoCoin and Coinbase had
been months in the making.
• (Former) CEO John Donahoe official statement:
Source: CoinDesk

IDENTIFYING
CHALLENGES OF E-CASH

Electronic Payments
Current B2B Payment Practices
• Financial supply chains of most companies are
characterized by inefficiencies created by a number of
factors, including:
• The time required to create, transfer, and process paper
documentation
• The cost and errors associated with manual creation
and reconciliation of documentation
• The lack of transparency in inventory and cash positions
when goods are in the supply chain
• Disputes arising from inaccurate or missing data
• Fragmented point solutions that do not address the
complete end-to-end processes of the trade cycle

Electronic Payments (cont’d)
Enterprise Invoice Presentment and
Payment (EIPP)
Presenting and paying B2B invoices
online
EIPP Models
• Seller Direct
• Buyer Direct
• Consolidator

E-Cash Opportunity

E-Cash Challenges
• Most of e-cash (including stored-value cards)
provides no audit trail
• True electronic cash is not traceable, so money
laundering is a problem
• Electronic cash is susceptible to forgery
• Tax Evasion (tax reporting and collection)
• Jurisdictional concerns
• Regulating issuers: Should anyone be allowed to
issue e-cash? If non-banks allowed to issue, could
they be the subject to the same (extensive)
regulatory controls as bank?

• Money laundry – practically impossible
to track BTC transactions
• FBI x Silk Road – Bitcoin used for
trading drugs among other illicit
products.
• Legality among countries?
Bitcoin Challenges

Bitcoin Challenges (cont’d)

UNDERSTANDING E-
PAYMENT RISKS

Defining Cyber Crime
• Former descriptions were "computer crime",
"computer-related crime" or "crime by computer“.
• With the pervasion of digital technology, some new
terms like "high-technology" or "information-age"
crime were added to the definition. Also, Internet
brought other new terms, like "cybercrime" and "net"
crime.
• Other forms include "digital", "electronic", "virtual" ,
"IT", "high-tech" and technology-enabled" crime.

October 2015
Source: IBM [1] UNODC Comprehensive Study on Cybercrime, 2013

October 2015
Source: IBM
[2] FBI: Crime in the United States 2013
[3] United California Bank Robbery
[4] Center for Strategic and International Studies

October 2015
Source: IBM [6] ESG: http://bit.ly/1xzTmUW

Cyber Crime Categories
• Computing Devices as a Target
Using those devices to
attacks other devices
e.g. Hacking, virus/worms
attacks, DoS attack, etc.
• Computing Devices as a Weapon
Using those devices to
commit real-world crimes
e.g. cyber terrorism, credit
card fraud and
pornography, etc.
October 2015
Image courtesy of chakreview.com

Cyber Crime Categories (cont’d)
From victim point of views:
1. Cyber crime on Persons
e.g. Harassment occurred in cyberspace,
or through the use of cyberspace (sexual,
racial, religious, or other) and cyber bullying.
2. Cyber crime on Groups/Organizations
Targeting particular or certain organizations
or groups whether profit or non-profit. Often
time those who reside as financial industry
players.

Cyber Crime Categories (cont’d)
3. Cyber crime on Property
e.g. Computer vandalism (destruction of others'
property), transmission of harmful programs,
unauthorized intrusion through cyber
space, unauthorized possession of computer
information.
4. Cyber crime on Government
e.g. Cyber terrorism is one distinct kind of crime in
this category.

In 2014 Federal Bureau Investigation (FBI)
unveils from the most frequent one:
• Viruses
• Employee abuse of internet privileges
• Unauthorized access by insiders
• Denial of Service
• System penetration from the outside
• Theft of proprietary information
• Sabotage of data/networks
• Proving/scanning systems
• Financial fraud
Notable Cyber Attacks

 Manipulate data
integrity
 Installed a sniffer
 Stole password
files
 Trojan logons
 IP spoofing
Notable Cyber Attacks (cont’d)
October 2015
Image courtesy of @TrojanLax

Cyber Crime-as-a-Service Marketplace
• Continues to mature over the past two years.
• Enables more fraudsters to cash in without needing
to understand the chain of fraud, how to phish or
spam, or IT infrastructure requirements.
• Becomes fiercely competitive.
• Cybercrime 'service providers' must work harder than
ever before to win and keep 'customers.’
• Generalized increase in quality of malware produced.
• Enables much larger pool of bad actors with no
technical knowledge to profit from.

(cont’d)
• Many types of attack are simple and low
cost.
• Phishing attacks: 500,000 email addresses
cost $30.
• Hosting a phishing site can be more or less
free.
• Thousands of credit cards can be stolen in
return for around $100.

(cont’d)
October 2015
Image courtesy of EMC

Larger Retail and Financial Attacks
• Shift from attacks on individuals to mass attacks on
retailers and financial institutions.
• Banking botnets becoming more resilient and harder to
take down.
• Utilized deep web and untraceable peer-to-peer networks,
(TOR and I2P), to increase resilience and anonymity, and
hide their infrastructure from law enforcement agencies.
• Private botnets – written specifically for individual gang
(harder to trace and analyze).
• Point of Sale (POS) malware used and RAM scrapers.

October 2015
Image courtesy of EMC

Check This Facts Out
Security Threat and Symantec says
• 36,6 million cyber attacks (35% from outside, the rests
from inside the country) from 2012 to 2014.
• 497 cyber crime cases from 2012 to April 2015 with 389
are foreigners and 108 local citizens.
• Fake bank account, money laundering, artificial LC
document, camouflage posting.
• Accounted for 4.1% of the world cyber crimes.
• The highest percentage of PC infected by malware across
the globe.
Government CSRIT says
• 60% of government domains encountered web
defacements and 36% infected by malware

Check This Facts Out (cont’d)
• According to Norton latest Cyber
Crime report, global consumer
cyber crime cost over than USD
150bn annually.
• Yet the figures for Indonesia are
unknown.
• Dakaadvisory predicts around USD
2.3bn in 2013 by multiplying
number of victims with cost per
victim.
• From Ministry of Communication
and IT’s total budget of USD 500m,
1% allocated for Cyber Security.

Simplest Ways of Prevention
• Disable and log off a specific user account to
prevent access.
• Disable and log off a group of user accounts which
access a particular service that is being attacked.
• Disable and dismount specific (network) devices,
for instance disk devices that are being swamped.
• Disable specific applications, for example, an e-
mail system subjected to a SPAM attack.
• Close down an entire system, and divert
processing to an alternative or backup service on
a secondary network.

Simplest Tips of Controls
• Use antivirus software.
• Install firewalls.
• Uninstall unnecessary software.
• Maintain backup.
• Check security settings.
• Stay anonymous - choose a genderless screen
name.
• Never give your full name or address to
strangers.
• Learn more about Internet privacy.

How to Do?
A flexible organization with a centralized
core
• Security Oversight
• Information Risk
• (Cyber) Security Risk
• Security Architecture and Engineering
• Security Operations

Organization Culture
• What do your executives expect from
security?
• If not GRLC, then focus on operations
• Build trust and demonstrate value
• Reporting Inside or Outside IT?
• Centralized or Decentralized?

Controls to Enforce Policies
• Log access to data, information and transaction
by unique identifier” as it requires log
management or SIEM.
• Limit access to specific data to specific
individuals as it required unique system
username and password.
• Sensitive data shall not be emailed outside the
organization with DLP or email encryption
system.

Educate, Educate, Educate
•Our security stakeholders: employees,
executives, partners, suppliers,
vendors
•What are our policies?
•How to comply?
•Consequences of failure to comply

Monitoring and Controlling
• Assessment
• Review
• Audit
• Monitor change control
• New vendor relationships
• Marketing initiatives
• Employee terminations

IIA Three Lines of Defense (3LoD)
Image courtesy of IIA Global Advocacy Platform
146

InfoSec Control Frameworks

ISACA Framework on Information Security
October 2015
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed Credit: ISACA

NIST Cybersecurity Framework
• Critical Infrastructure
- Vital infrastructure - private and public operators
- Lack of availability would have “debilitating impact”
on the nation’s security, economy, public health,
safety…
• Executive Order 13636; February 12, 2013
• Threat information sharing
• NIST: Baseline Framework to reduce cyber risk
• “Standards, methodologies, procedures and processes that align
policy, business, and technological approaches…”

InfoSec Standards
‘ISO/IEC 27001’
Best practice recommendations for initiating,
developing, implementing, and maintaining Information
Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others

InfoSec Standards (cont’d)
• Payment Card Industry – Data Security Standards (PCI-
DSS) version 3

PCI-DSS High Level Overview

Guidelines for Cardholder Data Elements

By Utilizing Such Framework and Standard
Reduce complexity of activities and processes
Deliver better understanding of information
security
Attain cost-effectiveness in managing privacy
and security
Enhance user satisfaction with the
arrangements and outcomes
Improve integration of information security

By Utilizing Such Framework and Standard (cont’d)
Inform risk decisions and risk awareness
Enhance prevention, detection and
recovery
Reduce probability and impact of
security incidents
Leverage support for organization
innovation and competitiveness

October 2015
Thank You!
Image courtesy of rebajhoffman.com

Electronic Payment Fundamentals: When Tech Embracing Payment Industry

More Related Content

What's hot

Viewers also liked

Similar to Electronic Payment Fundamentals: When Tech Embracing Payment Industry

More from Goutama Bachtiar

Recently uploaded

Electronic Payment Fundamentals: When Tech Embracing Payment Industry