Intro

Electronic payments deal with the strategies for the payment of goods and services by online customers.

Various instruments used are
- Electronic Cash
- Electronic Checks
- Credit/Debit cards
- Smart cards

Types of Electronic Payment systems
- Token based payment systems
  - Electronic Tokens in the form of Electronic cash/checks
  - Electronic tokens can be classified as
    - Cash or real time
    - Debit or prepaid
    - Credit or postpaid
- Credit card based payment systems
  - Using plain credit card details
  - Using encrypted credit card details
  - Using third party verification

Electronic Payments: An Overview (cont.)
- Four parts involved in e-payments
  - Issuer
  - Customer/payer/buyer
  - Merchant/payee/seller
  - Regulator
- Key issue of trust must be addressed
  - Privacy
  - Authentication and authorization
  - Integrity
  - Nonrepudiation

Security for E-Payments
- Public key infrastructure
  - Plaintext
  - Encryption algorithm
  - Ciphertext
  - Key
- Types of encryption systems
  - Symmetric (private key)
    - Used to encrypt and decrypt plain text
    - Shared by sender and receiver of text
  - Asymmetric (public key)
    - Uses a pair of keys
    - Public key to encrypt the message
    - Private key to decrypt the message

Private Key Encryption Public Key Encryption Size of key RSA algorithm Speed of Key Rijndael algorithm

Security for E-Payments (cont.)
- Digital Signatures: authenticity and nondenial
  - Analogous to handwritten signature
  - Based on public keys
  - Used to:
    - Authenticate the identity of the sender of a message or document
    - Ensure the original content of the electronic message or document is unchanged

Security for E-Payments (cont.)
- Digital Signatures: authenticity and nondenial (cont.)
  - Benefits:
    - Portable
    - Cannot be easily repudiated or imitated
    - Can be time stamped

Digital Signatures

Security for E-Payments (cont.)
- Digital certificates
  - Identifying the holder of a public key (Key-Exchange)
  - Issued by a trusted certificate authority (CA)

Digicash Model
1- Consumer asks Bank for Digicash
2- Bank sends Digicash bits to consumer
3- Consumer sends Digicash to merchant in payment
4- Merchant checks that Digicash has not been double spent
5- Bank verifies that Digicash is valid

Advantages
- Privacy, Scalability

Disadvantages
- Complexity
- Detecting double spending
- Robustness against failure
- Accountability

Security for E-Payments (cont.)
- Secure socket layer/transport layer security
- Secure socket layer (SSL): handle on Web browser, utilizing CAs and data encryption
  - Encryption
  - Digital certificates

  - Digital signatures
- In 1996 SSL was standardized and named transport layer security (TLS)
- Operates at TCP/IP layer (base layer for Internet)
- IPSec: secure version of IP protocol

SET Vs. SSL

Online Bookstore SSL Encryption

E-Cards
- Three common types of payment cards
  - Credit cards: provides holder with credit to make purchases up to a limit fixed by the card issuer
  - Charge cards: balance on a charge card is supposed to be paid in full upon receipt of monthly statement
  - Debit card: cost of a purchase drawn directly from holder's checking account (demand-deposit account)

E-Cards
- The Players
  - Cardholder
  - Merchant (seller)
  - Issuer (your bank)
  - Acquirer (merchant's financial institution, acquires the sales slips)
  - Card association (VISA, MasterCard)
  - Third-party processors (outsourcers performing same duties formerly provided by issuers, etc.)

Online Credit Card Processing

E-Cards
- E-wallets
  - One-click shopping: saving your order information on retailer's Web server
    - Name
    - Shipping address
    - Billing address
    - Credit card information
  - E-wallet: software downloaded to cardholder's desktop that stores same information and allows one-click-like shopping

E-Cards
- Other security risks with credit cards
  - Stolen cards
  - Reneging by the customer: authorizes a payment and later denies it
  - Theft of card details stored on merchant's computer: isolate computer storing information so it cannot be accessed directly from the Web
- Overcoming risks with virtual credit cards

E-Cards
- Purchase cards
  - Instrument of choice for B2B purchasing
  - Special-purpose, non-revolving payment cards issued to employees solely for purchasing and paying for nonstrategic materials and services

E-Cards
- Purchase cards: operate like other credit cards
  - Cardholder of corporation places an order for goods or services
  - Supplier processes transaction with authorization of card issuer
  - Issuer verifies purchase authorization

E-Cards
- Purchase cards: operate like other credit cards (cont.)
  - All cardholders' transactions processed centrally: one payment for all purchases
  - Each cardholder reviews monthly statement
  - Card issuer analyzes transactions: standard and ad hoc reports are made
  - Card issuer creates electronic file to upload to corporation's ledger system

E-Cards
- Benefits of purchasing cards
  - Cost savings
  - Productivity gains
  - Bill consolidation
  - Payment reconciliation
  - Preferred pricing
  - Management reports

E-Cards

E-Cards
- Optical memory cards
  - Stores 4MB of data; once written, data cannot be changed or removed
  - Ideal for keeping records (medical files)
  - Require expensive card readers
- Categorize smart cards by how they store data
  - Contact card: insert in smart card reader
  - Contactless card: embedded antenna read by another antenna (mass-transit applications)

Contactless IC Cards
- Proximity Card
  - Used to access buildings and pay for buses and other transportation systems
  - Bus, subway and toll card in many cities
- Amplified Remote Sensing Card
  - Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
  - Pay toll without stopping (e.g. Highway 91 in California)

Smart Card Image

E-Cards
- Smart cards are computer devices and require:
  - Chip with an operating system to run applications

  - Programming language to write applications
- Multipurpose cards use new operating systems
  - MultOS
  - JavaCard
  - Microsoft Windows for smart cards

E-Cards
- Important applications of smart card use:
  - Loyalty
  - Financial
  - Information technology
  - Health and social welfare
  - Transportation
  - Identification

E-Cash and Payment Card Alternatives
- E-cash and credit card alternatives (for micropayments, under $10)
  - E-cash
    - Identity of user hidden from merchant
    - Easier to use than earlier e-cash systems
    - Requires specialized software
  - Qpass
    - Set up Qpass account
    - User name and password
    - What credit card to charge

E-Cash and Payment Card Alternatives
- PrivateBuy
  - User establishes account
  - User assigned 16-digit user number (anonymous address)
  - Hides user name and card number from merchant site
  - Relies on credit card system already in place

PrivateBuy Anonymous Shopping

E-Cash and Payment Card Alternatives
- Echarge enables users to:
  - Establish accounts
  - Receive user ID and password
  - Use instead of credit card numbers
- Purchases billed to user's credit card
- Merchants must establish payment option

E-Cash and Payment Card Alternatives
- Stores cash downloaded from bank or credit card account
- Common uses
- Disposable vs. reloadable cards

- Sample cards
  - Visa cash
  - Mondex
- Electronic purses
  - Lack of interoperable equipment and standards
  - Common Electronic Purse Specification (CEPS)

E-Cash and Payment Card Alternatives
- E-loyalty and rewards programs
  - Loyalty programs online
  - Consumer earns beenz by visiting, registering, or purchasing at 300 participating sites
  - Beenz are stored and used for later purchases
  - Partnered with MasterCard to offer rewardzcard: stored-value card used in U.S. and Canada for purchases where MasterCard is accepted
  - Transfer beenz into money to spend on Web, by phone, mail order, physical stores

E-Cash and Payment Card Alternatives
- MyPoints-CyberGold
  - Customers earn cash
  - Cash used for later purchases or applied to credit card account
- RocketCash
  - Combines online cash account with rewards program
  - User opens account and adds funds
  - Used to make purchases at participating merchants

E-Cash and Payment Card Alternatives
- Person-to-person (P2P) payments and gifts
  - Enable transfer of funds between two individuals
    - Repaying money borrowed
    - Paying for an item purchased at online auction
    - Sending money to students at college
    - Sending a gift to a family member

Sending money with PayPal

E-Checking
- Electronic checkbook
  - Counterpart of electronic wallet
  - To be integrated with the accounting information system of business buyers and with the payment server of sellers
  - To save the electronic invoice and receipt of payment in the buyers' and sellers' computers for future retrieval
  - Example: SafeCheck

  - Used mainly in B2B

E-Checking
- Current checking system
  - Role of clearinghouses in the check-clearing process
  - Magnetic ink characters (MICR)
  - Costs of the current system

MICR Check Characters

E-Checking
- Electronic version of paper check
- Leverage check payment systems
- Fit within current business practices, eliminate need for process reengineering
- Work like paper check with fewer manual steps

E-Checking
- Designed to meet needs of businesses and consumers (state of the art security systems)
- Used by all bank customers with checking accounts
- Enhance existing bank accounts with new EC features

E-Checking
- Benefits of e-checking for industry-wide savings
  - Online check collection process
  - Online notices of check returns
  - Truncating paper checks at bank of first deposit
  - Creating new cash management product opportunities

E-Checking
- eCheck Secure
  - Third party vendor with software for e-check purchases
  - Aimed at B2C sites

E-Checking
- Truncating paper checks at bank of first deposit
- Creating new cash management product opportunities
- Checkfree: leading third-party e-billing vendor

E-Check Processing by eCheck Secure

Digital of Signatures in E-Check Processing

E-Checking
- Treasury Department expects e-checks to:
  - Enhance security through use of public key cryptography
  - Push a payment to the payee and not pull funds from general account of the U.S.
  - Leverage Internet for its strength as ubiquitous communication vehicle
  - Increase payment choices for U.S. Treasury payees

E-Billing
- Customers are either individuals or companies
- Two common models of e-billing
  - Biller direct: customer receives bill from a single merchant
  - Third-party consolidators: presents bills from multiple merchants

Figure 14-15 E-Bill Presentment

E-Billing Process for Single Biller

E-Billing Processes for Bill Consolidator

Managerial Issues
- In the B2C world, understand your customers and products
- In the B2B world, keep an open mind about online alternatives
- In-house or outsource
- Security continues to be a major issue

Electronic Cash
- Bit strings as tokens representing value (amount, serial #)
- Issued by banks
- Digital signature to protect integrity
- Anonymous
- Can be easily duplicated. Must prevent double spending by monitoring serial number reuse

Cash Transaction

Digital Checks
- Consumers issue signed drafts on online bank accounts
- Merchants may do online or delayed clearing
- Clear through existing bank systems, e.g. ACH
- May attach remittance information

Electronic Check Concept

Electronic Check
- Electronic Checkbook: PCMCIA, Smart Card, PIN protected
  - Key storage
  - Signature and transaction logging
- Digital signatures: signing and endorsing
- Digital certificates: authenticate payor, payor bank and bank account

Credit Card Info Sent Direct to Merchant
- Consumer sends card # direct to merchant
- Similar to today's phone order
- Must trust merchant with card info
- High transaction costs

Third Party Intermediary Model (CyberCash)
- Protects consumer's card info
- Use Internet for reaching Cybercash gateway to acquirers
- Adds to credit card cost

Smart Cards
- Magnetic stripe
- Memory cards

- Optical memory cards
- Microprocessor cards

What makes the card smart?
- CPU (8-bit, 16/23 bit)
- Memory (RAM, ROM, EEPROM/Flash)
- I/O channel (Contact/Contactless)
- Cryptographic co-processor
- On card devices (Fingerprint, display)
- Standards (ISO 7816, GSM, EMV, VOP, CEPS)

A variety of terminals
- Embedded system
- Standards (ISO 7816, PC/SC, OCF)

Applications
- Bank card
- GSM SIM card
- Health card
- Pay-TV
- ID card
- Transport
- Campus card

Mondex
- Smart-card-based, stored-value card (SVC)
- Subsidiary of MasterCard
- Secret chip-to-chip transfer protocol
- Value is not in strings alone; must be on Mondex card
- Loaded through ATM
- Spending at merchants having a Mondex value transfer terminal

Mondex Components (Hitachi)

PayPal
- Pay anyone, anywhere via email
- 16 million users
- Accounts insured up to $100,000
- Based on automated clearinghouse
- Withdraw funds anytime, or send to someone else
- Mobile payments (WAP)

Security Requirements
- Integrity (data should be protected against modification by unauthorised parties)
- Authenticity (parties should have certainty about each other's identity)
- Confidentiality (data should not be visible to unauthorised parties)
- Availability (data should be accessible by authorised parties)
- Non-repudiation (parties should not be able to deny the actions that they performed)

Secure Sockets Layer (SSL)

SET Protocol
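
The double-spending check from the Electronic Cash and Digicash Model slides, as an added Python example that is not part of the original slides: the bank protects each token (serial number, amount) against alteration and refuses any serial number it has already cleared. Assumptions: an HMAC keyed by the bank stands in for the bank's digital signature so the code runs on the standard library alone, anonymity is not modelled, and the Bank class, token fields and amounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Issues e-cash tokens and detects double spending (illustrative only)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret held only by the bank
        self._spent = set()                  # serial numbers already cleared

    def _tag(self, serial: str, amount: int) -> str:
        # HMAC stand-in for the bank's signature over (serial #, amount).
        msg = f"{serial}|{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, amount: int) -> dict:
        # Steps 1-2: consumer asks for cash, bank returns the token bits.
        serial = secrets.token_hex(16)       # unique, unguessable serial number
        return {"serial": serial, "amount": amount, "tag": self._tag(serial, amount)}

    def deposit(self, token: dict) -> str:
        # Step 5: check integrity first, then look for serial number reuse.
        try:
            serial, amount = str(token["serial"]), int(token["amount"])
            valid = hmac.compare_digest(self._tag(serial, amount).encode(),
                                        str(token["tag"]).encode())
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed token"
        if not valid:
            return "rejected: invalid or altered token"
        if serial in self._spent:
            return "rejected: double spend"
        self._spent.add(serial)  # a real ledger must make check-and-mark atomic
        return "accepted"


def demo() -> list:
    bank = Bank()
    coin = bank.issue(500)             # constructed sample token worth 5.00
    copy = dict(coin)                  # bit strings can be duplicated exactly
    forged = dict(coin, amount=50000)  # same serial and tag, inflated amount
    # Steps 3-4: the merchant receives each token and clears it with the bank.
    return [bank.deposit(coin), bank.deposit(copy), bank.deposit(forged)]


if __name__ == "__main__":
    print(demo())
```

The copied token carries a valid tag and is stopped only by the spent-serial record, which is why the bank must be reachable, and its ledger consistent, at clearing time.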