Payment Methods Prepared By William Cheung COMP3610 (Fall 2001) CS, HKBU.


Payment Methods

Prepared By William Cheung

COMP3610 (Fall 2001)

CS, HKBU

Payment Methods 2

Payment Methods Overview

(Diagram: payment channels and instruments arranged around "Good Exchange")

Channels: Private VAN, Internet

Instruments: Cash, Check, Credit / Debit Cards, Electronic / Digital Cash, Credit Accounts, Direct Debit

Payment Methods 3

Payment Methods

• Cash

• Cheque

• Direct debit (~ Autopay)

• Credit card

• Debit card (~EPS)

• Credit accounts

Depends on transaction types - C2C, B2C or B2B

Payment Methods 4

Terminology

• Invoicing (Seller to Buyer) – electronic invoice, e.g., email, on-line view of an account

• Clearance (Buyer to Bank) – transmission of payment order

• Settlement (Bank) – recording debit (Buyer) and credit (Seller) positions for involved parties.

• Collections (Bank) – At a particular time, buyer account is debited and seller one is credited.

Payment Methods 5

Credit Card Payment

(Diagram: Customer, Merchant, Issuing Bank, Acquiring Bank and Payment Service Provider (e.g. Visa), linked by private networks, e.g., PSTN, X.25, VisaNet)

Set-up: Customer – open an account, issuing bank issues a credit card; Merchant – open an account, acquiring bank provides POS devices

0. Purchase using credit card

1. Authorization

2. Clearing-A: Submit transactions

3. Mark down credit

4. Clearing-B

5. Settlement (Fund Transfer)

6. Billing

7. Payment

Payment Methods 6

Credit Card Payment

(Diagram: POS in physical store connected to the bank over a private network, e.g., PSTN, X.25)

Cardholder Present transactions – POS in physical store

Cardholder Not Present transactions – mail order, phone order, on-line order

What is the difference? What should be the next step? Should they all follow the same step?

Payment Methods 7

Credit Card Payment

(Diagram: POS in physical store connected to the bank over a private network, e.g., PSTN, X.25)

Cardholder Present transactions – POS in physical store

Cardholder Not Present transactions – mail order, phone order, on-line order

Manual Input vs Automated Gateway

1. Protocols 2. Security (Encryption) (Authentication)

What are the issues?

Payment Methods 8

SET for Payment via Internet

• http://www.setco.org

• Developed jointly by Visa and MasterCard.

• Strong encryption and authentication of all the parties in a credit card transaction:
– the buyer (cardholder)
– the merchant
– the acquiring bank
… with the help of a certificate authority

Payment Methods 9

SET for Payment via Internet

• Emerging standard for handling credit card transactions on the Internet.
– Confidentiality of payment information (How?)
– Integrity of transmitted data (How?)
– Cardholder authentication (How?)
– Merchant authentication (How?)
– Authorization and settlement of credit card transactions (How does it compare to the conventional system? What are the differences?)

Payment Methods 10

SET Software Components

(Diagram: Customer with E-Wallet, Merchant with Merchant Server, Acquiring Bank with Payment Gateway, Issuing Bank, Payment Service Provider (e.g. Visa) and Certificate Authority; customer and merchant reach the Payment Gateway over the Internet, the banks are linked by private networks)

Customer: open an account, install wallet program

Merchant: open an account, set up Merchant Server

Payment Methods 11

http://www.setco.org/cgi-bin/vsm.cgi

Payment Methods 12

SET for Payment via Internet

• Buyer/Cardholder
– open an account in the issuing bank, which supports SET.
– obtain a digital certificate from a recognized CA, which can be used in the SET transactions.

Payment Methods 13

SET for Payment via Internet

• Merchant
– open an account in the acquiring bank, which supports SET.
– install a merchant server for handling the SET transaction from cardholder to the payment gateway.
– obtain a digital certificate from a CA which supports SET - with the trademark (SET™).

Payment Methods 14

SET for Payment via Internet

• Payment Gateway (Bank)
– install a payment gateway server for handling the SET transaction, connecting the Internet with the private financial network. (That’s why it is called a gateway.)
– obtain a digital certificate from a CA which supports SET - with the trademark (SET™).

Payment Methods 15

SET for Payment via Internet

• Certificate Authorities
– a third-party organization independent of all the entities involved in the SET transaction.
– issues certificates to the buyers, merchants and payment gateways involved in SET transactions.

Payment Methods 16

SET Transaction

(Diagram: E-Wallet in cardholder computer (Car-cert) → Merchant Server (Mer-cert) → Payment Gateway (Gat-cert))

Cardholder:
- Send “Pay by SET”

Merchant:
- Assign Transaction ID
- Generate Response (ID)
- Sign Response (Mer-pri)
- Send signed Response
- Send Mer-cert + Gat-cert

Cardholder:
- Verify Mer-signature
- Verify Mer-cert
- Create Order info. (OI)
- Create Payment info. (PI)
- Create Dual Signature of OI + PI
- Generate session key (K)
- Encrypt PI using K
- Encrypt cardholder’s account info (AI) and K by Gat_pub in Gat-cert
- Send OI + EK(PI) + EGat_pub(AI + K) + ...

Payment Methods 17

SET Transaction (continued)

(Diagram: E-Wallet in cardholder computer (Car-cert) → Merchant Server (Mer-cert) → Payment Gateway (Gat-cert))

Cardholder:
- …
- Send OI + EK(PI) + EGat_pub(AI + K) + Dual Signature + Digest of PI + Car-cert

Merchant:
- Verify Car-cert
- Verify the dual signature (how?)
- Forward EK(PI) + EGat_pub(AI + K) + Dual Signature + Digest of OI

Payment Gateway:
- Obtain AI + PI (How?)
- Verify the dual signature
- Authorize AI + PI (How?)
- Send authorization result

Merchant:
- Process OI
- Create Purchase Response
- Sign & send the response

Cardholder:
- Verify Mer-cert
- Verify Mer-signature

Payment Methods 18

Dual Signature

DUAL SIGNATURE CREATION (cardholder side)

• Step 1: Pass OI and PI to a hash function separately to generate two digests.

• Step 2: Concatenate the two digests.

• Step 3: Pass them to the hash function again to generate a dual digest.

• Step 4: Encrypt the dual digest by the cardholder private key to generate the DUAL SIGNATURE.

• Step 5: Send the DUAL SIGNATURE as well as the digest of PI to the merchant.

Payment Methods 19

Dual Signature

DUAL SIGNATURE VERIFICATION BY MERCHANT (The merchant has OI in plain text)

• Step 1: Decrypt the DUAL SIGNATURE by cardholder public key to obtain the received dual digest (digest-1).

• Step 2: Pass the received OI to the hash function to generate the digest of OI.

• Step 3: Concatenate the digest of OI with the received digest of PI and pass it to the hash function to regenerate the dual digest (digest-2).

• Step 4: Compare to see whether digest-1 and digest-2 are the same.

• Step 5: Send the Payment Gateway the dual signature and the digest of OI.

Payment Methods 20

Dual Signature

DUAL SIGNATURE VERIFICATION BY PAYMENT GATEWAY

• Step 1: Decrypt the DUAL SIGNATURE by cardholder public key to obtain the received dual digest (digest-3 = digest-1).

• Step 2: After some steps to get back the PI (see your notes), generate the digest of PI.

• Step 3: Concatenate the digest of PI with the received digest of OI and pass it to the hash function to regenerate the dual digest (digest-4).

• Step 4: Compare to see whether digest-3 and digest-4 are the same.

• Step 5: Start the authorization process and send back the result to the merchant.

Payment Methods 21

Dual Signature

INTERPRETATION

• With this design, both the merchant and the bank can guarantee the integrity of the OI AND PI, while OI is revealed only to the merchant and PI is revealed only to the bank.
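The three dual-signature slides above (creation by the cardholder, verification by the merchant, verification by the payment gateway), as an added worked example that is not part of the original deck or of the SET specification. The RSA key generation, the use of raw textbook RSA on a SHA-256 digest without padding, the fixed seed and the order/payment strings are all assumptions made for illustration; what the example shows is that the merchant checks the signature holding only OI plus the digest of PI, the gateway checks it holding only PI plus the digest of OI, and both must concatenate the two digests in the same order the cardholder used.

```python
import hashlib
import hmac
import random

# Toy RSA (assumption, not SET's certificate/key machinery): textbook RSA on 256-bit
# primes with no padding, enough to show the dual-signature construction. The key is
# derived from a fixed seed so the example is reproducible.

def _is_probable_prime(n, rng, rounds=25):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate

def generate_keypair(seed=7, bits=256):
    """Return ((e, n), (d, n)); n is about 512 bits, well above a 256-bit digest."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:      # e must be invertible mod phi
            break
    n, e = p * q, 65537
    return (e, n), (pow(e, -1, phi), n)

def rsa_sign(priv, digest):
    """'Encrypt' a 32-byte digest with the private key (the slides' wording)."""
    d, n = priv
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_recover(pub, signature):
    """'Decrypt' with the public key; None if the result cannot be a SHA-256 digest."""
    e, n = pub
    value = pow(signature, e, n)
    return value.to_bytes(32, "big") if value.bit_length() <= 256 else None

def h(data):
    return hashlib.sha256(data).digest()

def create_dual_signature(oi, pi, card_priv):
    """Cardholder, Steps 1-4: returns (dual signature, digest of PI, digest of OI)."""
    digest_oi, digest_pi = h(oi), h(pi)          # Step 1: hash OI and PI separately
    dual_digest = h(digest_oi + digest_pi)        # Steps 2-3: concatenate, hash again
    return rsa_sign(card_priv, dual_digest), digest_pi, digest_oi   # Step 4

def merchant_verify(oi, digest_pi, dual_sig, card_pub):
    """Merchant: has OI in clear plus the digest of PI, never PI itself."""
    digest1 = rsa_recover(card_pub, dual_sig)     # Step 1
    digest2 = h(h(oi) + digest_pi)                # Steps 2-3, same order as creation
    return digest1 is not None and hmac.compare_digest(digest1, digest2)  # Step 4

def gateway_verify(pi, digest_oi, dual_sig, card_pub):
    """Gateway: has PI (after decrypting it) plus the digest of OI, never OI itself."""
    digest3 = rsa_recover(card_pub, dual_sig)     # Step 1
    digest4 = h(digest_oi + h(pi))                # Steps 2-3, same order as creation
    return digest3 is not None and hmac.compare_digest(digest3, digest4)  # Step 4

def run_demo():
    """Constructed OI and PI; returns the outcome of each party's check."""
    card_pub, card_priv = generate_keypair()
    oi = b"order: 1 x textbook, HKD 300, deliver to campus"   # constructed
    pi = b"payment: card 4111-XXXX-XXXX-1111, HKD 300"          # constructed
    dual_sig, digest_pi, digest_oi = create_dual_signature(oi, pi, card_priv)
    return {
        "merchant_accepts": merchant_verify(oi, digest_pi, dual_sig, card_pub),
        "gateway_accepts": gateway_verify(pi, digest_oi, dual_sig, card_pub),
        # any change to OI or PI changes its digest, so the dual digest no longer matches
        "merchant_rejects_altered_oi": merchant_verify(oi + b"!", digest_pi, dual_sig, card_pub),
        "gateway_rejects_altered_pi": gateway_verify(pi + b"!", digest_oi, dual_sig, card_pub),
    }

if __name__ == "__main__":
    print(run_demo())
```

The signatures of the two verify functions make the privacy property of the interpretation slide visible: merchant_verify never receives PI and gateway_verify never receives OI, yet each can confirm that the other half was bound to the same signature.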

Payment Methods 22

Micropayment Instruments

• Mainly two categories:
– For shopping in physical stores (smart-card based products) • Why is it useful?
– For on-line shopping (digital representation of monetary values) • Why is it useful?

Payment Methods 23

Smart Cards

• Examples: Mondex, Visa Cash

• Contact vs Contactless

• Disposable vs Reloadable

• Single-purpose vs General-purpose
– electronic cash
– digital certificate
– electronic authentication

Payment Methods 24

Smart Card

• About the size of a plastic credit card

• Composed of
– a computing unit
– memory units (ROM and RAM)
– interface to the outside world
– components for cryptographic operations
– some are programmable

• Readers are required

Payment Methods 25

On-line Micropayment

• Small-valued transactions - a few cents or less

• Why do we care?
– Revenue source for intangible goods

• What should be the most distinct characteristic of micropayment systems compared with credit card payment?

• How does the on-line publisher get revenue nowadays and what does the micropayment alternative imply?

Payment Methods 26

Micropayment Systems

• centralized notational (e.g., NetBill) - centralized fund transfer

• distributed notational (e.g., Mondex) - distributed fund transfer

• centralized token (e.g., DigiCash) - centralized token transfer

• distributed token (e.g., PayWord, MiniPay) - distributed token

Payment Methods 27

NetBill

• Developed by Carnegie Mellon University.

• Provides payment as well as digital goods delivery.

• All the transactions are atomic.

• Customer: install MoneyTool (prefunded using a credit card)

• Merchant: install Product Server

Payment Methods 28

(Diagram: NetBill Server, Customer and Merchant)

Payment Methods 29

How NetBill works?

• Merchant sends encrypted goods to you.

• Money Tool on your machine verifies that the goods were received intact and sends verification of this to the merchant's server.

• Merchant sends your verification message, your account information, & the decryption key to the NetBill server.

• The NetBill server verifies that there is money in your account to pay for the goods. If there is, it transfers the funds, stores the decryption key, and sends a report back to the merchant's server.

• Merchant sends the decryption key to your Money Tool, which uses it to decrypt the goods.
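The five NetBill steps above, walked through end to end as an added example; this is not NetBill's own code and the real protocol's message formats, signatures and key handling are not reproduced. Assumptions: a toy SHA-256 keystream cipher stands in for the goods encryption, the customer's verification message is simply the checksum of the ciphertext, accounts and the NetBill server are in-memory dictionaries, and the goods bytes are constructed. The point it shows is the atomicity the slides claim: funds move only after the customer has confirmed receipt of the (still encrypted) goods, and the key is released only after the server has moved the funds and stored the key.

```python
import hashlib
import hmac
import os

def stream_cipher(key, data):
    """Toy symmetric cipher (assumption): SHA-256 counter-mode keystream XORed with the
    data; the same call encrypts and decrypts."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)

class NetBillServer:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.stored_keys = {}      # receipt -> decryption key, kept so a paid customer can recover it

    def settle(self, customer, merchant, price, receipt, key):
        """Move funds and store the key only if the customer can pay; otherwise change nothing."""
        if self.balances.get(customer, 0) < price:
            return {"status": "declined", "reason": "insufficient funds"}
        self.balances[customer] -= price
        self.balances[merchant] = self.balances.get(merchant, 0) + price
        self.stored_keys[receipt] = key
        return {"status": "ok", "receipt": receipt}

def run_purchase(server, customer, merchant, price, goods):
    """Walk the five steps for one purchase; returns what the customer ends up with."""
    # 1. Merchant encrypts the goods under a fresh key and sends ciphertext plus checksum.
    key = os.urandom(16)
    ciphertext = stream_cipher(key, goods)
    checksum = hashlib.sha256(ciphertext).hexdigest()

    # 2. Money Tool recomputes the checksum over what it received and returns it as
    #    verification (in this in-process example nothing can corrupt the transfer).
    received = hashlib.sha256(ciphertext).hexdigest()
    if not hmac.compare_digest(received, checksum):
        return {"status": "transfer error", "goods": None}
    verification = received

    # 3. Merchant forwards the verification, the customer's account and the key to NetBill.
    # 4. NetBill checks the balance, transfers funds, stores the key and reports back.
    report = server.settle(customer, merchant, price, verification, key)

    # 5. Only on a successful report does the merchant release the key to the Money Tool.
    if report["status"] != "ok":
        return {"status": report["status"], "goods": None}
    return {"status": "ok", "goods": stream_cipher(key, ciphertext)}

def run_demo():
    server = NetBillServer({"customer": 100, "shop": 0})      # constructed balances
    goods = b"constructed digital goods: one research paper PDF"
    first = run_purchase(server, "customer", "shop", 30, goods)
    second = run_purchase(server, "customer", "shop", 100, goods)   # only 70 left: declined
    return {
        "first_status": first["status"],
        "first_goods_match": first["goods"] == goods,
        "second_status": second["status"],
        "second_goods": second["goods"],
        "balances": server.balances,
        "keys_stored": len(server.stored_keys),
    }

if __name__ == "__main__":
    print(run_demo())
```

In the declined case no money moves and no key is stored or released, so the customer is left with useless ciphertext rather than a charge without goods; in the successful case the server's copy of the key is what makes the transaction recoverable if the merchant's final message were lost.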

Payment Methods 30

Payment Methods 31

• eCash (formerly called Digicash)
– Developed by David Chaum for on-line shopping.
– Both customer and merchant need accounts in some bank issuing eCash as well as specialized software (eCash Purse and eCash Merchant Purse).
– Bank requires a server which can issue eCash.
– Two technologies are adopted for producing eCash:
• Blind Signature: for anonymity
• Double Spending Detection

Payment Methods 32

(Diagram: blind signature exchange between Alice and the bank)

1. Alice multiplies a random number into the note number and requests a signature on it (an eCash request signed by Alice).

2. Bank verifies and removes Alice’s signature, and debits Alice’s account.

3. Bank sends back a digital note signed by the bank.

4. Alice divides the random number out of the note number.

Achieve Anonymity !!
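The blind-signature exchange in the diagram above, together with the double-spending detection mentioned on the previous slide, as an added example that is not eCash's own code. Assumption: the bank's key is textbook RSA with the tiny primes p = 61 and q = 53 so every intermediate value fits on one line; the note number, blinding factor and balances are constructed, and Alice's own signature on the withdrawal request is taken as already checked. The example shows that the bank signs a value it cannot relate to the note it later receives at deposit, and that the same note presented twice is refused.

```python
# Toy bank key (assumption): textbook RSA with p = 61, q = 53, phi = 3120.
N, E = 3233, 17        # bank's public modulus and exponent
_D = 2753              # bank's private exponent (17 * 2753 = 1 mod 3120)

def blind(note_number, r):
    """Alice: multiply the note number by r^E (mod N) so the bank cannot read it."""
    return (note_number * pow(r, E, N)) % N

def unblind(blinded_signature, r):
    """Alice: (m * r^E)^D = m^D * r (mod N), so multiplying by r^-1 leaves m^D."""
    return (blinded_signature * pow(r, -1, N)) % N

def verify_note(note_number, signature):
    """Anyone holding the bank's public key can check that a note is genuine."""
    return pow(signature, E, N) == note_number

class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.signed_requests = []     # what the bank actually saw when signing
        self.spent_notes = set()      # double-spending detection

    def withdraw(self, account, blinded, value=1):
        """Debit the account and sign the blinded request; None if the account cannot cover it."""
        if self.balances.get(account, 0) < value:
            return None
        self.balances[account] -= value
        self.signed_requests.append(blinded)
        return pow(blinded, _D, N)

    def deposit(self, account, note_number, signature, value=1):
        """Accept a genuine note once; a second presentation of the same note is a double spend."""
        if not verify_note(note_number, signature) or note_number in self.spent_notes:
            return False
        self.spent_notes.add(note_number)
        self.balances[account] = self.balances.get(account, 0) + value
        return True

def run_demo():
    bank = Bank({"alice": 5, "merchant": 0})          # constructed balances
    note_number, r = 1234, 7                          # constructed: secret note number, blinding factor
    blinded = blind(note_number, r)                   # step 1: Alice blinds and requests
    signed_blinded = bank.withdraw("alice", blinded)  # step 2-3: bank debits and signs
    signature = unblind(signed_blinded, r)            # step 4: Alice removes the blinding
    return {
        "note_valid": verify_note(note_number, signature),
        "bank_saw_note_number": note_number in bank.signed_requests,
        "first_deposit": bank.deposit("merchant", note_number, signature),
        "second_deposit": bank.deposit("merchant", note_number, signature),
        "balances": bank.balances,
    }

if __name__ == "__main__":
    print(run_demo())
```

The blinding factor r must be invertible modulo N (any r not divisible by 61 or 53 here); with a real modulus that is essentially any random value.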

Payment Methods 33

PayWord

• It is credit-based (What does it mean?). Adopted in Micropayment Transfer Protocol (MPTP) - a working draft released by W3C.

• User needs to establish an account with a broker, who will issue the user a specific certificate with both broker and user information.

• Step 1: User generates n “tokens” by randomly picking a number w_n and using a hash function h() to generate {w_0, w_1, …, w_n} s.t. w_{i-1} = h(w_i)

• Step 2: User sends merchant the certificate and {w_0} as “commitment”

• Step 3: User will use (w_1, 1), (w_2, 2), … as tokens for subsequent payments, one at a time.

• Step 4: Merchant first verifies the certificate (signature verification); each (w_i, i) can be verified against the previous token w_{i-1} (hash function).

• Step 5: At the end of the day, the broker receives the “commitment” as well as the largest index token from the merchant for settlement.

Payment Methods 34

PayWord

(Diagram: hash chain w(n) → w(n-1) → … → w(2) → w(1) → w(0), each arrow the one-way function mapping w(i) to w(i-1); w(1) is the 1st token, w(2) the 2nd, w(3) the 3rd, and so on; tokens flow from User to Merchant)
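The PayWord chain of Steps 1 to 5 and the diagram above, as an added example that is not PayWord's or MPTP's own code. Assumptions: SHA-256 is the one-way function h, the broker certificate check of Step 4 is represented by a flag the caller passes in (the signature scheme is out of scope here), and the random w_n is a constructed byte string. It goes slightly beyond the slides' one-at-a-time rule: the merchant accepts a token (w_i, i) if hashing it i − j times reaches the last accepted w_j, so a single token can also pay for several units at once, and the broker's end-of-day settlement hashes the largest-index token all the way back to the commitment.

```python
import hashlib

def h(x):
    return hashlib.sha256(x).digest()

def make_chain(n, w_n):
    """Step 1: start from the random w_n and hash backwards so that w_{i-1} = h(w_i).
    Returns [w_0, w_1, ..., w_n]; w_0 is the commitment."""
    chain = [None] * (n + 1)
    chain[n] = w_n
    for i in range(n, 0, -1):
        chain[i - 1] = h(chain[i])
    return chain

class Merchant:
    """Holds one user's commitment and the highest-index token accepted so far."""
    def __init__(self):
        self.commitment = None
        self.last_accepted = None     # (w_j, j)

    def accept_commitment(self, certificate_verified, w_0):
        """Steps 2 and 4: the broker-signed certificate must verify before w_0 is trusted."""
        if not certificate_verified:
            return False
        self.commitment, self.last_accepted = w_0, (w_0, 0)
        return True

    def accept_token(self, w_i, i):
        """Step 4: (w_i, i) is valid if hashing it (i - j) times yields the last accepted w_j.
        With j = i - 1 this is the slides' one-at-a-time check; a larger gap pays several units."""
        if self.last_accepted is None:
            return False
        w_j, j = self.last_accepted
        if i <= j:
            return False                  # replayed or out-of-order token
        x = w_i
        for _ in range(i - j):
            x = h(x)
        if x != w_j:
            return False                  # not on the committed chain
        self.last_accepted = (w_i, i)
        return True

    def settlement_claim(self):
        """Step 5: the commitment plus the largest-index token go to the broker."""
        return self.commitment, self.last_accepted

def broker_settle(commitment, claim):
    """Broker: hash the claimed token back down to the commitment; pays i units on a match."""
    w_i, i = claim
    x = w_i
    for _ in range(i):
        x = h(x)
    return i if x == commitment else 0

def run_demo():
    chain = make_chain(10, b"constructed random seed for w_10")   # constructed w_n
    m = Merchant()
    results = {"commit": m.accept_commitment(True, chain[0])}
    results["pay_1"] = m.accept_token(chain[1], 1)
    results["pay_2"] = m.accept_token(chain[2], 2)
    results["replay_2"] = m.accept_token(chain[2], 2)
    results["forged_3"] = m.accept_token(h(b"not on the chain"), 3)
    results["pay_5_skipping_3_4"] = m.accept_token(chain[5], 5)
    commitment, claim = m.settlement_claim()
    results["broker_pays"] = broker_settle(commitment, claim)
    return results

if __name__ == "__main__":
    print(run_demo())
```

Because h is one-way, the merchant (or anyone who sees w_1 … w_i) cannot produce w_{i+1}, which is why only the user can spend further tokens and why the broker needs nothing but w_0 and the last token to know how much to settle.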

Payment Methods 35

Micropayment by Aggregation: Pre-pay or Post-pay

• Pre-pay strategies (debit account)
– charged in advance and then debited later

• Post-pay strategies (credit account)
– aggregate the charges and bill the customer later

• Considerations
– Risks involved
– Aggregation at client side or server side (wallet or account)? Can it be used for different shops?

Payment Methods 36

How about the Financial Network

• SWIFT (international)
– The Society for Worldwide Interbank Financial Telecommunication
– a global (private) system for financial messages
– nearly real-time gross settlement system

• Fedwire (US-based; domestic transactions)
– Real-time gross settlement system

• CHIPS (US-based; foreign transactions)
– Clearing House Interbank Payments System
– not real-time; settlement occurs at the end of the day.

Mission Critical IS

Payment Methods 37

References

• Norris M., West S., and Gaughan K., eBusiness Essentials (Chapter 4), Wiley, 2000

• W. Archibald, Using SET for Secure Electronic Commerce, Prentice Hall, 1998

• eCash: http://ntrg.cs.tcd.ie/mepeirce/Project/Chaum/sciam.html (2/11/00)

• MPTP: http://www.w3.org/TR/WD-mptp-951122 (2/11/00)