Payment Methods Prepared By William Cheung COMP3610 (Fall 2001) CS, HKBU.
-
date post
18-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Payment Methods Prepared By William Cheung COMP3610 (Fall 2001) CS, HKBU.
Payment Methods 2
Payment Methods Overview
Good Exchange
PrivateVAN
Internet
Cash
Check
Credit / Debit Cards
Electronic/DigitalCash
Credit AccountsDirect Debit
Payment Methods 3
Payment Methods
• Cash
• Cheque
• Direct debit (~ Autopay)
• Credit card
• Debit card (~EPS)
• Credit accounts
Depends on transaction types - C2C, B2C or B2B
Payment Methods 4
Terminology• Invoicing (Seller to Buyer)
– electronic invoice, e.g., email, on-line view of an account
• Clearance (Buyer to Bank)– transmission of payment order
• Settlement (Bank)– recording debit (Buyer) and credit (Seller) positions for
involved parties.
• Collections (Bank)– At a particular time, buyer account is debited and seller one
is credited.
Payment Methods 5
MAB
3. Mark downCredit M
Credit Card Payment
0. Purchase usingcredit card
- Open an account- Issue a credit card
- Open an account- Provide POS devices
1. Authorization
Merchant
Customer IssuingBank
AcquiringBank
Payment ServiceProvider (e.g. Visa)
private networke.g., PSTN, X.25
privatenetwork
private
network
(e.g. VisaNet)
2. Clearing-A: Submit transactions
4. Clearing-B
6. Billing
7. Payment
5. Settlement
Fund Transfer
Payment Methods 6
Credit Card Payment
private networke.g., PSTN, X.25
POS in physical store
BANKCardholder Presenttransactions
What is the difference?
Cardholder Not Presenttransactions
- mail order- phone order- on-line order
What should be the next step?Should they all follow the
same step?
Payment Methods 7
Credit Card Payment
private networke.g., PSTN, X.25
POS in physical store
BANKCardholder Presenttransactions
Cardholder Not Presenttransactions
- mail order- phone order- on-line order
Manual Input
Automated Gateway
1. Protocols2. Security (Encryption) (Authentication)
What are the issues?
Payment Methods 8
SET for Payment via Internet
• http://www.setco.org
• Developed jointly by Visa and MasterCard.
• Strong encryption and authentication of all the parties in a credit card transaction: – the buyer (cardholder)– the merchant– the acquiring bank
… with the help of a certificate authority
Payment Methods 9
SET for Payment via Internet
• Emerging standard for handling credit card transaction on the Internet.– Confidentiality of payment information (How?)– Integrity of transmitted data (How?)– cardholder authentication (How?)– merchant authentication (How?)– authorization and settlement of credit card
transactions (How does it compare to the conventional system? What are the differences?)
Payment Methods 10
SET Software Components
Merchant
CustomerIssuingBank
AcquiringBank
Payment ServiceProvider (e.g. Visa)
- Open an account- Install wallet program
- Open an account- Set up Merchant Server
privatenetwork
private
network
MerchantServer
PaymentGateway
E-Wallet
CertificateAuthority
Internet
Payment Methods 12
SET for Payment via Internet
• Buyer/Cardholder– open an account in the issuing bank, which
supports SET.– obtain a digital certificate from a
recognized CA, which can be used in the SET transactions.
Payment Methods 13
SET for Payment via Internet
• Merchant– open an account in the acquiring bank,
which supports SET.– Install a merchant server for handling the
SET transaction from cardholder to the payment gateway.
– Obtain a digital certificate from a CA which supports SET - with the trademark (SET™).
Payment Methods 14
SET for Payment via Internet
• Payment Gateway (Bank)– Install a payment gateway server for
handling the SET transaction, connecting the internet with the private financial network. (That’s why it is called gateway)
– Obtain a digital certificate from a CA which supports SET - with the trademark (SET™).
Payment Methods 15
SET for Payment via Internet
• Certificate Authorities– A third party organization not involved in
any entities involved in the SET transaction.
– Issues certificates to buyers, merchants, payment gateway involved in SET transactions.
Payment Methods 16
SET Transaction
- Send “Pay by SET”
E-Wallet in cardholder computer
Mer-cert
Merchant Server
Car-cert
Payment Gateway
Gat-cert
- Assign Transaction ID - Generate Response (ID) - Sign Response (Mer-pri) - Send signed Response - Send Mer-cert + Gat-cert
- Verify Mer-signature - Verify Mer-cert - Create Order info. (OI) - Create Payment info. (PI) - Create Dual Signature of ..OI + PI - Generate session key (K) - Encrypt PI using K - Encrypt cardholder’s ..account info (AI) and K ..by Gat_pub in Gat-cert - Send OI + EK(PI) ...+ EGat_pub(AI + K) + ...
Payment Methods 17
SET TransactionE-Wallet in
cardholder computer Mer-cert
Merchant Server
Car-cert
Payment Gateway
Gat-cert
- … - Send OI + EK(PI) …..+ EGat_pub(AI + K) …..+ Dual Signature …..+ Digest of PI . + Car-cert
- Verify Car-cert - Verify the dual signature ..(how?) - Forward EK(PI) …..+ EGat_pub(AI + K) …..+ Dual Signature …..+ Digest of OI
- Obtain AI + PI (How?) - Verify the dual signature - Authorize AI + PI (How?) - Send authorization result- Process OI
- Create Purchase Response - Sign & send the response
- Verify Mer-cert - Verify Mer-signature
Payment Methods 18
Dual Signature
DUAL SIGNATURE CREATION (cardholder side)
• Step 1: Pass OI and PI to a hash function separately to generate two digests.
• Step 2: Concatenate the two digests.• Step 3: Pass them to the hash function again to generate a dual
digest.• Step 4: Encrypt the dual digest by the cardholder private key to
generate the DUAL SIGNATURE.• Step 5: Send the DUAL SIGNATURE as well as the digest of PI
to the merchant.
Payment Methods 19
Dual SignatureDUAL SIGNATURE VERIFICATION BY MERCHANT (The
merchant has OI in plain text)
• Step 1: Decrypt the DUAL SIGNATURE by cardholder public key to obtain the received dual digest (digest-1).
• Step 2: Pass the received OI to hash function to generate the digest of OI.• Step 3: Concatenate the digest of OI with the received digest of PI and
pass it to the hash function to regenerate the dual digest (digest-2).• Step 4: Compare to see whether digest-1 and digest-2 are the same.• Step 5: Send the Payment Gateway the dual signature and the digest of
OI.
Payment Methods 20
Dual SignatureDUAL SIGNATURE VERIFICATION BY PAYMENT GATEWAY
• Step 1: Decrypt the DUAL SIGNATURE by cardholder public key to obtain the received dual digest (digest-3 = digest-1).
• Step 2: After some steps to get back the PI (see you note) and generate the digest of PI
• Step 3: Concatenate the digest of PI with the received digest of OI and pass it to the hash function to regenerate the dual digest (digest-4).
• Step 4: Compare to see whether digest-3 and digest-4 are the same.• Step 5: Start the authorization process and send back the result to the
merchant
Payment Methods 21
Dual Signature
INTREPRETATION
• With this design, both the merchant and the bank can guarantee the integrity of the OI AND PI while OI is only revealed to the merchant and PI is only revealed to the bank only.
Payment Methods 22
Micropayment Instruments
• Mainly two categories:– For shopping in physical stores (smart-card
based products)• Why is it useful?
– For on-line shopping (digital representation of monetary values)
• Why is it useful?
Payment Methods 23
Smart Cards
• Examples: Mondex, Visa Cash
• Contact vs Contactless
• Disposable vs Reloadable
• Single-purpose vs General-purpose– electronic cash– digital certificate– electronic authentication
Payment Methods 24
Smart Card
• About the size of a plastic credit card• compose of
– a computing unit– memory units (ROM and RAM)– interface to the outside world– components for cryptographic operations– some are programmable
• Readers are required
Payment Methods 25
On-line Micropayment
• Small-valued transactions - a few cents or less• Why do we care?
– Revenue source for intangible goods
• What should be the most distinct characteristic of micropayment systems compared with credit card payment?
• How does the on-line publisher get revenue nowadays and what does the micropayment alternative imply?
Payment Methods 26
Micropayment Systems• centralized notational (e.g., NetBill) -
centralized fund transfer• distributed notational (e.g., Mondex) -
distributed fund transfer• centralized token (e.g., DigiCash) - centralized
token transfer• distributed token (e.g., PayWord, MiniPay) -
distributed token
Payment Methods 27
• Developed by Carnegie Mellon University.• Provides payment as well as digital good
delivery.• All the transactions are atomic.• Customer: install MoneyTool (prefunded
using a credit card)• Merchant: install Product Server
NetBill
Payment Methods 29
How NetBill works?• Merchant sends encrypted goods to you.
• Money Tool on your machine verifies that the goods were received intact and sends verification of this to the merchant's server.
• Merchant sends your verification message, your account information, & the decryption key to the NetBill server.
• The NetBill server verifies that there is money in your account to pay for the goods. If there is, it transfers the funds, stores the decryption key, and sends a report back to the merchant's server.
• Merchant sends the decryption key to your Money Tool uses to decrypt the goods.
Payment Methods 31
• eCash (formerly called Digicash)
– Developed by David Chaum for on-line shopping.– Both customer and merchant need accounts in some
bank issuing eCash as well as specialized software ( eCash Purse and eCash Merchant Purse)
– Bank requires a server which can issue eCash.– Two technologies are adopted for producing eCash
• Blind Signature: for anonymity• Double Spending Detection
Payment Methods 32
A eCash request signed by Alice
Verify and remove Alice’s signature,Debit Alice’s account
Send a digital note signed by bank
Divide the random number from note number
Multiple a random number to note numberand request it
Achieve Anonymity !!
Payment Methods 33
PayWord
• It is a credit-based (What does it mean?). Adopted in Micropayment Transfer Protocol (MPTP) - a working draft released by W3C.
• User need to establish an account in a broker, who will issue the user a specific certificate with both broker and user information.
• Step 1: User generates n “tokens” by randomly picking a number wn and using a hash function h() to generate {w0,w1,…wn} s.t. wi-1 = h(wi)
• Step 2: User send merchant the certificate and {w0} as “commitment”
• Step 3: User will use the (w1,1), (w2,2), … as token for subsequent payment, one at a time.
• Step 4: Merchant first verifies the certificate (signature verification) and each (wi,i) can be verified by the previous token wi-1 (hash fnt.).
• Step 5: At the end of the day, the broker receives the “commitment” as well as the largest index token from the merchant for settlement.
Payment Methods 34
PayWord
One-wayfunction
W(i) W(i-1)
w(n
)
w(n
-1)
w(2
)
w(1
). .
1st token2nd token
3rd token. . . . .
w(0
)
User Merchant
Payment Methods 35
Micropayment by Aggregation: Pre-pay or Post-pay
• Pre-pay strategies (debit account)– charged in advance and then debit later
• Post-pay strategies (credit account)– aggregate the charges and bill the customer later
• Considerations– Risks involved– Aggregation at client side or server side (wallet or
account)? Can be used for different shops?
Payment Methods 36
How about the Financial Network
• SWIFT (international)– The Society for Worldwide Interbank Financial
Telecommunication– a global (private) system for financial messages– nearly real-time gross settlement system
• Fedwire (US-based; domestic transaction)– Real-time gross settlement system
• CHIPS (US-based; foreign transaction)– Clearing House Interbank Payments System– not real-time; settlement occurs at the end of the day.
MissionCriticalIS
Payment Methods 37
References• Norris M., West S., and Gaughan K., eBusiness Essentials (Chapter
4), Wiley, 2000• W. Archibald, Using SET for Secure Electronic Commerce, Prentice
Hall, 1998• eCash: http://ntrg.cs.tcd.ie/mepeirce/Project/Chaum/sciam.html
(2/11/00) • MPTP: http://www.w3.org/TR/WD-mptp-951122 (2/11/00)