Published on December 23, 2010
INTERNET PAYMENT SYSTEMS

Introduction

To make the e-commerce system functional, we also need to incorporate payment functions into the system.

In the physical world, there are 4 types of payment methods:
- Cash
- Credit card
- Check
- Credit/debit (Fund Transfer)

Major Internet Payment Methods

- Secure Electronic Transaction (SET): a protocol for implementing credit card payment
- An electronic check system for supporting check payment
- An electronic funds transfer and electronic cash system for emulating physical cash payment
- Other methods: micropayment methods and smart card methods

Features of Payment Methods

- Anonymity: whether the payment method is anonymous
- Security: whether the payment method is secure
- Overhead cost: the overhead cost of processing a payment
- Transferability: whether a payment can be carried out without the involvement of a third party
- Divisibility: whether a payment can be divided into arbitrarily small payments whose sum is equal to the original payment
- Acceptability: whether the payment method is supported globally

4C Payment Methods

A payment method should be:
- Very secure
- Low in overhead cost
- Transferable
- Acceptable anywhere
- Divisible
- Anonymous

Comparison of the 4C payment methods

SET Protocol for Credit Card Payment

The credit card is one of the most commonly used payment methods in e-commerce, in particular B2C e-commerce.

Before the introduction of the SET protocol, secure credit card payment was usually carried out over an SSL connection.

Advantage of SSL: it ensures the secure transmission of credit card information over the Internet.

Disadvantage of SSL: it is not a complete credit card payment method. For example, it cannot support on-line credit card authorization.

SET is specially developed to provide secure credit card payment over the Internet.

It is now widely
supported by major credit card companies including Visa and MasterCard.

SET aims at satisfying the following security requirements in the context of credit card payment:
- Confidentiality: sensitive messages are encrypted so that they are kept confidential
- Integrity: nearly all messages are digitally signed to ensure content integrity
- Authentication: authentication is performed through a public key infrastructure

SET network architecture

- Merchant: a seller, which is connected to an acquirer
- Cardholder: a registered holder of the credit card who is a buyer
- Issuer: the bank that issues the credit card to a cardholder
- Acquirer: the bank that serves as an “agent” to link a merchant to multiple issuers. A merchant can process various credit cards through a single acquirer
- Payment gateway: typically connected to the acquirer. The payment gateway is situated between the SET system and the financial network of the current credit card system for processing the credit card payment

SET Digital Certificate System

Dual signature generation and verification

In the physical credit card system:
- the Payment Instructions (PI), including the cardholder’s credit card number and signature, are not kept confidential
- data integrity can basically be ensured by using printed receipts
- cardholder’s authentication relies on simple signature checking only

In an electronic credit card system:
- the Order Information (OI) and PI can be digitally signed to ensure data integrity
- the sensitive credit card information may still be disclosed to other people

SET introduces a novel method called the dual signature (DS) to ensure data integrity while protecting the sensitive information.

The merchant is provided with OI, H[PI], and DS. The dual signature can be verified as follows:

Step 1: The merchant first
finds H[H[PI] || H[OI]].

How can the merchant and the payment gateway verify the DS?

Step 2: He then decrypts the digital signature with the cardholder’s public signature key as follows:

    D_RSA[DS | key_public_sign,cardholder]

where key_public_sign,cardholder is the public signature key of the cardholder.

Step 3: Finally, he compares the two terms H[H[PI] || H[OI]] and D_RSA[DS | key_public_sign,cardholder]. They should be the same if the transmitted DS has not been changed; otherwise the order is not valid.

The payment gateway is provided with PI, H[OI], and DS.

By using the dual signature method, each cardholder can link OI and PI while releasing only the necessary information to the relevant party. If either the OI or PI is changed, the dual signature will no longer be valid.

DIGITAL ENVELOPE

A random DES key (key_random) is first generated to encrypt the message, i.e. E_DES[M | key_random].

key_random is then encrypted by the VBS's public key-exchange key, say key_public_exchange,VBS, i.e. E_RSA[key_random | key_public_exchange,VBS].

E_DES[M | key_random] and E_RSA[key_random | key_public_exchange,VBS] are sent to the VBS.

To obtain the message M, the VBS first obtains key_random by decrypting E_RSA[key_random | key_public_exchange,VBS], i.e.

    D_RSA[E_RSA[key_random | key_public_exchange,VBS] | key_private_exchange,VBS] = key_random,

where key_private_exchange,VBS denotes the private key-exchange key of the VBS.

After obtaining key_random, the VBS can obtain M by decrypting E_DES[M | key_random], i.e.
to find D_DES[E_DES[M | key_random] | key_random] = M.

SET PROTOCOL

The SET protocol has four phases: initiation, purchase, authorization, and capture.

- First, the cardholder sends a purchase initiation request to the merchant to initialize the payment. Then the merchant returns a response message to the cardholder.
- In the second phase, the cardholder sends the purchase order together with the payment instruction to the merchant.
- In the third phase, the merchant obtains the authorization from the issuer via the payment gateway.
- Finally, the merchant requests a money transfer to its account.

PAYMENT AUTHORIZATION

The merchant needs to obtain payment authorization from the acquirer. The authorization request consists of:
- Transaction ID
- Amount requested
- Message digest of order description
- Other transaction information

The authorization request is encrypted by using key B. Key B is then encrypted by using the public key-exchange key of the payment gateway to form the digital envelope.

The merchant sends the following to the payment gateway:
- The encrypted authorization request and the encrypted key B
- Cardholder’s and merchant’s certificates
- The following information as received from the cardholder:
  - PI + DS + H[OI] (all encrypted using key A)
  - Key A + cardholder information (all encrypted using the payment gateway’s public key-exchange key)

After receiving the authorization request, the payment gateway processes it as follows:
- Obtains key B by means of decryption and uses it to decrypt the authorization request
- Verifies the merchant’s certificates and the digital signature on the authorization request
- Obtains key A and the cardholder information by means of decryption
- Uses key A to obtain the PI, DS and H[OI]
- Verifies the DS accordingly

The payment gateway also
verifies that the received transaction ID is the same as the one in the PI. By checking the order description in the authorization request message, it can be verified that the order has been accepted by the cardholder and the merchant.

Upon all successful verifications, the payment gateway forwards the authorization request to the issuer via the current payment system. After receiving the authorization from the issuer through the current system, the payment gateway sends an authorization response to the merchant.

The payment gateway sends the following to the merchant:
- Signed authorization response (encrypted by key C)
- Key C (encrypted by the merchant’s public key-exchange key)
- Signed capture token (encrypted by key D)
- Key D + cardholder information (encrypted by the payment gateway’s public key-exchange key)

After receiving the authorization response from the payment gateway, the merchant obtains key C by decryption and uses it to decrypt the authorization response. The merchant verifies the payment gateway’s certificate and the digital signature on the authorization response. After obtaining the authorization, the merchant then completes the order accordingly.

PAYMENT CAPTURE

To begin the payment capture process, the merchant generates a capture request that includes the transaction ID, capture amount and other information about the capture request. The capture request is first signed by using the private key of the merchant and then encrypted with a random symmetric key E. Key E is then encrypted by using the public key-exchange key of the payment gateway to form the digital envelope.

The merchant sends the following to the payment gateway:
- Signed capture request (encrypted by using key E)
- Key E (encrypted by using the payment gateway’s public key-exchange key)
- Signed capture
token (encrypted by using key D)
- Key D + cardholder information (encrypted by using the payment gateway’s public key-exchange key)
- Merchant’s digital certificates

After receiving the capture request, the payment gateway obtains key E by decryption and uses it to decrypt the capture request. The payment gateway also verifies the digital signature of the capture request by using the merchant’s public key.

The payment gateway obtains key D by decryption, uses the key to decrypt the capture token, and verifies the capture token. After successful verification, the payment gateway sends a payment transfer request to the issuer via the current system.

The capture response created by the payment gateway is signed by using its private signature key and is encrypted by a random symmetric key F. Key F is encrypted by using the merchant’s public key-exchange key to form the digital envelope.

The payment gateway forwards the following information to the merchant:
- Signed capture response (encrypted by key F)
- Key F (encrypted by public key-exchange key)
- Payment gateway’s digital certificates

After receiving the capture response, the merchant decrypts it accordingly and verifies the digital signature.

SMART CARD

- An Internet payment method.
- First-generation smart cards: credit cards and bank cards.
- Smart cards are “intelligent”, “interactive” and “interoperable”.

COMPONENTS OF A SMART CARD

- Central Processing Unit: 8-bit microprocessor that controls the operation of the smart card.
- RAM: used to store temporary data.
- EPROM: used to store long-term data like cryptographic keys.
- ROM: used to store permanent data such as the operating system.
- I/O interface: provides data input/output functions.

Steps to manufacture a smart card

Step 1: The chip is fabricated.
Step 2: A module is produced by using the fabricated chip from step 1.
Step 3: The plastic card is manufactured.
Step 4: The module from step 2 is added to the plastic card.
Step 5: Data and programs are loaded into the chip.
Step 6: Personalized data is loaded into the chip.

ISO 7816-4

It is a standard that defines the file system and communication protocol. It specifies how a smart card can communicate with a smart card application, like a smart card reader, by means of Application Protocol Data Units (APDU). It also specifies a file system for smart cards:
- Master file
- Elementary file
- Dedicated file

MONDEX

It is a smart card payment system. Devices provided by Mondex include the following:
- Mondex wallet
- Devices to transfer Mondex money over telephone networks and the Internet
- Mondex card

Mondex Protocol

- It uses public key cryptography
- Basic operation starts with a “handshaking phase”

CONCLUSION

- An effective, secure and reliable Internet payment system is needed
- Depending on the payment amount, different levels of security are used

Thank you!
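
The dual signature generation and the three verification steps from the "Dual signature generation and verification" slides, as an added Python example that is not part of the original slides. It assumes SHA-256 for H and a toy textbook-RSA signing key built from two Mersenne primes (no padding, not secure); the function names and the sample OI and PI strings are constructed for illustration.

```python
import hashlib

# Toy RSA signing key built from two Mersenne primes. Constructed for this
# example only: textbook RSA without padding is NOT secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # cardholder's private signature exponent
CARDHOLDER_PUB = (E, N)             # cardholder's public signature key


def H(data: bytes) -> bytes:
    """Message digest H[.]; SHA-256 is this example's choice."""
    return hashlib.sha256(data).digest()


def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = E_RSA[ H[ H[PI] || H[OI] ] | private signature key ]."""
    return pow(int.from_bytes(H(H(pi) + H(oi)), "big"), D, N)


def verify_ds(h_pi: bytes, h_oi: bytes, ds: int, pub=CARDHOLDER_PUB) -> bool:
    """Steps 1-3: recompute H[H[PI] || H[OI]] and compare with D_RSA[DS]."""
    e, n = pub
    expected = int.from_bytes(H(h_pi + h_oi), "big")
    return pow(ds, e, n) == expected


def merchant_verify(oi: bytes, h_pi: bytes, ds: int) -> bool:
    """Merchant holds OI, H[PI] and DS; it never sees the PI itself."""
    return verify_ds(h_pi, H(oi), ds)


def gateway_verify(pi: bytes, h_oi: bytes, ds: int) -> bool:
    """Payment gateway holds PI, H[OI] and DS; it never sees the OI itself."""
    return verify_ds(H(pi), h_oi, ds)


# Constructed sample order information and payment instructions.
OI = b"txn=1001;item=book;qty=1;total=25.00"
PI = b"txn=1001;card=4111111111111111;amount=25.00"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, H(PI), DS))
    print("gateway accepts: ", gateway_verify(PI, H(OI), DS))
    tampered = OI.replace(b"qty=1", b"qty=9")
    print("tampered OI accepted:", merchant_verify(tampered, H(PI), DS))
```

Each party receives only the digest of the half it must not see, yet a change to either the OI or the PI makes the comparison in step 3 fail for both verifiers.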