building an e-commerce trust infrastructure
TRANSCRIPT
B U S I N E S S G U I D E
Building an E-Commerce Trust InfrastructureSSL Server Certificates and Online Payment Services
B U S I N E S S G U I D E
Executive Summary 3
I. The E-Commerce Opportunity 3A. The Risks and Challenges of
E-Commerce Trust 3B. The Goals of Implementing an
E-Commerce Trust Infrastructure 4
II. The Solution: How to Build an Infrastructure for Trusted E-Commerce 4
A. Overview: Public Key Cryptography
& Digital Certificates 4
IV. SSL Server Certificates 8A. SSL Defined 8B. How SSL Server Certificates Work 9C. Securing Multiple Servers and
Domains with SSL 11
V. Online Payment Services 12A. The Internet Payment Processing System 13B. VeriSign Payflow Payment Services 13C. Payment Processing Backbone 15
VI. VeriSign E-Commerce TrustInfrastructure Solutions 18
A. VeriSign Commerce Site and
Secure Site Solutions 18B. Payflow Link and Payflow Pro 20C. Managed PKI for SSL Certificates 21
VII. The VeriSign Advantage 22
VIII. For More Information 22
CONTENTS
B U S I N E S S G U I D E
3
Executive SummaryBusinesses that can manage and process e-commercetransactions can gain a competitive edge by reaching aworldwide audience at very low cost. But the Web poses aunique set of trust issues, which businesses must address atthe outset to minimise risk. Customers submit informationand purchase goods or services via the Web only when theyare confident that their personal information, such as creditcard numbers and financial data, is secure.
The solution for businesses that are serious about e-commerce is to implement a complete e-commerce trustinfrastructure. PKI cryptography and digital signaturetechnology, applied via Secure Sockets Layer (SSL) digitalcertificates, provide the authentication, data integrity andprivacy necessary for e-commerce. Internet payment gatewaysystems provide online merchants with the ability toefficiently and securely accept and process a variety ofonline payments from customers.
VeriSign Inc. offers the essential components of an Internettrust infrastructure to e-commerce businesses. By installing aVeriSign SSL Certificate on their Web servers, businessescan securely collect sensitive information online and increasebusiness by giving their customers the confidence ofknowing that payment transactions are safe. VeriSignPayment Services VeriSign Payflow Payment Servicessimplify e-commerce by providing payment connectivityover the Internet between buyers, sellers and financialnetworks for transactions involving all major consumercredit card, debit card, electronic cheque, purchase card andAutomated ClearingHouse (ACH) transactions. VeriSign’sCommerce Site solutions combine both SSL Certificatesand Payflow Pro payment services, along with additionalvalue-added features, to form a complete e-commerce trustinfrastructure solution.
I. The E-Commerce Opportunity A secure e-commerce website can provide businesses withpowerful competitive advantages, including increased onlineretail sales, as well as streamlined application processes forproducts such as insurance, mortgages or credit cards. E-commerce credit card sales can be especially lucrative:according to independent analysts, cash transactions on theInternet will reach $9 billion in 2000 and $30 billion in2005.
By offering products and services on the Web, businessescan gain unique benefits:
• New customers: Anyone with an Internet connection isa potential customer: millions around the world arealready using the Internet for business transactions. Webstorefronts are open 24 hours a day and require noinvestments in brick and mortar.
• Cost-effective delivery channel: Many products andservices, such as software or information, can bedistributed directly to customers via the Web, enhancingthe customer experience and increasing profitability byeliminating the shipping and overhead costs associatedwith order fulfilment.
• Streamlined enrolment: Paper-based enrolmentworkflows are fraught with delays. Applications forinsurance, a mortgage or a credit card, for example, canbe held up in the post. Once received, applicationinformation must be entered into computer systemsmanually, a labour-intensive process that can introduceerrors. By accepting applications via a secure website,businesses can speed application processing, reduceprocessing costs and improve customer service.
• Better marketing through better customerknowledge: Establishing a storefront on the Webpositions enterprises for one-to-one marketing - theability to customise products and services to individualcustomers rather than large market segments. The Webfacilitates one-to-one marketing by enabling businessesto capture information about demographics, personalbuying habits and preferences. By analysing thisinformation, enterprises can target merchandise andpromotions for maximum impact, tailor Web pages tospecific consumers and conduct effective, tightly focusedmarketing campaigns.
No business can afford to ignore this opportunity. Butbusinesses also cannot ignore the potential pitfalls. Beforeentering the fiercely competitive e-commerce arena,businesses must carefully assess and address theaccompanying risks.
A. The Risks and Challenges of E-Commerce TrustTo succeed in the fiercely competitive e-commercemarketplace, businesses must become fully aware of Internetsecurity threats, take advantage of the technology thatovercomes them and win customers’ trust. Eighty-fivepercent of Web users surveyed reported that a lack ofsecurity made them uncomfortable sending credit cardnumbers over the Internet. The merchants who can win theconfidence of these customers will gain their loyalty - andan enormous opportunity for expanding market share.
In person-to-person transactions, security is based onphysical cues. Consumers accept the risks of using creditcards in places like department stores because they can seeand touch the merchandise and make judgments about thestore. On the Internet, without those physical cues, it ismuch more difficult to assess the safety of a business. Also,serious security threats have emerged. By becoming aware ofthe risks of Internet-based transactions, businesses canacquire technology solutions that overcome those risks:
B U S I N E S S G U I D E
4
• Spoofing: The low cost of website creation and the easeof copying existing pages makes it all too easy to createillegitimate sites that appear to be published byestablished organisations. In fact, con artists haveillegally obtained credit card numbers by setting upprofessional-looking storefronts that mimic legitimatebusinesses.
• Unauthorised disclosure: When transactioninformation is transmitted “in the clear,” hackers canintercept the transmissions to obtain customers’sensitive information.
• Unauthorised action: A competitor or disgruntledcustomer can alter a website so that it refuses service topotential clients or malfunctions.
• Eavesdropping: The private content of a transaction, ifunprotected, can be intercepted en route over theInternet.
• Data alteration: The content of a transaction can benot only intercepted, but also altered en route, eithermaliciously or accidentally. User names, credit cardnumbers and dollar amounts sent “in the clear” are allvulnerable to such alteration.
B. The Goals of Implementing an E-Commerce
Trust InfrastructureTo take advantage of the opportunities of e-commerce andavoid the risks of communicating and transacting businessonline, every business must address practical problems andquestions involving privacy, security and overall confidencein the underlying features of the system. Such concernsinclude:
“How can I be certain that my customers’ credit cardinformation is not accessible to online eavesdropperswhen they enter into a secure transaction on the Web?”
“How can I reassure customers who come to my site thatthey are doing business with me, not with a fake set upto steal their credit card numbers?”
“Once I’ve found a way to authoritatively identify mybusiness to customers and protect private customerinformation on the Web, what’s the best way to letcustomers know about it, so that they can confidentlytransact business with me?”
“When customers feel confident enough to buysomething from me online, how can I enable them topay me easily using their credit cards or other paymentmethods?”
“How can I verify that customer credit card informationis valid?”
“What do I do with payment information oncecustomers send it to me?”
The process of addressing these general security questionsdetermines the fundamental goals of establishing an e-commerce trust infrastructure:
Authentication: Customers must be able to assurethemselves that they are in fact doing business andsending private information with a real entity - not a“spoof” site masquerading as a legitimate bank or e-store.
Confidentiality: Sensitive Internet communications andtransactions, such as the transmission of credit cardinformation, must be kept private.
Data integrity: Communications must be protectedfrom undetectable alteration by third parties intransmission on the Internet.
Nonrepudiation: It should not be possible for a senderto reasonably claim that he or she did not send a securedcommunication or did not make an online purchase.
II. The Solution: How to Build an
Infrastructure for Trusted E-CommerceThe solution for meeting each of the goals above includestwo essential components:
• Digital certificates for Web servers, to provideauthentication, privacy and data integrity throughencryption
• A secure online payment management system, to allowe-commerce websites to securely and automaticallyaccept, process and manage payments online
Together, these technologies form the essential trustinfrastructure for any business that wants to take fulladvantage of the Internet.
A. Overview: Public Key Cryptography & Digital
CertificatesThis section presents background technical information oncryptographic systems, including Public Key Cryptography,the system underlying Secure Sockets Layer (SSL) - thebasis for every e-commerce trust infrastructure.
Encryption is the process of transforming informationbefore communicating it to make it unintelligible to all butthe intended recipient. Encryption employs mathematicalformulas called cryptographic algorithms, or ciphers, andnumbers called keys, to encrypt or decrypt information.
1. Symmetric Cryptography
Until recently, symmetric encryption techniques were usedto secure information transmitted on public networks.Traditional symmetric cryptographic systems are based onthe idea of a shared secret. In such a system, two partiesthat want to communicate securely first agree in advance ona single “secret key” that allows each party to both encryptand decrypt messages.
B U S I N E S S G U I D E
5
Symmetric cryptography has several drawbacks. Exchangingsecret keys is unwieldy in large networks. Furthermore, thesharing of secret keys requires both senders and recipients totrust, and therefore be familiar with, every person theycommunicate with securely. Also, symmetric systems requirea secure channel to distribute the “secret” keys in the firstplace. If there is indeed such a secure channel, why not useit to send the entire secret message?
In today’s Web-based systems involving many participantsand transitory interactions with strong cryptographyrequirements, such symmetric key-based systems are highlyimpractical as a means for agreeing upon the necessarysecrets to begin communicating securely.
This problem, the key agreement or key distributionproblem, is part of a larger problem that is central to themodern understanding of cryptographic systems - the keymanagement problem. The key management problem isdescribed more fully below. Together, they represent thefundamental challenge in designing effective cryptographysystems for modern computing systems. Symmetric keyencryption plays an important role in the SSL protocol,along with asymmetric public key encryption.
2. Public-Key CryptographyToday’s public key or asymmetric cryptography systems area considerable improvement on traditional symmetriccryptography systems in that they allow two parties toexchange data privately in the presence of possibleeavesdroppers, without previously agreeing on a “sharedsecret.” Such a system is called “asymmetric” because it isbased on the idea of a matched cryptographic key pair inwhich a cryptographic key is no longer a simple “sharedsecret” but rather is split into two subkeys, the private keyand public key.
Abstractly, a participant wishing to receive encryptedcommunications using an asymmetric cryptography systemwill first generate such a key pair, keeping the private-keyportion as a secret and “publishing” the public-key portionto all parties that would like to encrypt data for thatparticipant. As encrypting data requires only access to thepublic key, and decrypting data requires the private key,such a system in principle can sidestep the first layer ofcomplexity in the key management problem since no sharedsecret need be exchanged.
3. Modern Cryptography Systems: A Hybrid
Approach
In fact, a combination of both public-key and traditionalsymmetric cryptography is used in modern cryptographicsystems. The reason for this is that public-key encryptionschemes are computationally intensive versus theirsymmetric key counterparts. As symmetric key cryptography
is much faster for encrypting bulk data, moderncryptography systems typically use public-key cryptographyto solve the key distribution problem first, then symmetrickey cryptography is used to encrypt the bulk data.
Such a scheme is used by today’s SSL protocol for securingWeb transactions, as well as by secure e-mail schemes suchas S/MIME that are built into such products as NetscapeCommunicator and the Microsoft Internet Explorer. See“IV. SSL Server Certificates” below for more on SSL.
4. The Key Management Problem
Underlying every cryptographic system is a set of practicalproblems and questions involving privacy, security andoverall confidence in the underlying confidentiality featuresof the system. In principle, the techniques of asymmetricand symmetric cryptography are sufficient to resolve thesecurity questions and properties described above. Forexample, today’s Web browsers use the public key of awebsite in order to send credit card numbers over the Web;similarly, one can protect access to files and data using aprivate symmetric key to scramble the information beforesaving it.
However, in practice, each of these problems requires a“certified” public key in order to operate correctly withoutthird parties being able to interfere. This leads to a secondset of questions; for example:
“How can I be sure that the public key that my browseruses to send credit card information is in fact the rightone for that website, not a bogus one?”
“How can I reliably communicate my public keys to mycorrespondents so that they can rely on it to send meencrypted communications?”
What’s needed in order to address such concerns is thenotion of a “secure binding” between a given entity thatparticipates in a transaction and the public key that is usedto bootstrap secure communication with that entity usingasymmetric public key cryptography.
5. Digital Signatures
Digital signatures are based on a combination of thetraditional idea of data hashing with public-key basedencryption. Most hash functions are similar to encryptionfunctions; in fact, some hash functions are just slightlymodified encryption functions. Most operate by grabbing ablock of data at a time and repeatedly using a simplescrambling algorithm to modify the bits. If this scramblingis done repeatedly, then there is no known practical way topredict the outcome - it is not in general practical forsomeone to modify the original data in any way whileensuring that the same output will emerge from the hashfunction. These hash-based signature algorithms use a
B U S I N E S S G U I D E
6
cryptographically secure hash function such as MessageDigest 5 (MD-5) or Secure Hash Algorithm (SHA) toproduce a hash value from a given piece of data.
As the digital signature process is central to the idea of adigital certificate - and in turn, the digital certificate is theprimary tool to ensure e-commerce security - it’s useful tolook at a diagram of the process:
Figure 1: Steps in forming and verifying a digitally signedmessage
The figure illustrates the steps taken by a sender in forminga digitally signed message as well as the steps a recipienttakes in verifying that the signed message is valid.
The first step is to take the original message and compute a“digest” of the outgoing message using a hashing algorithm.The result is a “message digest,” which is typically depictedas a long string of hexadecimal digits (and manipulated bysoftware as binary data). In the next step, the sender useshis private key to encrypt the message digest.
The original message content, together with the encrypteddigest, forms a digitally signed message, as depicted in thecentre of the figure. This digitally signed message is suitable
for delivery to the recipient. On receipt, the receiver verifiesthe digital signature using an inverse set of steps: first theencrypted digest is decrypted using the sender’s public key.Next, this result is compared to an independentcomputation of the message digest value using the hashingalgorithm. If the two values are the same, the message hasbeen successfully verified.
Note that no actual encryption of the message content itselfneed take place. Only the digital signature itself isencrypted while the message is in transit (unless of coursethere are privacy concerns, in which case the messagecontent should be encrypted as well).
Why is a digital signature compelling evidence that only theintended signer could have created the message? Forexample, what if interlopers were to change the originalmessage? It was not encrypted, after all, and could havebeen changed by a third party in transit. The answer is thatif such a change had been made, then the decryptedoriginal message digest wouldn’t have matched therecomputed one for the changed data in the message.Verification of the digital signature would fail. Similarly, thecreation of a bogus signature is impractical because aninterloper doesn’t have the appropriate private key.
6. Digital Certificates
A digital certificate is an electronic file that uniquelyidentifies individuals and websites on the Internet andenables secure confidential communications. It associatesthe name of an entity that participates in a securedtransaction (for example, an e-mail address or a websiteaddress) with the public key that is used to signcommunication with that entity in a cryptographic system.
Typically, the “signer” of a digital certificate is a “trustedthird party” or “Certificate Authority” (CA), such asVeriSign, that all participants in the use of such certificatesagree is a point of secure storage and management of theassociated private signing key. The CA issues, creates andsigns certificates as well as possibly playing a role in theirdistribution.
Using digital certificates simplifies the problem of trustingthat a particular public key is in fact associated with aparticipating party, effectively reducing it to the problem of“trusting” the associated CA service. Digital certificatestherefore can serve as a kind of digital passport orcredential. This approach represents an advance in the keymanagement problem because it reduces the problem ofbootstrapping trust to the problem of setting up (or intoday’s marketplace, selecting as a vendor) the appropriateCA functionality. All parties that trust the CA can beconfident that the public keys that appear in certificates arevalid.
HashingAlgorithm
OriginalMessage
Steps inForming aDigitallySigned
Message
MessageDigest
+
{=
Sender'sPrivate Key
MessageDigest
EncryptedDigest
+ =
Sender'sPublic Key
EncryptedDigest
Steps inVerifying
A DigitallySigned
Message
RecoveredMessage Digest
+
{=
DigitalSigned
Message {
HashingAlgorithm
OriginalMessage
MessageDigest
+ =
B U S I N E S S G U I D E
7
a. Example: Use of Signer Certificates in NetscapeCommunicator (v4.05 & later)Digital certificates already play a fundamental role inInternet-based cryptography systems. For example,consider the case of a secure Web transaction that takesplace when a user visits a Web storefront to make a creditcard purchase. When the user’s browser accesses a securepage, a public key from the Web store has already beendelivered to the client browser in the form of an X.509digital certificate. All this happens transparently to thebrowser user at the time the secure connection is set up.
The browser trusts the certificate because it is signed andthe browser trusts the signature because the signature canbe verified. And why can it be verified? Because thesigner’s public key is already embedded in the browsersoftware itself. To see this in the particular case ofNetscape Communicator, begin by clicking on the“Security” icon on the main toolbar.
Figure 2: The “Security” Toolbar button in Netscape
Communicator v4.0
Under “Certificates”, choose “Signers” and scroll downthe list. A window similar to the following should appear:
Figure 3: The list of certificate signers hard-coded to be
trusted in Netscape Communicator
Next select a particular certificate and click on the “Edit”button. A display similar to the following should appear:
Figure 4: A VeriSign CA certificate embedded in
Netscape Communicator
This is a representation of an X.509 digital certificate.Although X.509 certificates come in three differentversions, version 3 certificates, such as the one displayedhere, are the ones that are most commonly encounteredin today’s cryptography systems. Such a certificate consistsof the following fields to identify the owner of thecertificate as well as the trusted CA that issued thecertificate:
B U S I N E S S G U I D E
8
• version
• serial number
• signature algorithm ID
•issuer name
• validity period
• subject (user) name
• subject public-key information
• issuer unique identifier (version 2 and 3 only)
• subject unique identifier (version 2 and 3 only)
• extensions (version 3 only)
• digital signature for the above fields
Figure 5: The fields of a X.509 digital certificate
Although only a few of these fields are shown in Figure 4(version, serial number, issuer name and subject name)corresponding to the display elements in Figure 4, thesebasic elements give an idea of what such a typicalcertificate contains.
A more detailed dump of raw certificate content lookslike this:
Certificate:
Data:
Version: v3 (0x2)
Serial Number: 8 (0x8)
Signature Algorithm: PKCS #1 MD5 With RSA
Encryption
Issuer: CN=Root CA, OU=CIS, O=Structured Arts
Computing Corporation, C=US
Validity:
Not Before: Fri Dec 5 18:39:01 1997
Not After: Sat Dec 5 18:39:01 1998
Subject: CN=Test User, OU=Test Org Unit, O=Test
Organization, C=US
Subject Public Key Info:
Algorithm: PKCS #1 RSA Encryption
Public Key:
Modulus:
00:c2:29:01:63:a1:fe:32:ae:0c:51:8d:e9:07:6b:02:fe:ec:
6d:0e:cc:95:4b:dc:0a:4b:0b:31:a3:1a:e1:68:1f:d8:0b:b7:
91:fb:f7:fd:bd:32:ba:76:01:45:e1:7f:8b:66:cd:7e:79:67:
8d:48:30:2a:09:48:4c:9b:c7:98:d2:b3:1c:e9:54:2c:3c:0a:
10:b0:76:ae:06:69:58:ac:e8:d8:4f:37:83:c3:f1:34:02:6d:
9f:38:60:6f:5e:54:4f:71:c7:92:28:fb:0a:b3:44:f3:1a:a3:
fe:99:f4:3f:d3:12:e2:f8:3b:03:65:33:88:9b:67:c7:de:88:
23:90:2b
Public Exponent: 65537 (0x10001)
Extensions:
Identifier: Certificate Type
Critical: no
Certified Usage:
SSL Client
Identifier: Authority Key Identifier
Critical: no
Key Identifier:
a7:84:21:f4:50:0e:40:0f:53:f2:c5:d0:53:d5:47:56:b7:c5:
5e:96
Signature:
Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
2d:76:3f:49:5b:53:3a:c5:02:06:a3:67:6d:d9:03:50:57:7f:
de:a7:a9:cd:69:02:97:6f:66:6a:7f:95:ea:89:75:7a:fc:b0:26:8
1:fc:33:bb:60:e8:f7:73:77:37:f8:8a:04:3b:fc:c1:3e:42:40:3d:5
8:16:17:7e:47:35:1c:73:5a:ab:72:33:c3:f5:2b:c6:eb:b5:39:52:8
2:c6:3e:e1:38:c6:39:8b:ee:e3:9f:b3:b9:29:42:0d:11:a5:79:af:
6d:3a:f8:a6:ba:d0:9c:55:48:0d:75:91:05:0b:47:67:98:32:f3:
2d:2e:49:ed:22:ab:28:e8:d6:96:a1:9b
Figure 6: The fields of a X.509 digital certificate
IV. SSL Server CertificatesThe practical means of implementing PKI and digitalsignatures are via Web server certificates that enableauthentication and SSL encryption. SSL certificates formthe basis of an Internet trust infrastructure by allowingwebsites to offer safe, secure information exchange to theircustomers. SSL server certificates satisfy the need forconfidentiality, integrity, authentication andnonrepudiation.
A. SSL DefinedSecure Sockets Layer (SSL), originally developed byNetscape Communications, is an information technologyfor securely transmitting information over the Internet. TheSSL protocol has become the universal standard on theWeb for authenticating websites to Web browser users andfor encrypting communications between browser users andWeb servers.
Server certificates are available from Certificate Authorities(CAs) such as VeriSign - trustworthy, independent thirdparties that issue certificates to individuals, organisationsand websites. CAs use thorough verification methods toensure that certificate users are who they claim to be beforeissuing them. CA’s own self-signed SSL digital certificatesare built into all major browsers and Web servers, includingNetscape Communicator and Microsoft Internet Explorer,so that simply installing a digital certificate on a Web serverenables SSL capabilities when communicating with Webbrowsers.
SSL server certificates fulfil two necessary functions toestablish e-commerce trust:
B U S I N E S S G U I D E
9
• SSL server authentication: Server certificates allowusers to confirm a Web server’s identity. Web browsersautomatically check that a server’s certificate and publicID are valid and have been issued by a certificateauthority (CA) - such as VeriSign - included in the listof trusted CAs built into browser software. SSL serverauthentication is vital for secure e-commercetransactions in which users, for example, are sendingcredit card numbers over the Web and first want toverify the receiving server’s identity.
• SSL encryption: SSL server certificates establish asecure channel that enables all information sent betweena user’s Web browser and a Web server to be encryptedby the sending software and decrypted by the receivingsoftware, protecting private information frominterception over the Internet. In addition, all data sentover an encrypted SSL connection is protected with amechanism for detecting tampering: that is, forautomatically determining whether the data has beenaltered in transit. This means that users can confidentlysend private data, such as credit card numbers, to awebsite, trusting that SSL keeps it private andconfidential.
B. How SSL Server Certificates WorkSSL Certificates take advantage of SSL to work seamlesslybetween websites and visitors’ Web browsers. The SSLprotocol uses a combination of asymmetric public keyencryption and faster symmetric encryption.
The process begins by establishing an SSL “handshake” -allowing the server to authenticate itself to the browser userand then permitting the server and browser to cooperate inthe creation of the symmetric keys used for encryption,decryption and tamper detection:
1. A customer contacts a site and accesses a secured URL:a page secured by a SSL Certificate (indicated by aURL that begins with “https:” instead of just “http:”or by a message from the browser). This mighttypically be an online order form collecting privateinformation from the customer, such as address, phonenumber and credit card number or other paymentinformation.
2. The customer’s browser automatically sends the serverthe browser’s SSL version number, cipher settings,randomly generated data and other information theserver needs to communicate with the client usingSSL.
3. The server responds, automatically sending thecustomer’s browser the site’s digital certificate, alongwith the server’s SSL version number, cipher settingsetc.
4. The customer’s browser examines the informationcontained in the server’s certificate and verifies that:
a. The server certificate is valid and has a valid date
b.The CA that issued the server been signed by atrusted CA whose certificate is built into the browser
c. The issuing CA’s public key, built into the browser,validates the issuer’s digital signature
d.The domain name specified by the server certificatematches the server’s actual domain name
If the server cannot be authenticated, the user is warnedthat an encrypted authenticated connection cannot beestablished.
5. If the server can be successfully authenticated, thecustomer’s Web browser generates a unique “sessionkey” to encrypt all communications with the site usingasymmetric encryption.
6. The user’s browser encrypts the session key itself withthe site’s public key so that only the site can read thesession key and sends it to the server.
7. The server decrypts the session key using its ownprivate key.
8. The browser sends a message to the server informing itthat future messages from the client will be encryptedwith the session key.
9. The server then sends a message to the clientinforming it that future messages from the server willbe encrypted with the session key.
10. An SSL-secured session is now established. SSL thenuses symmetric encryption, (which is much faster thanasymmetric PKI encryption) to encrypt and decryptmessages within the SSL-secured “pipeline.”
11. Once the session is complete, the session key iseliminated.
It all takes only seconds and requires no action by the user.
The Netscape Navigator and the Microsoft InternetExplorer browsers have built-in security mechanisms toprevent users from unwittingly submitting their personalinformation over insecure channels. If a user tries to submitinformation to an unsecured site (a site without an SSLserver certificate), the browsers will show a warning bydefault:
B U S I N E S S G U I D E
1 0
In contrast, if a user submits credit card or other informa-tion to a site with a valid server certificate and an SSL con-nection, the warning does not appear. The secure connec-tion is seamless, but visitors can be sure that transactionswith a site are secured by looking for the following cues:
• The URL in the browser window displays “https” at thebeginning, instead of http.
• In Netscape Communicator, the padlock in the lowerleft corner of the Navigator window will be closedinstead of open.
• In Internet Explorer, a padlock icon appears in the barat the bottom of the IE window.
1. SSL Strengths: 40-bit and 128-bit SSLSSL comes in two strengths, 40-bit and 128-bit, which referto the length of the session key generated by everyencrypted transaction. The longer the key, the moredifficult it is to break the encryption code. 128-bit SSLencryption is the world’s strongest: according to RSA Labs,it would take a trillion trillion years to crack using today’stechnology. 128-bit encryption is approximately 3 X 1026stronger than 40-bit encryption.
Microsoft and Netscape offer two versions of their Webbrowsers, export and domestic, which enable different levelsof encryption depending on the type of SSL servercertificate with which the browser is communicating.
• 40-bit SSL server certificates (such as VeriSign’s SSLCertificates) enable 40-bit SSL when communicatingwith export-version Netscape and Microsoft InternetExplorer browsers (used by most people in the U.S. andworldwide) and 128-bit SSL encryption whencommunicating with domestic-version Microsoft andNetscape browsers.
• 128-bit SSL server certificates (such as VeriSign’sGlobal Server IDs) enable 128-bit SSL encryption - theworld’s strongest - with both domestic and exportversions of Microsoft® and Netscape® browsers.
In order to fully enable 128-bit encryption with a GlobalServer ID, it is important to generate the right kind ofprivate key during the process of obtaining an SSLCertificate. An important step in the process is generating aCertificate Signing Request within the Web server software.In generating a CSR, Web server administrators should becareful to select a 1024-bit private key, which enables theGlobal Server ID to establish 128-bit SSL encryption,rather than a 512-bit private key, which enables only 40-bitencryption.
Netscape users can follow these steps to see what level ofencryption is protecting their transactions:
• Go to the secure Web page you want to check.
• Click the Security button in the Navigator toolbar. TheSecurity Info dialogue box indicates whether thewebsite uses encryption.
• If it does, click the Open Page Info button to displaymore information about the site’s security features,including the type of encryption used.
• You can also check to see which level of SSL is activatedon your Web server by following these steps:
• Using a 128-bit client, such as the domestic version ofthe Netscape Navigator, click on Options/SecurityPreferences.
• Under the enable SSL options, click on Configure forboth SSL 2 and SSL 3. Make sure acceptance for the40 and 56 bit encryption ciphers are turned off.
• Try to access the site. If it using less than 128 bitsecurity, then you will receive an error in your browserwindow: “Netscape and this server cannot communicatesecurely because they have no common encryptionmethods.”
IE users can find out a website’s encryption level byfollowing these steps:
• Go to the website you want to check.
• Right-click on the website page and select Properties.
• Click the Certificates button.
• In the Fields box, select “Encryption type.” The Detailsbox shows you the level of encryption (40-bit or 128-bit. See the following section for more informationabout SSL encryption levels).
B U S I N E S S G U I D E
1 1
E-businesses may choose to simplify the process ofcertificate checking for site visitors by describing thesecurity measures they have implemented in a Security andPrivacy statement on their sites. Sites that use VeriSign SSLCertificates can also post the Secure Site Seal on theirhomepage, security statement page and purchase pages. TheSeal is a widely recognised symbol of trust that enables sitevisitors to check certificates in real time from VeriSign withone click (see “VII. The VeriSign Advantage” below formore information about the Seal).
2. SGC and 128-bit Step-up
To ensure that strong 128-bit encryption protects e-commerce transactions for all users, businesses should install128-bit IDs, such as VeriSign’s Global Server IDs, on theirservers. However, the export browsers that permit only 40-bit encryption with 40-bit SSL server certificates will allowstrong 128-bit encryption when interacting with 128-bitserver certificates because these certificates are equippedwith a special extension that enable “Server GatedCryptography (SGC)” for Microsoft browsers and“International Step-Up” for Netscape browsers.
The extension enables 128-bit encryption with export-version browsers by prompting two “handshakes” when auser’s browser accesses a page protected by a Global ServerID. When an export-version Netscape or Microsoft browserconnects to the Web server, the browser initiates aconnection with only a 40-bit cipher. When the servercertificate is transferred, the browser verifies the certificateagainst its built-in list of approved CAs. Here, it recognisedthat the server certificate includes the SGC or InternationalStep-Up extension, and then immediately renegotiates theSSL parameters for the connection to initiate an SSL sessionwith a 128-bit cipher. In subsequent connections, thebrowser immediately uses the 128-bit cipher for full-strength encryption.
C. Securing Multiple Servers and
Domains with SSLAs organisations and service providers enhance theirwebsites and extranets with newer technology to reach largeraudiences, server configurations have become increasinglycomplex. They must now accommodate:
• Redundant server backups that allow websites andextranets to maximise site performance by balancingtraffic loads among multiple servers
• Organisations running multiple servers to supportmultiple site names
• Organisations running multiple servers to support asingle site name
• Service providers using virtual and shared hostingconfigurations
However, in complex multiserver environments, SSL servercertificates must be used carefully if they are to serve theirpurpose of reliably identifying sites and the businessesoperating them to visitors and encrypt e-commercetransactions - establishing the trust that customers requirebefore engaging in e-commerce.
When used properly in an e-commerce trust infrastructureequipped with multiple servers, SSL server certificates muststill satisfy the three requirements of online trust:
1. Client applications, such as Web browsers, can verifythat a site is protected by an SSL server certificate bymatching the “common name” in a certificate to thedomain name (such as www.verisign.co.uk) thatappears in the browser. (Certificates are easily accessiblevia Netscape and Microsoft browsers).
2. Users can also verify that the organisation listed in thecertificate has the right to use the domain name and isthe same as the entity with which the customer iscommunicating.
3. The private keys corresponding to the certificate,which enable the encryption of data sent via Webbrowsers, are protected from disclosure by theenterprise or ISP operating the server.
1. The Certificate Sharing ProblemVeriSign recommends that, to satisfy the requirements ofInternet trust, one SSL server certificate be used to secureeach domain name on every server in a multi-serverenvironment and that the corresponding private keys begenerated from the hosting server.
Some enterprises or ISPs practice certificate sharing or use asingle SSL server certificate to secure multiple servers.Organisations use certificate sharing in order to secure back-up servers, ensure high-quality service on high-traffic sitesby balancing traffic among several servers or, in the case ofISPs and Web hosts, to provide inexpensive SSL protectionto price-sensitive customers. However, as described in thefollowing section, certificate-sharing configurations do notsatisfy the fundamental requirements of Internet trust.
2. VeriSign Recommendations for Implementing SSL
on Multiple Servers
Here are some common shared certificate configurationsand VeriSign’s recommendations for addressing them tomost effectively reinforce an e-commerce trustinfrastructure:
Fail-Safe Backup: Redundant servers, not usedsimultaneously: Certificate sharing is permissible.However, when the back-up server is not under the samecontrol as the primary server, the private key cannot be
B U S I N E S S G U I D E
1 2
adequately protected and a separate certificate should beused for each server.
Load Balancing: Multiple sites with different commonnames on multiple servers: To prevent browsers fromdetecting that the URL of the site visited differs from thecommon name in the certificate and to protect thesecurity of private keys, a different certificate should beused for each server/domain name combination.
Load Balancing: Multiple sites with the same commonname on multiple servers: Instead of jeopardisingprivate key functionality by copying the key for multipleservers, a different certificate should be used for eachserver. Each certificate may have the same common nameand organisational name but slightly differentorganisational unit values.
ISP Shared SSL: One certificate issued to an ISP’sdomain, used on multiple servers by multiple Websites: This prevents site visitors from verifying that thesite they are visiting is the same as the site protected bythe certificate and listed in the certificate itself. Each site’sserver should have its own certificate. Or merchants mustinform their customers that site encryption is provided bythe ISP, not the merchant, and the ISP must guaranteethe services of all the hosted companies whose sites useshared SSL.
Name-Based Virtual Hosting: An ISP or Web Hostprovides each hosted customer with a unique domainname, such as customername.isp.com: If the samecertificate is used for each domain name, browsers willindicate that the site domain name does not match thecommon name in the certificate. To solve this problem, a“wildcard” certificate of the form *.isp.com is required toproperly serve the multi-hostname configuration withoutcreating browser mismatch error messages. (VeriSignoffers wildcard certificates on a case-by-case basis andthey are subject to certain additional licensing terms andconditions. For more information, please [email protected].)
For a complete explanation of VeriSign’s solutions forsecuring multiple Web server and domain configurations,please see our white paper athttp://www.verisign.com/rsc/wp/certshare/certshare.pdf.
V. Online Payment ServicesOnce businesses have built a website and implemented SSLcertificates to authenticate themselves to customers andencrypt communications and transactions, they mustaddress another crucial component of an e-commerceinfrastructure: enabling customers to easily pay for productsand services online, and processing and managing those
payments in conjunction with a complex network offinancial institutions.
Today’s fragmented Internet payment systems often connectonline merchants to banks via privately operated, point-to-point payment networks. In 1998, for example, over 5billion electronic payment transactions - originating fromapproximately 2 million merchant locations andrepresenting over $250 billion in merchant dollar volume -were passed over leased lines and non-Internet interfaces toa single transaction processor (First Data Corporation).
This situation is rapidly changing. Internet commerce isentering an accelerated growth phase. IDC estimatesworldwide e-commerce revenues will increase to $218billion in 2000. Behind each of these Internet purchases is apayment transaction. However, traditional payment systemshave proven to be ill equipped to manage the costs andcomplexity of transitioning and enabling transactions overthe Internet. As a result, only a fraction of today’spotentially automated e-commerce transactions arecurrently enabled for Internet payment. The situation isparticularly acute in the B2B payments arena - today, mostB2B systems stop short of enabling actual paymentexecution on the Web.
Demand is therefore high for a simpler, “Internet paymentgateway” approach that provides easier Internet connectivitybetween buyers, sellers and the financial networks thatmove money between them. A truly flexible Internetpayment gateway must support multiple paymentinstruments, connect to all relevant back-office paymentprocessors and be packaged for easy integration into front-office Web applications. Ideally, the gateway should alsooffer uniform interfaces to payment functionality,permitting e-businesses to deploy payment applications thatcan be easily switched between alternative financialinstruments, institutions and payment processors. To formpart of a complete e-commerce trust infrastructure, thegateway must assure fail-safe security for payment data as itpasses from customer to website and through the back-endprocessing system.
Some merchants may build an Internet payment gatewaythemselves or purchase a software-based solution. However,according to the Gartner Group, most e-merchants havetransaction volumes that do not justify the expense ofbringing the process in-house and are opting for outsourcedASP solutions.
A. The Internet Payment Processing SystemUnderstanding how best to address the need for Internetpayment gateway services first requires a brief examinationof the participants in an Internet payment processingsystem.
B U S I N E S S G U I D E
1 3
Participants in a typical online payment transaction include:
• The customer: typically, a holder of a payment card -such as a credit card or debit card - from an issuer.
• The issuer: a financial institution, such as a bank, thatprovides the customer with a payment card. The issueris responsible for the cardholder’s debt payment.
• The merchant: the person or organisation that sellsgoods or services to the cardholder via a website. Themerchant that accepts payment cards must have anInternet Merchant Account with an acquirer.
• The acquirer: a financial institution that establishes anaccount with a merchant and processes payment cardauthorisations and payments. The acquirer providesauthorisation to the merchant that a given card accountis active and that the proposed purchase does not exceedthe customer’s credit limit. The acquirer also provideselectronic transfer of payments to the merchant’saccount and is then reimbursed by the issuer via thetransfer of electronic funds over a payment network.
• The payment gateway: This function, operated by athird-party provider, processes merchant payments byproviding an interface between the merchant and theacquirer’s financial processing system.
• The processor: a large data centre that processes creditcard transactions and settles funds to merchants,connected to the merchant on behalf of an acquirer viaa payment gateway.
The basic steps of an online payment transaction includethe following:
1. The customer places an order online by selecting itemsfrom the merchant’s website and sending the merchanta list. The merchant often replies with an ordersummary of the items, their price, a total and an ordernumber.
2. The customer sends the order to the merchant,including payment data. The payment information isusually encrypted by an SSL pipeline set up betweenthe customer’s Web browser and the merchant’s Webserver SSL certificate.
3. The merchant requests payment authorisation from thepayment gateway, which routes the request to banksand payment processors. Authorisation is a request tocharge a cardholder and must be settled for thecardholder’s account to be charged. This ensures thatthe payment is approved by the issuer and guaranteesthat the merchant will be paid.
4. The merchant confirms the order and supplies thegoods or services to the customer.
5. The merchant requests payment, sending the requestto the payment gateway, which handles the paymentprocessing with the processor.
6. Transactions are settled or routed by the acquiringbank to the merchant’s acquiring bank for deposit.
B. VeriSign Payflow Payment ServicesVeriSign Payflow Payment Services offers the most effectiveway to streamline the flow of all kinds of payments throughthis complex system - quickly, efficiently, and above all,securely. Payflow simplifies e-commerce by providingpayment connectivity over the Internet between buyers,sellers and financial networks. VeriSign uses a client serverarchitecture to process transactions: the client is installed onthe merchant’s site and integrated with the merchant’s e-commerce application. The client software establishes asecure link with the VeriSign processing server using an SSLconnection to transmit encrypted transaction requests. TheVeriSign server transmits the request over a private networkto the appropriate financial processing network. When theauthorisation response is received via the financialprocessing network, the server returns the response to themerchant’s client, which then completes the transaction bysending an acknowledgment to the server. Typicaltransactions occur within 3 seconds.
By partnering with VeriSign, merchants gain the ability tofree themselves from point-to-point and difficult-to-integrate payment solutions, reaping the benefits of anintegrated payment platform designed specifically for theInternet. Payflow supports all major consumer credit card,debit card, electronic cheque, purchase card and AutomatedClearingHouse (ACH) transactions. (ACH is a nationwidewholesale electronic payment and collection system thatserves as a method of transferring funds between banks viathe Federal Reserve System.)
Its robust and open architecture has been designed tosupport both business-to-consumer (B2C) and business-to-business (B2B) payment applications. It provides theindustry’s highest performance and reliability and is a highlyscalable outsourced solution that can easily grow tohundreds of millions of transactions per month. VeriSignPayflow has proven to be considerably faster, more reliableand scalable than any other competing solution. UsingVeriSign Payflow, a merchant can connect to most banks,transaction services or forms of payment without worryingabout the underlying technology. Customers can pay with avariety of financial instruments, including cheque accounts,savings accounts and credit cards, quickly and simply.
B U S I N E S S G U I D E
1 4
VeriSign Payflow hides the complexity of payment
Competitive design advantages of the VeriSign Payflowservice include:
• Open connectivity with almost all bank processors andpayment types through unified interfaces
• Pre-integration with the most popular e-commerceapplications and forthcoming payment-enabled Internetappliances such as Personal Digital Assistants (PDAs)
• Continuous maintenance of a TCP/IP networkconnection throughout each transaction until it eithersuccessfully completes or times out. Unlike mostcompeting solutions, VeriSign Payflow’s paymentconnection both enables a faster response times(averaging 2.2 seconds) and - through confirmation oftransaction completion - eliminates the uncertainty oftransaction status.
• High availability that exceeds 99.99 percent withdynamic load balancing and failover between all servers
• An XML integration layer both on the server side forease of integration with additional services (such asfraud screening) and on the merchant side for ease ofintegration into back office applications
• A Software Development Kit (SDK) allowing for moreadvanced custom integration into e-commerceapplications
On the merchant side, VeriSign’s payment connectivitytechnology works with all major shopping basket and e-commerce systems. Merchants can select the shoppingbasket system and storefront system that best suits theirneeds and be confident that VeriSign can make theconnections.
To the Internet merchant, VeriSign offers:
• Lower connectivity cost: Connecting to the paymentnetworks over the Internet through VeriSign costs lessto set up and maintain than leased lines or modemconnections.
• Better connection quality: VeriSign manages high-bandwidth, fault-tolerant network connections to theprocessing networks.
• More payment options: Merchants can add newpayment types without having to install new software.
• Increased flexibility: Merchants can switch bankingrelationships and continue to use the same installedsoftware to process payments with the new bank.
On the processor side, VeriSign works with all of the majorprocessing and bank networks. Again, the merchant justselects an appropriate shopping basket, e-commerce packageor VeriSign-provided software development kit and knowsthat VeriSign will make the necessary connections to thetransaction processing services.
1. How Payment Processing Services WorkAt the application level, VeriSign’s payment processingservices can be accessed in three ways:
• Payflow-enabled e-commerce applications: Many off-the-shelf e-commerce applications are pre-enabled touse VeriSign’s Payflow payment processing, givingmerchants a complete solution that can be used out-of-the-box. VeriSign’s broad third-party support andsuperior payment connectivity enables merchants toindependently choose the best e-commerce applicationand the best payment processor for their business needs.
• Payflow Link: A hosted order form service that makespayment processing as simple as adding Web links to amerchant’s website. See “VI. VeriSign E-CommerceTrust Infrastructure Solutions” below for more onPayflow Link.
• Payflow Pro SDK: A software development kit thatgives merchants direct access to VeriSign’s Payflowpayment processing API via a “thin client” networkservice. See “VI. VeriSign E-Commerce TrustInfrastructure Solutions” below for more on PayflowPro and the Payflow Pro SDK.
Through VeriSign’s acquiring bank partners, merchants arealso able to apply for merchant bank accounts during theregistration process. In all cases, online registration andaccount management enables merchants to be up andrunning in minutes.
Banks
TransactionProcessors
FinancialNetworks
Aggregators& Auction Sites
Merchants
InternetAppliances
B U S I N E S S G U I D E
1 5
A look inside the VeriSign Payflow payment processingoperations centre
C. Payment Processing BackboneThe VeriSign payment client is a Secure Sockets Layer(SSL)-enabled communications agent that uses routingparameter inputs to locate and establish communicationswith a VeriSign transaction server. After a securecommunication channel has been established, transactiondata is passed to the VeriSign payment infrastructure forprocessing. VeriSign transaction communications have beendesigned to minimise message-handling errors by ensuringan uninterrupted, TCP-level communication streambetween the client and the server. The VeriSign architecturehas the highest performance in the industry. The averagetransaction response time is 2.2 seconds.
The following sequence of messages illustrates thecommunication stream during a typical transaction from aVeriSign-enabled client to the VeriSign Payment Servicesoperations centre.
• The client opens an SSL connection to a server andsends all transaction data.
• The server processes the transaction and sends aresponse back to the client.
• The client sends an acknowledgment to the serverindicating that the response was successfully received.
• The connection is closed.
VeriSign Payment Services incorporate the following featuresto reinforce an e-commerce trust infrastructure:
1. Connectivity
VeriSign provides connectivity to more payment processorsand supports more payment types than any other onlinepayment solution provider.
2. Scalability
VeriSign’s transaction processing power can grow quickly,providing throughput and reliability as the transaction loadgrows from millions to hundreds of millions of transactionsper month and beyond. VeriSign combines custom-developed, high-throughput server software with a load-balancing network architecture to deliver a solid paymentInternet service explicitly intended for today’s quicklygrowing e-commerce community.
3. Maximum Throughput
While many payment solutions have been implemented as“add-ons” to existing Web server platforms, VeriSign hasbuilt server software specifically designed for paymenttransactions. This provides significant advantages in threeareas:
• Internal Resources: VeriSign server softwareincorporates a sophisticated threading model designedspecifically to deliver maximum throughput forpayment transactions. Signal and timer logic forhandling payment transaction exceptions and errors isbuilt into the server’s kernel. File system access andlogging are optimised for payment transactions.
PayflowPro SDK
PayflowLink
HTTPSSL
TCP/IPSSL
FirewallFirewallPaymentServerCluster
ReplicatedDatabase
Cluser
Processors
FirewallWeb
ServerCluster
VERISIGN PAYMENT SERVICESPAYFLOW OPERATIONS CENTER
PROCESSOR
First Data Corporation 'Nashville'
Paymentech
TeleCheck
Wells Fargo Norwest
NOVA
VITAL
EDS Aurora
First Data Corporation 'South'
AVAILABLE
Now
Now
Now
Now
Now
Now
Now
Now
PAYMENT TYPES
Credit CardsLevel II Purchase Cards
Credit CardsLevel II Purchase Cards
Electronic Check Verification and Guarantee
ACH
Credit CardsLevel II Purchase Cards
Credit CardsLevel II Purchase Cards
Credit CardsLevel II Purchase Cards
Credit CardsLevel II & III Purchase Cards
B U S I N E S S G U I D E
1 6
• Database Resources: VeriSign uses state-of-the-artDBMS technology to store and log the transactionactivity. It has kernel-level control of database loginsand resources, which provides a level of performancetuning and error recovery that is not available topayment systems that are based on Web servers.
• Network Resources: As the VeriSign server is“payment-aware” at its core, it can manage the complexdynamics of communicating with card processingnetworks. Effective load balancing is achieved both inthe local processes and in coordination with peer serversto implement an array-wide throughput optimisationstrategy - in other words, VeriSign servers perform loadbalancing both internally and in relation to othertransaction servers in their cluster. As transaction loadsgrow for a cluster, this advantage becomes increasinglyimportant.
4. Load Balancing and Linear Growth
Highly available payment processing requires that individualtransaction servers be both extremely reliable and efficient.To provide true scalability, it must be practical to add newserver capacity on demand. VeriSign services are deliveredthrough clusters:
• Payment Server Cluster: These machines run theVeriSign Payment Server and manage the processing ofinbound transaction requests to the processingnetworks.
• Web Server Cluster: These servers provide the Webapplication function associated with the paymentservices. VeriSign’s merchant reporting and virtualterminal systems are provided here.
• Replicated Database Cluster: These machines host thedatabase servers. This cluster is broken up into write-biased, read-biased and replicator machines. Write-biased servers are configured for maximum throughputfor new transactions and are used by default by thetransaction servers. Read-biased servers are configuredfor maximum speed on queries and reports and are usedby default by the Web servers. Replication machinesmanage the synchronisation of the data between all ofthe local database machines in the cluster as well asother cluster and backup/archive services.
VeriSign provides quality service for immense numbers oftransactions by ensuring that it has provided adequateservice clusters and has sufficient bandwidth on the frontside (Internet) and back side (banking networks) toaccommodate the load.
VeriSign’s current production cluster supports a nominalload of two million transactions per day. In practice,capacity is added well before it is needed. As a general rule,when a cluster reaches a nominal load of 30% of capacity
or when there are frequent spikes above 50% of capacity,either new capacity is added to the cluster or a new clusteris added to the service.
5. ReliabilityIn addition to load balancing, VeriSign’s server clusters alsoprovide failure protection. When a cluster suffers a serverfailure, the transaction load is seamlessly redistributed tothe remaining servers in the cluster. Hardware redundancyis also provided within each server for every importantsubsystem.
6. SecurityOne of VeriSign’s fundamental design considerations is, ofcourse, security. The hardware, software and physical plantdeveloped and used by VeriSign services are carefullycoordinated with an aggressive set of best practices toprovide maximum protection and integrity at the transport,system and physical levels.
Transport SecurityTransport security protects transaction messages betweenthe VeriSign client and server. Most transactions sentfrom the VeriSign client to VeriSign’s payment servers aresent over the Internet - a public network. To ensure thatthe contents of transactions are private and that theycannot be altered or embellished in any way, VeriSignuses the Secure Sockets Layer (SSL) protocol for allcommunications between clients and servers. Similarly,Web access to every VeriSign website that providessensitive data is available only under the HTTPSprotocol, which is the same SSL protocol used by theclient, running on top of HTTP.
VeriSign has licensed RSA Security, Inc.’s cryptographictools. These tools are the de facto standard for highlysecure communications over the Internet and are widelyregarded as the best available platform on which to builda secure client/server system. This means that transactiondata sent by the merchant to the VeriSign server can beread and used only by the VeriSign server.
Additionally, VeriSign offers merchants the opportunityto identify a set of IP addresses or subnets that constitutevalid transaction sources for a given merchant. Thismeans that in addition to the protection afforded by SSLmessage encryption, the merchant can specify a range ofIP addresses using a string (for example, 192.32.4.18-20or 192.4.22.*) This specifies the valid IP addresses for theVeriSign payment server. Transactions that originate fromunregistered IP addresses are logged as suspiciousbehaviour for VeriSign’s network monitoring tools toinvestigate. This allows the merchant to further validateand protect the transaction stream to the VeriSignservice.
B U S I N E S S G U I D E
1 7
System SecurityVeriSign payment services are protected by firewallsystems based on an extremely conservative accessstrategy: VeriSign’s payment services are isolated from allother services. VeriSign permits communication with theVeriSign payment server or secured Web servers onlythrough SSL (port 443.) This means there is no backdooraccess for e-mail, FTP, DNS, ICMP and so on, which areall security risks. The only data that can enter is SSLtraffic. All access requires user name and password, IPaddress validation or X.509 client authentication.
The VeriSign service is also protected on the “back side” -its array of network connections to the processingnetworks - by firewall systems that ensure that onlyauthorised traffic from authorised sources gets through toVeriSign’s payment servers.
Inside the server array, a layering strategy further isolatesrepositories that contain sensitive information. Best-of-breed intruder detection systems and network monitoringtools are manned on a 24x7 basis, providing instantnotification of suspicious or unauthorised access, as wellas automatic countermeasures and remedies.
Physical SecurityVeriSign’s measures for physically protecting its PaymentServices include 24x7 card key customer access to datacentres, 24x7 video surveillance and recording of thepremises by security personnel and 24x7 on-site securitypersonnel.
7. XMLIn cooperation with selected e-commerce partners andindustry standards bodies, VeriSign has built an XMLintegration and automation layer into its paymentinfrastructure. This layer provides uniform XML access toall payment-related services, including payment execution,registration and reporting.
XMLPayXMLPay is a VeriSign Payment Services specification thatdefines a set of XML document types for paymenttransactions and XML digital receipts. Although XMLPayloosely follows level 3 purchase card data formats, itsupports a variety of payment instruments beyond justpurchase cards. XMLPay is compliant with the jointIETF/W3C working group specification for digitallysigned XML.
XMLRegisterTurning on a business for VeriSign PayFlow is amoderately complex process that involves the manualintervention of several parties, including not only themerchant and VeriSign Payment Services itself but alsothe merchant’s acquiring bank and a payment processor
to move money between buyer and seller banks. Bothresellers and emerging B2B marketplaces are increasinglydemanding more automated access to the process ofenabling online merchant payment accounts. In response,VeriSign is developing XMLRegister, a specificationdefining data formats and processing infrastructuresupporting the automation of VeriSign Payment Servicesmerchant registrations.
Without XMLRegister, merchants typically must registerone at a time for VeriSign Payment Services. WithXMLRegister, formatted XML documents may besubmitted programmatically over a secure transport to aregistration server. The registration server supportsmethods for a single or group merchant registration. Eachregistration element may be for a new registration orupdate of an existing account. As business rules and theinformation needed to complete a registration varyamong processors and acquirers, an XMLRegisterdocument does not attempt to enforce business rulesrelated to a registration. It merely transports data acrossthe wire for processing by the registration server whosejob is to enforce such rules and report non-compliance.
XMLReportXMLReport specifies data used in payment transactionreports. Resellers or merchants submit XMLReportdocument when they need reports on their transactions.In summary, today’s widespread adoption of XML isleading to three significant developments in the paymentsindustry:
• Extensibility: XML enables easy update and extensionof existing services to quickly add entirely new servicesto existing applications.
• Automation: Currently, merchants can download a setof preset reports from the VeriSign Payflow Managerwebsite, but have limited flexibility in what can bequeried or how the results are returned. XMLReportprovides an automation language for merchantreporting. Complex queries and result formattinginstructions can be communicated to the VeriSignservice in a straightforward manner.
• Interoperability: XML is quickly gaining momentum asthe lingua franca of system interchange. Via its threeXML specifications, VeriSign Payment Services willpublish an XML-based vocabulary for its services. Bycollaborating with partners, this vocabulary will beconsistent with emerging industry-standard vocabularies,as well as those of the partners.
The VeriSign Payflow client continues to provide a high-level API for developers who don’t want to switch to XML.The XML layer is therefore strictly optional and isindependently accessible when it is used to communicaterequests and responses from VeriSign Payflow servers.
B U S I N E S S G U I D E
1 8
VI. VeriSign E-Commerce Trust
Infrastructure Solutions VeriSign offers a complete range of products and services to help businesses implement an end-to-end trustinfrastructure for e-commerce. VeriSign’s server certificates,or SSSL Certificates, are available in both 40-bit and 128-bit SSL as part of Secure Site services. VeriSign PayflowLink and Payflow Pro online payment services enablebusinesses to easily accept, manage and process paymentselectronically. VeriSign’s Commerce Site services combineSSL Certificates, Payflow services and other value-addedfeatures to form a complete e-commerce infrastructure. Forlarge enterprises operating multiple servers, Managed PKIfor SSL Certificates simplifies the process of issuing andmanaging large numbers of SSL Certificates.
A. VeriSign Commerce Site and Secure
Site SolutionsVeriSign provides SSL Certificates in two encryptionstrengths:
• VeriSign’s 128-bit SSL (Global Server) IDs enable theworld’s strongest SSL encryption with both domesticand export versions of Microsoft® and Netscape®browsers. 128-bit SSL Global Server IDs are thestandard for large-scale online merchants, banks,brokerages, health care organisations and insurancecompanies worldwide. U.S. Government regulationsdetermine who can implement the powerful encryptionof 128-bit SSL, though 128-bit IDs are now availableto nearly every company worldwide (seehttp://www.verisign.com/products-services/payment-processing/commerce-site-faq.html).
• 40-bit SSL (Secure Server) IDs are ideal for security-sensitive intranets, extranets and websites.
VeriSign 128-bit SSL and 40-bit SSL Certificates areavailable as part of VeriSign’s site trust solutions.
• Commerce Site Services, exclusively from VeriSign, arecomplete integrated solutions that are ideal for e-merchants and online stores.
• Commerce Site includes a 40-bit SSL (Secure Server)ID and VeriSign Payflow Pro online paymentmanagement service (see below for more information),plus an array of additional value-added services.
• Commerce Site Pro includes a 128-bit SSL (GlobalServer) ID, VeriSign Payflow Pro and value-addedservices.
• Secure Site Services are best for intranets, extranets andwebsites that require the leading SSL certificates andwebsite services.
• Secure Site includes a 40-bit SSL (Secure Server) ID,plus additional value added services.
• Secure Site Pro includes a 128-bit SSL (GlobalServer) ID and value-added services.
The value-added services included with Secure Site andCommerce Site Services include the VeriSign Secure SiteSeal.
The Seal is designed for display on websites as a symbol
of security and trust, encouraging customers to
confidently provide credit card numbers and other
sensitive information. The Secure Site Seal is sent
automatically to the technical contact businesses as part
of the Secure Site or Commerce Site enrolment and
purchasing process, 24 hours after the SSL Certificate is
issued.
When the Seal is posted on a website’s homepage,security/privacy policy page or transaction pages, businessescan connect it to their SSL Certificate. When visitors clickon the Seal, they instantly link to a dynamic pop-up screenof information about the SSL Certificate, assuring themthat transactions with the site are encrypted by SSL andallowing them to verify the site’s identity and check the IDstatus in real time.
Secure Site and Commerce Site solutions also include up to$250,000 of NetSure protection, an extended warrantyprogram that protects e-businesses against economic lossresulting from the theft, corruption, impersonation or lossof use of a server certificate.
For a complete description of the additional featuresincluded with Secure Site and Commerce Site solutions, seehttp://www.verisign.co.uk/products-services/security-services/index.html.
1. How to Enrol for Commerce Site and Secure
Site SolutionsBusinesses can try VeriSign’s 40-bit SSL Certificate for free.The trial SSL Certificate can be applied for athttp://www.verisign.co.uk/products/srv/trial/intro.html now.
Businesses can purchase a one-year full-service SSLCertificate as part of VeriSign’s Secure Site or CommerceSite Services by visiting http://www.verisign.co.uk/products-services/security-services/index.html. The applicationprocess takes about 15 minutes. In one to three days, after
SecuredVeriSign
VERIFY
B U S I N E S S G U I D E
1 9
VeriSign has verified credentials, it delivers your SSLCertificate via e-mail.
The U.S. Department of Commerce requires thatcompanies qualify before buying the 128-bit SSL encryptionpower of Global Server IDs, included with Secure Site Proand Commerce Site Pro Services. All companies within theUnited States are eligible for Global Server IDs. The U.S.Government determines the categories of companies thatcan implement 128-bit SSL encryption technology outsidethe U.S. and across U.S. borders. New regulations makeGlobal Server IDs available to a wider group of customersthan ever before: any company or organisation around theworld may purchase a Global Server ID, with the followingexceptions: persons listed on the U.S. Government’s DeniedPerson’s List and customers located in the followingcountries: Afghanistan (Taliban-controlled areas), Cuba,Iran, Iraq, Libya, North Korea, Serbia, Sudan and Syria.
Before beginning VeriSign’s online enrolment, businessesshould check to make sure they are ready to proceed byfollowing these steps:
• Install server software: Nearly all brands supportVeriSign SSL Certificates. The server on which the 128-bit Global Server ID can run server software from anynon-U.S. software vendor or software from a U.S.software vendor properly classified by the U.S.Department of Commerce, including:
• Apache-SSL
• BEA WebLogic
• C2Net Apache Stronghold
• Compaq/Tandem iTP Webserver
• Covalent Raven
• Hewlett Packard Virtual Vault (with NetscapeEnterprise)
• IBM http Server/Webphone 1.3.3.1 and 1.3.6
• Lotus Domino 4.6.2 and later
• Microsoft IIS 3.0 and later
• Mod-SSL
• Nanoteq Netseq server
• Netscape Suite Spot servers, 3.0 or later, includingNetscape
• Enterprise 3.0+ and Netscape Proxy Server 3.0 orlater, 2.0
• O’Reilly WebSite Pro v.2.5 and up
• Red Hat Professional 6.1
• Register domain name: If you haven’t already, registeryour URL at http://www.networksolutions.com.
• Confirm firewall configuration: Certificate enrolmentrequires that you can make both HTTP and HTTPSconnections to VeriSign’s website.
• Prepare payment: You can pay with a purchase order,cheque, wire transfer or an American Express, Visa,Mastercard or Discover card.
• Review legal agreement: In the process of enrolling,you will need to sign the VeriSign Secure ServerSubscriber Agreement. To review it in advance, seehttp://www.verisign.co.uk/repository/index.html.
• Gather proof of correct documents: Before issuingyour SSL Certificate, VeriSign must confirm that yourcompany is legitimate and is registered with the propergovernment authorities. If you have a Dun & BradstreetDUNS number, simply supply your number.International DUNS numbers must be in the Dun &Bradstreet database for at least two months beforeVeriSign can verify the information. If you do not havea DUNS number, either go to http://www.dnb.com andapply for one, or submit a hard copy of at least one ofthe following filed documents for your company:articles of incorporation, partnership papers, businesslicense or fictitious business license. All documents mustbe in English.
To complete your SSL Certificate enrolment, please visithttp://www.verisign.co.uk/security/index.html. There youwill be instructed to complete the following steps.
1. Generate Certificate Signing Request
Follow the instructions in your server software manual, oronline athttp://digitalid.verisign.com/server/enrollStep3.htm, tocreate a Certificate Signing Request (CSR) and a key pair.After the server software creates the two files, make backupcopies of them on a floppy disk and store the disk in asecure location. This is important: If your private key is lost,VeriSign will not be able to recover it for you.
2. Submit the Certificate Signing Request (CSR) to
VeriSign
Open the CSR file in a text editor, such as WordPad,NotePad or Textpad. Do not use a word processingapplication such as Microsoft Word or Adobe FrameMaker.
Select the text in the CSR, beginning with and including:
--BEGIN NEW CERTIFICATE REQUEST--
and ending with
--END NEW CERTIFICATE REQUEST--
Copy and paste the CSR into the VeriSign online enrolmentform for the trial or the one-year subscription. Click theSubmit button.
3. Complete applicationFill out the online application form with information aboutyour company and contacts. The technical contact must beauthorised to run and maintain your secure Web server and
B U S I N E S S G U I D E
2 0
must be employed by your organisation. If you access theWeb through an Internet Service Provider (ISP), the ISPmay complete the CSR for you and serve as the technicalcontact and you can then enrol. If your ISP does not offerVeriSign IDs, refer it to http://www.verisign.co.uk/verisign-partner-program/index.html for information aboutVeriSign’s Secure Site ISP Program. The organisationalcontact must be authorised to make binding agreements,such as the Secure Server Service Agreement, and must beemployed by your organisation. It is best to select adifferent person from the technical contact. The billingcontact will receive invoices. This can be the same person asthe technical or organisational contact.
4. Authentication takes 1-3 days
Within a few hours of receiving your application, VeriSignwill send a confirmation e-mail to your technical andorganisational contacts. The e-mail will include a URLwhere you can check the status of your application, as wellas a Personal Identification Number (PIN) that you willneed to view the status. If the information you submitted iscomplete, your technical contact and organisational contactwill receive your SSL Certificate by e-mail in 1-3 workingdays.
5. Install your SSL CertificateWhen you receive your SSL Certificate, make a backupcopy of it and store it on a labelled floppy disk, noting thedate you received it. Store the floppy disk in a secure place.To install your SSL Certificate, follow the instructions inyour server software documentation for digital certificates.
6. Enable SSL on your server
Consult your server software manual to enable SSL. Theprocess should take approximately five minutes.
7. Post the Secure Site Seal on all your
secure pages
You should receive a file of the Seal, complete withinstructions on how to install it, via e-mail shortly aftercompleting the enrolment process. You can also finddownloadable Seal files and instructions athttp://www.verisign.co.uk/products-services/security-services/ssl/secured-seal-program/index.html.
Note: SSL imposes some performance overhead. Therefore,most server software applications allow you to apply SSLselectively to Web pages that require encryption, such aspayment pages. There is no benefit from applying SSL toproduct information pages, for example.
B. Payflow Link and Payflow ProVeriSign offers two Payment Services that let e-commercebusinesses securely accept and process credit card, debit
card, purchase card and electronic cheque payments on theInternet:
1. VeriSign Payflow LinkPayflow Link provides a fast, easy-to-use solution thatenables merchants to connect their customers via SSL-secured HTTP to a secure VeriSign-hosted order form toautomate order acceptance, authorisation, processing andtransaction management.
Payflow Link allows merchants to connect to VeriSign
using simple Web links
To use Payflow Link, merchants simply add a Web link tothe appropriate Web pages at their site. When the customerclicks this link, he or she is brought to a secure order formthat is hosted by VeriSign. Transaction details that areencoded in the link are used to initialise the form. Thisincludes SKU data, order amount, tax amount and otherorder-specific parameters. At the Payflow Link order form,the consumer enters the required payment information andsubmits the form to execute the order. When orders aresubmitted, the merchant is notified via e-mail. Merchantsfetch the specifics of new orders from the VeriSign PayflowManager merchant website (see more information onPayflow Manager below).
Targeting the business-to-consumer marketplace, PayflowLink provides an inexpensive payment solution for anymerchant needing the ability to quickly and efficientlyprocess a variety of payment types. Payflow Link isintended for use by merchants who process up to 1,000transactions per month. It is especially easy to implementand affordable, with a low setup cost and flat-fee billing.There is no long-term obligation.
2. Payflow Pro
VeriSign Payflow Pro is the most robust, versatile solutionfor online payment processing - ideal for large-scale e-commerce merchants that require peak performance andcomplete customisability. Payflow Pro is included withCommerce Site and Commerce Site Pro e-commercesolutions and is available separately as a downloadableSoftware Development Kit (SDK). It also comes pre-integrated with most shopping basket and e-commerceplatforms.
HTTPSSL
MerchantPayflow
Link
Static Web Pages
Custom WebApplications
Shopping Carts
B U S I N E S S G U I D E
2 1
Targeting the business-to-business market and enterpriseenvironments requiring discrete control over paymentfunctionality, Payflow Pro gives merchants direct access tothe Payflow payment processing API via a “thin client”network service. The Payflow Pro SDK client software,which is installed on the merchant’s system, is a small (400kfootprint) messaging agent that uses SSL and X.509 digitalcertificate technology to securely communicate withVeriSign’s payment servers.
Payflow Pro SDK gives merchants more control via a
direct TCP/IP connection to the payment gateway and a
flexible Software Development Kit (SDK)
To use Payflow Pro SDK, merchants pass paymenttransaction data to the client through a set name/valuepairs. Here is an example of encoded payment transactiondata:
TRXTYPE=S&TENDER=C&USER=userid&PWD=password&
ACCT=5499740000000016&EXPDATE=1299&AMT=1.00
The Payflow client’s only job is to securely pass the paymenttransaction data to VeriSign’s payment servers for processing.The Payflow client does not contain any payment-specificlogic. This means that VeriSign is able to introduce newservices or transaction types at any time, without upgradingthe Payflow client software. Merchants can take advantageof a new service by simply adding the new parameter valuesit requires to their transaction requests.
Payflow Pro SDK provides support through a single clientinterface for the following payment types:
• Credit cards
• AmEx purchase card
• Purchase cards, Level II & III
• ACH transfer
• Electronic Cheque Verification and Guarantee
As with the Payflow Link service, Payflow Pro enablesmerchants to cost-effectively process high volumes oftransactions under a flat-fee pricing schedule. Payflow ProSDK is intended for merchants who process more than1,000 transactions per month. It is robust and scalable upto hundreds of millions of transactions.
3. How to Purchase Payflow Link and Payflow Pro
At http://www.verisign.com/products-services/payment-processing/index.html, companies can register and obtain ausername and password that will enable them to use andtest VeriSign’s Payflow and/or download Payflow Pro.
Business can purchase and download Payflow Link orPayflow Pro from http://www.verisign.com/products-services/payment-processing/index.html; and can then beginusing the service after opening and activating an InternetMerchant Account from an acquiring bank or financialinstitution.
C. Managed PKI for SSL CertificatesAs managing the lifecycles of SSL Certificates can bechallenging for companies with multiple servers spreadacross multiple divisions and locations, many businessesneed an easy way to control the issue, renewal andrevocation of IDs and manage the access privilegesassociated with each ID.
VeriSign Managed PKI for SSL Certificates is ideal forcompanies that need to deploy SSL Certificates for 10 ormore servers - for intranets, extranets or up to four of acompany’s domain names (“www.verisign.co.uk,” forexample). Managed PKI makes organisations their own“Certificate Authority (CA),” allowing enterprises to issueSSL Certificates in minutes to dozens or even hundreds ofservers with fast, easy-to-use, Web-based tools for issuingserver certificates - without the need for extra hardware,software or dedicated personnel. Businesses can appoint oneor more individuals to serve as Managed PKIadministrators, with full authority to approve, renew, rejectand administer certificates, while VeriSign handles all theback-end services necessary to maintain and scale the CA tomeet Internet trust needs.
Managed PKI for SSL Certificates offer e-businesses thefollowing benefits:
• Convenient, one-step purchasing: Managed PKI forSSL Certificates lets enterprises take advantage of asingle, unified enrolment process, plus volume discountsbased on the number of SSL Certificates needed.Businesses need to complete only one purchase order ayear for all their SSL Certificates.
• Easy to set up and configure: Enterprises can issueSSL Certificates quickly and manage them easily via theintuitive Web-based Managed PKI interface. VeriSignsupplies the cryptographic hardware, configurationwizards, enrolment Web templates and installationguides.
• Cost-effective: Managed PKI eliminates the need toinvest in the expensive hardware, software, or overheadnecessary to build and maintain a server certificatesystem from the ground up.
TCP/IPSSL
MerchantPayflowPro SDK
- Custom Web Applications- Shopping Carts- Bill Presentment Solutions- Internet Enabled Legacy Sytems
B U S I N E S S G U I D E
2 2
• Fast and simple to use: Managed PKI administratorscan issue certificates within minutes of receiving arequest. VeriSign maintains the back-end infrastructure,including high-speed servers, telecommunications lines,data storage and back-up, disaster recovery and 24X7customer service.
• Efficient, centralised ID management: Enterprises cansecure and manage multiple servers throughout theirorganisation’s domain and can easily renew IDs or buyadditional IDs
• Flexible ID bundles: SSL Certificates are available viaManaged PKI in bundles of 10, 25, 50, 100 or more,based on business needs.
1. How to Purchase Managed PKI for SSL
CertificatesTo talk to a VeriSign Sales Representative about purchasingVeriSign Managed PKI for SSL Certificates, businessesshould call 0800 032 2101. Businesses can also obtain moreinformation at http://www.verisign.co.uk/products-services/security-services/ssl/ssl-certificates/features-benefits.html.
VII. The VeriSign AdvantageVeriSign’s SSL Certificates and e-commerce trust serviceshave earned the trust of businesses worldwide, includingvirtually all of the Fortune 500 companies on the Web andall of the top 40 e-commerce sites. To date, VeriSign, theworld’s leading CA, has issued more than 400,000 SSLCertificates.
A SSL Certificate from VeriSign provides the ultimate incredibility for online businesses. VeriSign’s rigorousauthentication practices set the industry standard: VeriSigndocuments its carefully crafted and time-proven practicesand procedures in a Certificate Practices Statement.
VeriSign annually undergoes an extensive SAS 70 Type IIaudit by KPMG. (The Statement of Auditing Standard 70,SAS 70, was established by the American Institute ofCertified Public Accountants to certify trusted practices.)Employees responsible for dealing with certificates undergocomplete background checks and thorough training.
VeriSign has achieved its unsurpassed reputation as atrusted third party by paying as careful attention to physicalsecurity as electronic security. For example, the company’s22,000-square-foot plant where keys are issued has five tiersof security, the last three requiring fingerprint identification.
VeriSign’s rigorous authentication practices, leading-edgecryptographic techniques and ultra-secure facilities aredesigned to maximise confidence in our services. Thesepractices, technology and infrastructure are the foundationfor its e-commerce infrastructure services.
VIII. For More Information • More about VeriSign’s e-commerce trust infrastructure
services is available on the VeriSign website athttp://www.verisign.co.uk.
• Click here for a free trial 40-bit SSL Certificate.
• To purchase a VeriSign Commerce Site or Secure Siteservice, go to http://www.verisign.co.uk/products-services/security-services/index.html, or contact InternetSales on 0800 032 2101.
• For more information about Managed PKI for SSL, seehttp://www.verisign.co.uk/products-services/security-services/ssl/ssl-certificates/index.html or contactVeriSign on 0800 032 2101.
• Learn more about VeriSign Payment Services athttp://www.verisign.com/products-services/payment-processing/index.html.
©2004 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo “Where it all comes together,” and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and itssubsidiaries in the United States and in foreign countries.