chapter 05- payment and security 1.ppt
TRANSCRIPT
-
7/24/2019 CHAPTER 05- PAYMENT AND SECURITY 1.ppt
Slide 1/36 (title slide)
-
Slide 2/36: Learning Objectives
- Describe typical electronic payment systems for EC (electronic commerce)
- Identify the security requirements for safe electronic payments
- Describe the typical security schemes used to meet those requirements
- Identify the players and procedures of the electronic credit card system on the Internet
- Discuss the relationship between the SSL and SET protocols
-
Slide 3/36: Learning Objectives (continued)
- Discuss the relationship between electronic fund transfer (EFT) and debit cards
- Describe the characteristics of a stored value card
- Classify and describe the types of IC cards used for payments
- Discuss the characteristics of electronic check systems
-
Slide 4/36: SSL and SET
SSL (Secure Sockets Layer; since superseded by TLS):
- Support for it is built into customers' browsers
- It is basically an encryption mechanism for order taking, queries and other applications: it protects the channel between the browser and the merchant, not the card data once the merchant has received it
- It does not protect against all security hazards
- It is mature, simple, and widely used
SET (Secure Electronic Transaction):
- A very comprehensive security protocol
- It provides for privacy, authenticity, integrity, and non-repudiation
- It is used very infrequently because of its complexity and the need for a special card reader on the user's side
- It may be abandoned if it is not simplified and improved
-
Slide 5/36: Outline
- SET Protocol for Credit Card Payments
- Electronic Cash and Micropayments
- Electronic Fund Transfer on the Internet
- Stored Value Cards and Electronic Cash
- Electronic Check Systems
-
Slide 6/36: Security Requirements
- Authentication: a way to verify the buyer's identity before payments are made
- Integrity: ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
- Encryption: a process of making messages indecipherable except by those who hold an authorized decryption key (strictly, confidentiality is the requirement and encryption is the mechanism that meets it)
- Non-repudiation: merchants need protection against a customer's unjustifiable denial of placed orders, and customers need protection against a merchant's unjustifiable denial of past payment
-
Slide 7/36: Secret Key Cryptography (symmetric)
Figure (labels recovered from the diagram): the Sender turns the Original Message into a Scrambled Message by Encryption under Key_sender; the Scrambled Message crosses the Internet; the Receiver recovers the Original Message by Decryption under Key_receiver, where Key_sender = Key_receiver (a single shared secret key).
-
Slide 8/36: Public Key Cryptography
Figure, top panel (encryption): the Sender scrambles the Original Message with the receiver's Public Key; the Scrambled Message crosses the Internet; the Receiver restores the Original Message with the receiver's Private Key.
Figure, bottom panel (digital signature): the Sender scrambles the Original Message with the sender's Private Key; the Receiver restores it with the sender's Public Key, which anyone may hold.
-
Slide 9/36: Digital Signature
- A digital signature is attached by a sender to a message encrypted under the receiver's public key
- The receiver is the only one who can read the message, and at the same time is assured that the message was indeed sent by the sender
- The sender "encrypts" a message with her private key; any receiver holding the sender's public key can read it
- Analogous to a handwritten signature
Caveat: "encrypting with the private key" is RSA-specific shorthand for signing. In practice (and in SET, slides 15 to 18) the signature is computed over a fixed-length hash of the message rather than the message itself. Encryption under the receiver's public key supplies confidentiality; the signature supplies origin and integrity; only the two together give both properties claimed above.
-
Slide 10/36: Certificate
Sample certificate:
  Name: Richard
  Key-Exchange Key: (public key)
  Signature Key: (public key)
  Serial #: 2948...
  Other Data: ...
  Expires: ...
  Signed: CA's Signature
- Identifies the holder of a public key (the key-exchange key and the signature key)
- Issued by a trusted certificate authority (CA)
-
Slide 11/36: Certificate Authority (e.g. VeriSign)
Hierarchy of certificate authorities as used by SET (figure: RCA at the top, BCA beneath it, GCA beneath that, and CCA, MCA and PCA as the leaves):
  RCA: Root Certificate Authority
  BCA: Brand Certificate Authority
  GCA: Geo-political Certificate Authority
  CCA: Cardholder Certificate Authority
  MCA: Merchant Certificate Authority
  PCA: Payment Gateway Certificate Authority
- A certificate authority needs to be verified by a government or a well-trusted entity (e.g., the post office)
- Public or private; comes in levels (a hierarchy)
- A trusted third-party service
- Issuer of digital certificates
- Verifies that a public key indeed belongs to a certain individual
-
Slide 12/36: The Players
- Cardholder
- Merchant (seller)
- Issuer (your bank)
- Acquirer (the merchant's financial institution, which acquires the sales slips)
- Brand (VISA, MasterCard)
-
Slide 13/36: The process of using credit cards offline
1. The cardholder requests the issuance of a card of some brand (like Visa or MasterCard) from an issuer bank, in which the cardholder may have an account.
2. Authorization of the card issuance by the issuer bank, or its designated brand company, may require the customer's physical visit to an office.
3. A plastic card is physically delivered to the customer's address by mail. The card takes effect once the cardholder calls the bank for activation and signs the back of the card.
4. The cardholder shows the card to a merchant to pay a requested amount. The merchant then asks for approval from the brand company.
5. Upon approval, the merchant requests payment from the merchant's acquirer bank and pays a fee for the service. This step is called the "capturing process".
6. The acquirer bank requests the issuer bank to pay the credited amount.
-
Slide 14/36: Credit Card Procedure (offline and online)
Figure (Prentice Hall, 2000). Entities: Cardholder, Merchant, Card Brand Company, Issuer Bank (holding the Cardholder Account) and Acquirer Bank (holding the Merchant Account). Flows shown: the credit card presented by the Cardholder to the Merchant; payment authorization and payment data exchanged with the Card Brand Company; account debit data at the Issuer Bank; payment data and amount transfer between the Issuer Bank and the Acquirer Bank.
-
Slide 15/36: SET message processing on the sender's computer
1. The message is hashed to a fixed-length message digest.
2. The message digest is encrypted with the sender's private signature key; the result is the digital signature.
3. The combination of message, digital signature and sender's certificate is encrypted with a symmetric key that is generated on the sender's computer for every transaction. The result is the encrypted message. SET uses the DES algorithm rather than RSA for this step because DES executes much faster than RSA. (Single DES, with its 56-bit key, is no longer considered adequate; a current design would use AES here, but the structure is the same.)
4. The symmetric key itself is encrypted with the receiver's public key-exchange key, which was sent to the sender in advance in the receiver's certificate. The result is the digital envelope.
(Figure: Sender's Computer; Prentice Hall, 2000)
-
Slide 16/36: Sender's Computer (figure; Prentice Hall, 2000)
Figure labels recovered: Message -> (hash) -> Message Digest -> encrypt with Sender's Private Signature Key -> Digital Signature. Message + Digital Signature + Sender's Certificate -> encrypt with Symmetric Key -> Encrypted Message. Symmetric Key -> encrypt with Receiver's Key-Exchange Key (taken from the Receiver's Certificate) -> Digital Envelope.
-
Slide 17/36: SET message processing on the receiver's computer
5. The encrypted message and the digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private key-exchange key, restoring the symmetric key.
7. Using the restored symmetric key, the encrypted message is decrypted back into the message, the digital signature and the sender's certificate.
8. To confirm integrity, the digital signature is decrypted with the sender's public signature key (taken from the sender's certificate), yielding the message digest; the receiver hashes the received message itself and compares the two digests. A match shows that the message is unaltered and was signed by the holder of the sender's private key.
-
Slide 18/36: Receiver's Computer (figure; Prentice Hall, 2000)
Figure labels recovered: Digital Envelope -> decrypt with Receiver's Private Key-Exchange Key -> Symmetric Key. Encrypted Message -> decrypt with Symmetric Key -> Message + Digital Signature + Sender's Certificate. Digital Signature -> decrypt with Sender's Public Signature Key -> Message Digest. Message -> (hash) -> Message Digest. The two Message Digests are compared.
-
Slide 19/36: Entities of the SET Protocol in Cyber Shopping (figure; Prentice Hall, 2000)
Figure labels recovered: Customer X and Customer Y, each with a Digital Wallet and an IC Card Reader; Certificate Authority; Electronic Shopping Mall containing Merchant A and Merchant B; Payment Gateway; Credit Card Brand; SET Protocol 1.0.
-
Slide 20/36: Secure Electronic Transaction (SET) versus Secure Sockets Layer (SSL)
Complexity. SET: complex. SSL: simple.
Scope. SET: tailored to credit card payments to merchants. SSL: a protocol for general-purpose secure message exchange (encryption).
Privacy. SET: hides the customer's credit card information from merchants, and also hides the order information from banks. This scheme is called the dual signature: the cardholder signs the hash of the concatenated hashes of the order information and the payment instruction, so the merchant verifies the signature from the order plus the digest of the payment instruction, and the payment gateway from the payment instruction plus the digest of the order. SSL: may use a certificate, but there is no payment gateway, so the merchant must receive both the ordering information and the credit card information, because the capturing process has to be initiated by the merchant.
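The dual signature named in the SET column, as an added example (not code from the slides or from the Prentice Hall text). A constructed order information (OI) and payment instruction (PI) are signed once over H(H(OI) || H(PI)); the merchant verifies with OI plus H(PI), the payment gateway with PI plus H(OI), and neither party can alter its own half without invalidating the signature. SHA-256 and RSA-PSS stand in for the SHA-1 and PKCS#1 RSA that SET 1.0 specified; the JSON strings, the well-known 4111... test card number and the names DualSign, MerchantVerify, GatewayVerify and DemoDualSignature are assumptions of the example. Encrypting PI for the gateway so that the merchant never sees it is the digital-envelope step shown on slides 15 to 18 and is not repeated here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualSignature travels with a purchase request. The merchant receives it with
// the order information (OI) and only the digest of the payment instruction
// (PI); the payment gateway receives it with PI and only the digest of OI.
type DualSignature struct {
	OIDigest []byte // H(OI)
	PIDigest []byte // H(PI)
	Sig      []byte // cardholder's signature over H(H(OI) || H(PI))
}

func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// pomd is the payment-order message digest that is actually signed.
func pomd(hOI, hPI []byte) []byte {
	return digest(append(append([]byte{}, hOI...), hPI...))
}

// DualSign is run by the cardholder's wallet software.
func DualSign(cardholder *rsa.PrivateKey, oi, pi []byte) (*DualSignature, error) {
	hOI, hPI := digest(oi), digest(pi)
	sig, err := rsa.SignPSS(rand.Reader, cardholder, crypto.SHA256, pomd(hOI, hPI), nil)
	if err != nil {
		return nil, err
	}
	return &DualSignature{hOI, hPI, sig}, nil
}

// MerchantVerify: the merchant has OI in clear and only H(PI), yet can check
// that the signature covers this order and some payment instruction.
func MerchantVerify(cardholder *rsa.PublicKey, oi []byte, ds *DualSignature) bool {
	return rsa.VerifyPSS(cardholder, crypto.SHA256, pomd(digest(oi), ds.PIDigest), ds.Sig, nil) == nil
}

// GatewayVerify: the gateway has PI in clear and only H(OI), yet can check that
// the signature covers this payment instruction and the order the merchant saw.
func GatewayVerify(cardholder *rsa.PublicKey, pi []byte, ds *DualSignature) bool {
	return rsa.VerifyPSS(cardholder, crypto.SHA256, pomd(ds.OIDigest, digest(pi)), ds.Sig, nil) == nil
}

// DemoDualSignature signs a constructed OI/PI pair, verifies it from both
// viewpoints, then shows that an altered order (a merchant inflating the
// quantity) and an altered amount (a gateway or merchant changing the charge)
// both fail verification.
func DemoDualSignature() (merchantOK, gatewayOK, alteredOrderOK, alteredPaymentOK bool, err error) {
	cardholder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample data; 4111... is the well-known test card number.
	oi := []byte(`{"order":"1001","items":"2 x widget","total":"40.00 USD"}`)
	pi := []byte(`{"pan":"4111111111111111","exp":"12/99","amount":"40.00 USD","order":"1001"}`)
	ds, err := DualSign(cardholder, oi, pi)
	if err != nil {
		return
	}
	pub := &cardholder.PublicKey
	merchantOK = MerchantVerify(pub, oi, ds)
	gatewayOK = GatewayVerify(pub, pi, ds)
	alteredOrderOK = MerchantVerify(pub, []byte(`{"order":"1001","items":"20 x widget","total":"400.00 USD"}`), ds)
	alteredPaymentOK = GatewayVerify(pub, []byte(`{"pan":"4111111111111111","exp":"12/99","amount":"400.00 USD","order":"1001"}`), ds)
	return
}

func main() { fmt.Println(DemoDualSignature()) }
```

Because H(OI) is bound into the signature the gateway sees, the gateway can also confirm that the payment instruction it is asked to authorize belongs to the same order the merchant is fulfilling, which is what lets SET keep the card number away from the merchant and the shopping cart away from the bank at the same time.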
-
Slide 21/36: An Architecture of Electronic Fund Transfer on the Internet (figure)
Figure labels recovered: Payer -> Internet -> Cyber Bank with Payment Gateway -> Bank -> VAN (value-added network) -> Automated Clearinghouse -> VAN -> Bank -> Cyber Bank with Payment Gateway -> Internet -> Payee.
-
Slide 22/36: Electronic Cash
- A delivery vehicle for cash in electronic form
- Mondex and VisaCash applied this approach
- Either anonymous or onymous (tied to an identified holder)
- CyberCash commercialized a debit card named CyberCoin as a medium for micropayments on the Internet
-
Slide 23/36: Electronic Fund Transfer (EFT)
- EFT is an EDI used for financial transactions; EDI (electronic data interchange) is a standardized way of exchanging messages between businesses
- EFT can be implemented using a Financial EDI system
- Safe Financial EDI needs to adopt a security scheme such as the one used by the SSL protocol
- An extranet encrypts the packets exchanged between senders and receivers using public key cryptography
-
Slide 24/36: Smart Cards
- The concept of e-cash applied in the non-Internet environment
- Plastic cards with magnetic stripes (old technology)
- Include IC chips with programmable functions, which is what makes the cards "smart"
- One e-cash card per application
- Recharge the card only at designated locations, such as a bank office or a kiosk; in future, recharge at your PC
- e.g. Mondex, VisaCash
-
Slide 25/36: Shopping with Mondex
- Adding money to the card
- Payments in a new era of electronic shopping
- Paying on the Internet
-
Slide 26/36: DigiCash
- The analogy of paper money or coins
- Expensive, as each payment transaction must be reported to the bank and recorded
- Conflict with the central banks' role in bill issuance
- Legally,
-
Slide 27/36: Stored Value Cards
- No issuance of money: a delivery vehicle for cash in electronic form
- Either anonymous or onymous
- Advantage of an anonymous card: the card may be given from one person to another
- Also implemented on the Internet without the use of an IC card
-
Slide 28/36: Smart-card-based e-cash
- Can be recharged at home through the Internet
- Can be used on the Internet as well as in a non-Internet environment
Ceiling on stored values:
- To prevent the abuse of stored values for money laundering
- S$500 in Singapore; HK$3,000 in Hong Kong
Multiple currencies:
- Can be used for cross-border payments
-
Slide 29/36: Proximity Card
- Used to access buildings and to pay on buses and other transportation systems
- Bus, subway and toll card in many cities
Amplified Remote Sensing Card:
- Good for a range of up to 100 feet, and can be used for tolling moving vehicles at gates
- Pay a toll without stopping, e.g. on a highway
-
Slide 30/36: Procedure of the Financial Services Technology Consortium (FSTC) Prototype (figure)
Figure labels recovered. Payer: Invoice; Check, Signature and Remittance with the payer's Certificate in a Secure Envelope; Signature (Card) at the Workstation. Transport: E-Mail, WWW. Payee: Endorsement and Certificate in a Secure Envelope; Signature (Card) at the Workstation; Account Receivable; Deposit check. Payee's Bank: Credit account. Payer's Bank: Debit account; Mail statement with the E-Check line item. Between the banks: Clear check.
-
Slide 31/36: Electronic Checkbook
- Counterpart of the electronic wallet
- To be integrated with the accounting information system of business buyers and with the payment server of sellers
- To save the electronic invoice and the receipt of payment on the buyer's and seller's computers for future retrieval
- Example: SafeCheck
- Used mainly in B2B
-
Slide 32/36: The Architecture of SafeCheck (figure; Prentice Hall, 2000)
Figure labels recovered: Payer with the Payer's checkbook agent; Payee with the Payee's check-receipt agent; control agent of the payer's bank and control agent of the payee's bank; payer's bank and payee's bank; the Internet between them. Flows: Checkbook; Request of screening check issuance; screened result; Issue a check; Receipt; present; report; clearing.
-
Slide 33/36
Two potential consolidations:
- The on-line electronic check is merging with EFT
- The electronic check with a designated settlement date is merging with electronic credit cards
Security First Network Bank (SFNB):
- First cyberbank
- Lower service charges to challenge the service fees of traditional banks
Visa:
- VisaCash is a debit card
- ePay is an EFT service
-
Slide 34/36
- An onymous card is necessary to keep the certificates for credit cards, EFT, and electronic checkbooks
- The stored value in an IC card can be delivered in an anonymous mode
- Malaysia's Multimedia Super Corridor project pursues a One-Card system
- The Relationship Card by Visa is also attempting a one-card system
-
Slide 35/36: Online banking security tips (Bank of America)
- Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
- Don't walk away from your computer if you are in the middle of a session.
- Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
- If anyone else is likely to use your computer, clear your cache or turn off and re-initiate your browser in order to eliminate copies of Web pages that have been stored on your hard drive.
- Bank of America strongly recommends that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.
-
Slide 36/36: Managerial Issues
- Security solution providers can cultivate the opportunity of providing solutions for secure electronic payment systems
- Electronic payment system solution providers can offer various types of electronic payment systems to electronic stores and banks
- Electronic stores should select an appropriate set of electronic payment systems
- Banks need to develop cyberbank services compatible with the various electronic payment systems
- Credit card brand companies need to develop an EC standard like SET, and watch its acceptance by customers
- Smart card brands should develop a business model in cooperation with application sectors and banks
- Certificate authorities need to identify the types of certificate to provide