e commerce unit 2

Electronic Payment Systems. E-Com Unit – II. By: Akhil Kaushik, Assistant Professor, T.I.T&S Bhiwani

Upload: akhil-kaushik

Post on 06-Aug-2015


TRANSCRIPT

Page 1: E commerce unit 2

Electronic Payment Systems

E-Com Unit – II

By: Akhil Kaushik, Assistant Professor, T.I.T&S Bhiwani

Page 2: E commerce unit 2

Electronic Payment Systems

E-Com Unit – II

Page 3: E commerce unit 2

E-Transactions

• E-Transactions are any form of data transaction, including financial and knowledge management. This is a broad category that may include applications, without limitation, for example: e-billing, e-funds transfer, e-settlements, e-payments, e-inventory management, e-enquiry and response systems, e-identification management and security services, e-monitoring and control systems, and e-sourcing.

Page 4: E commerce unit 2

• A transactional unit of work is one in which the following four fundamental transactional properties are satisfied: atomicity, consistency, isolation, and durability (ACID). These are discussed below:

• Atomicity
• Consistency
• Isolation
• Durability

Page 5: E commerce unit 2

Transaction processing

• In computer science, transaction processing is information processing that is divided into individual, indivisible operations, called transactions. Each transaction must succeed or fail as a complete unit; it cannot remain in an intermediate state. A transaction must also receive an acknowledgment as the necessary feedback that it has been accomplished.

Page 6: E commerce unit 2

Basic principles of all transaction-processing systems

• Rollback Transaction
• Rollforward
• Deadlocks
• Compensating transaction

Page 7: E commerce unit 2

Transaction processing has these benefits:

• It allows sharing of computer resources among many users.

• It shifts the time of job processing to when the computing resources are less busy.

• It avoids idling the computing resources without minute-by-minute human interaction and supervision.

Page 8: E commerce unit 2

Updating Traditional Transactions

• Cash
• Credit Card
• Personal Cheques (or Checks)
• Bank Checks
• Debit Cards
• Money Orders
• Traveler’s Cheques
• Tokens

Page 9: E commerce unit 2

Secure Online Transaction Models

• This module looks at the models that can be employed for secure online transactions. An organization may outsource to or contract with third-party organizations such as electronic mail operators, Internet Service Providers (ISPs), etc. to manage servers, e-mail orders, the website, etc., or may operate secure online transaction models itself.


Page 11: E commerce unit 2

Steps needed for Secure Online Transaction Models

• Secure Web Servers
• Secure Server Purchasing
• Secure Server Selling
• Required Hardware & Software
• Electronic Malls

Page 12: E commerce unit 2

Online Commercial Environment

• E-com organizations must provide an online commercial environment for their clients. They must engineer and implement a technique through which users can browse their products online, purchase them and, in the case of digital products, have them delivered at the same time.

Page 13: E commerce unit 2

The merchant’s website should be able to collect some information about the customer like:

• Product delivery timings and address
• Transaction settlement
• Account activity reports
• Confirmations
• Order status reports
• Gathering of marketing information for future needs

Page 14: E commerce unit 2

Digital Currencies & Payment Systems

Digital currencies & payment systems are intended to carry value in a protected digital form over the internet. They are actually a way of exchanging value for any product or service.

Page 15: E commerce unit 2

There are basically 2 types of approaches provided:

• One way is to link the customer payment method (credit card, checking account, etc.) to an online identity that is managed by the service provider. It is the responsibility of the third party to validate the transactions by authenticating the payee including his payment techniques (checking credit card authenticity, amount in card, etc.).

• Another way is to open an account with a financial institution offering digital currency service. The client’s software is used to withdraw money from the account, check on balances, and maintain the ‘digital wallet’, which holds the digital value for a customer. The cash is exchanged by the use of encryption techniques and digital signatures.

Page 16: E commerce unit 2

Electronic Funds Transfer (EFT)

• Electronic Funds Transfer (EFT) is defined as the “transfer of funds initiated through an electronic terminal like telephone, computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit account”.

Page 17: E commerce unit 2

The transfer is information-based & intangible. EFT can be categorized into three categories:

• Banking & financial payments: Large scale or wholesale payments (bank-to-bank transfer), small scale payments like ATMs, home banking like bill payments, etc.

• Retailing payments: Credit cards (Visa or MasterCard), debit cards, charge cards like American Express.

• Online e-com payments: Token based payment systems (digicash, e-checks, etc.).

Page 18: E commerce unit 2

Offline Secure Processing

Most of the e-com applications use online payment processing and employ various cryptographic techniques for securing data transfer from one end to another. Cryptography enables real-time transfer of funds online. However, some developers and entrepreneurs suggest that the benefit of securing the data is actually outweighed by the cost involved in implementation.

Page 19: E commerce unit 2

The costs involved in encryption implementation are as follows:

• License fees for patented certification facilities.

• Creation & distribution of new internet browsers & servers.

• Maintenance of public key certification facilities.

• Increased computational overhead for business transactions.

• Issues in using strong cryptography outside U.S.A.

Page 20: E commerce unit 2

Private Data Networks

• The Internet is an open network where security is minimal; hence many bigger companies are afraid of using the Internet for mission-critical business operations. However, they still want to be connected to the global world to avoid being set apart from the world economic map.

Page 21: E commerce unit 2

Requirement of Private Data Networks

A solution for these companies is the use of ‘Private Data Networks’ to pass the data to & through the Internet. Companies like CompuServe, Advantis, AT&T, BBN Planet, etc. have offered private data networks for companies that are looking for a large network but do not want to build such a large network. Hence, they just pay these companies to use the private data network to get connected. The distribution company will employ all the required security parameters like firewalls, secure browsers and e-com web servers for other organizations and will charge monthly fees or transaction fees from them.

Page 22: E commerce unit 2

Security Protocols

• There are two main security protocols, HTTPS and SSL, for secure transfer of funds online. I will describe both one by one. However, these days there is a new protocol based on SSL known as Transport Layer Security (TLS), also developed by Netscape.

Page 23: E commerce unit 2

Secure Sockets Layer (SSL):

• SSL comes in two options, simple and mutual. The mutual version is more secure, but requires the user to install a personal certificate in their browser in order to authenticate them. Whatever strategy is used (simple or mutual), the level of protection strongly depends on the correctness of the implementation of the web browser and the server software and the actual cryptographic algorithms supported.

Page 24: E commerce unit 2

Transport Layer Security (TLS)

• TLS is a cryptographic protocol that provides communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

Page 25: E commerce unit 2

Applications of TLS

• In applications design, TLS is usually implemented on top of any of the Transport Layer protocols, encapsulating the application-specific protocols such as HTTP, FTP, SMTP, NNTP and XMPP.

Page 26: E commerce unit 2

Security: TLS has a variety of security measures:

• Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.

• Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs).

• Using a message digest enhanced with a key (so only a key-holder can check the MAC).

• The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by both parties.
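The sequence-number and keyed-digest measures listed above can be seen working together in the following added example, which is not part of the original slides. It is a simplified model of the TLS 1.2 record MAC (HMAC over sequence number, type, version, length and payload) with encryption left out; the class name, key and messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

class RecordMAC:
    """One direction of a MAC-protected record stream (no encryption, for clarity)."""

    def __init__(self, mac_key: bytes):
        self.key = mac_key
        self.seq = 0  # implicit 64-bit counter; never sent on the wire

    def _mac(self, seq: int, ctype: int, version: int, data: bytes) -> bytes:
        # MAC input: seq_num || type || version || length || fragment
        header = struct.pack("!QBHH", seq, ctype, version, len(data))
        return hmac.new(self.key, header + data, hashlib.sha256).digest()

    def protect(self, ctype: int, data: bytes, version: int = 0x0303) -> bytes:
        tag = self._mac(self.seq, ctype, version, data)
        self.seq += 1
        return struct.pack("!BHH", ctype, version, len(data)) + data + tag

    def verify(self, record: bytes) -> bytes:
        ctype, version, length = struct.unpack("!BHH", record[:5])
        data, tag = record[5:5 + length], record[5 + length:]
        expected = self._mac(self.seq, ctype, version, data)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")  # real TLS aborts the connection here
        self.seq += 1
        return data

def demo() -> dict:
    key = b"constructed-demo-key-not-secret!"  # constructed sample key
    sender, receiver = RecordMAC(key), RecordMAC(key)
    r0 = sender.protect(23, b"PAY 100 to merchant")  # 23 = application data
    r1 = sender.protect(23, b"order confirmed")
    results = {"in_order": receiver.verify(r0)}
    tampered = r1[:-33] + b"X" + r1[-32:]  # overwrite last payload byte, keep the tag
    for name, rec in (("replay", r0), ("tampered", tampered)):
        try:
            receiver.verify(rec)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    results["next"] = receiver.verify(r1)  # the genuine next record still verifies
    return results

if __name__ == "__main__":
    print(demo())
```

Because the counter is part of the MAC input but never transmitted, a record that is replayed, dropped or reordered fails verification even though its bytes are untouched.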

Page 27: E commerce unit 2

Hypertext Transfer Protocol Secure (HTTPS)

• HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.

Page 28: E commerce unit 2

Main ideas of HTTPS

• The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

Page 29: E commerce unit 2

T H A N K S