
E-commerce Payment

Payment methods
• Alternative payment methods such as PayPal continue to make
inroads into traditional payment methods.
• Mobile payments are also expected to grow significantly.
• However, none of these alternative payment methods have become
substitutes for bank and credit cards; instead they provide consumers
with alternative methods of accessing their existing bank and credit
accounts.
International payment methods
• If you plan on operating an e-commerce site in Europe, Asia, or Latin
America, you will need to develop different payment systems for each
region.
• For instance, in Denmark, Norway, and Finland payment is primarily
with debit or credit cards, while in Sweden payment after being
tendered an invoice and by bank transfer are very popular in addition
to credit/debit cards.
• In the Netherlands, the online payments service iDEAL is the most
popular retail e-commerce payment method.
International payment methods
• In Italy, consumers rely heavily on both credit cards and PayPal.
• In Japan, although credit card is the primary payment method, many
consumers still pick up and pay for goods using cash at local
convenience stores (konbini) (eMarketer, Inc., 2015).
Online card payment
• Online credit card transactions are processed in much the same way
as in-store purchases are, with the major differences being that
online merchants never see the actual card being used, no card
impression is taken, and no signature is available.
• These types of purchases are also called Cardholder Not Present
(CNP) transactions and are the major reason that charges can be
disputed later by consumers.
Bank accounts
• There are five parties involved in an online credit card purchase:
consumer, merchant, clearinghouse, merchant bank (sometimes
called the “acquiring bank”), and the consumer’s card issuing bank.
• In order to accept payments by credit card, online merchants must
have a merchant account established with a bank or financial
institution.
• A merchant account is simply a bank account that allows companies
to process credit card payments and receive funds from those
transactions.
Online transaction
• As shown in Figure 5.14, an online credit card transaction begins with a
purchase (1). When a consumer wants to make a purchase, he or she adds
the item to the merchant’s shopping cart. When the consumer wants to pay
for the items in the shopping cart, a secure tunnel through the Internet
is created using SSL/TLS.
• Using encryption, SSL/TLS secures the session during which credit card
information will be sent to the merchant and protects the information from
interlopers on the Internet (2).
• SSL does not authenticate either the merchant or the consumer.
• The transacting parties have to trust one another.
Online transaction
• Once the consumer credit card information is received by the merchant,
the merchant software contacts a clearinghouse (3).
• As previously noted, a clearinghouse is a financial intermediary that
authenticates credit cards and verifies account balances.
• The clearinghouse contacts the issuing bank to verify the account
information (4).
• Once verified, the issuing bank credits the account of the merchant at
the merchant’s bank (usually this occurs at night in a batch process) (5).
• The debit to the consumer account is transmitted to the consumer in a
monthly statement (6).
PCI-DSS Compliance
• The PCI-DSS (Payment Card Industry-Data Security Standard) is a data
security standard instituted by the five major credit card companies
(Visa, MasterCard, American Express, Discover, and JCB).
• PCI-DSS is not a law or governmental regulation, but an
industry-mandated standard.
• Every online merchant must comply with the appropriate level of
PCI-DSS in order to accept credit card payments.
• Those that fail to comply and are involved in a credit card breach may
ultimately be subjected to fines and other expenses.
Levels of standard
• Level 1, the strictest level, applies to very large merchants that
process more than 6 million transactions a year.
• Level 2 applies to those who process between 1 million and 6 million.
• Level 3 applies to organizations that process between 20,000 and 1
million transactions.
• Level 4 applies to smaller merchants that process less than 20,000
transactions.
Objectives
• PCI-DSS has six major control objectives:
• (a) build and maintain a secure network,
• (b) protect cardholder data,
• (c) maintain a vulnerability management program,
• (d) implement strong access control measures,
• (e) regularly test and monitor networks, and
• (f) maintain an information security policy.
• Each of these six broad control objectives has further specific
requirements that must be met.
Encryption
• Encryption is the process of transforming plain text or data into cipher
text that cannot be read by anyone other than the sender and the
receiver.
• The purpose of encryption is:
• (a) to secure stored information, and
• (b) to secure information transmission.
Encryption
• Encryption can provide four of the six key dimensions of e-commerce
security:
• Message integrity—provides assurance that the message has not been altered.
• Nonrepudiation—prevents the user from denying he or she sent the message.
• Authentication—provides verification of the identity of the person (or
computer) sending the message.
• Confidentiality—gives assurance that the message was not read by others.
Encryption
• A key (or cipher) is any method for transforming plain text to cipher text.
• In a substitution cipher, every occurrence of a given letter is replaced
systematically by another letter. For instance, if we used the cipher “letter
plus two”—meaning replace every letter in a word with a new letter two
places forward—then the word “Hello” in plain text would be transformed
into the following cipher text: “JGNNQ.”
• In a transposition cipher, the ordering of the letters in each word is changed
in some systematic way.
• Leonardo Da Vinci recorded his shop notes in reverse order, making them
readable only with a mirror.
• The word “Hello” can be written backwards as “OLLEH.”
Symmetric Key Cryptography
• In order to decipher (decrypt) these messages, the receiver would
have to know the secret cipher that was used to encrypt the plain
text.
• This is called symmetric key cryptography or secret key cryptography.
• In symmetric key cryptography, both the sender and the receiver use
the same key to encrypt and decrypt the message.
• How do the sender and the receiver have the same key? They have to
send it over some communication media or exchange the key in
person.
Symmetric Key Cryptography
• Symmetric key cryptography was used extensively throughout World
War II and is still a part of Internet cryptography.
• The possibilities for simple substitution and transposition ciphers are
endless, but they all suffer from common flaws.
• First, in the digital age, computers are so powerful and fast that these
ancient means of encryption can be broken quickly.
• Second, symmetric key cryptography requires that both parties share
the same key. In order to share the same key, they must send the key
over a presumably insecure medium where it could be stolen and
used to decipher messages.
Symmetric Key Cryptography
• If the secret key is lost or stolen, the entire encryption system fails.
• Third, in commercial use, where we are not all part of the same team,
you would need a secret key for each of the parties with whom you
transacted, that is, one key for the bank, another for the department
store, and another for the government.
• In a large population of users, this could result in as many as n(n–1)
keys. In a population of millions of Internet users, thousands of
millions of keys would be needed to accommodate all e-commerce
customers (estimated at about 177 million in the United States).
• Potentially, 177² million different keys would be needed.
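As an added example (not from the slides), the “letter plus two” substitution cipher and the reversal transposition cipher described earlier, written in Python, together with a search over all 26 possible shifts that shows why such ciphers are broken quickly by a computer. The crib-based search and the sample message are constructed for this example.

```python
import string

ALPHABET = string.ascii_uppercase

# Added example, not from the slides: the "letter plus two" substitution cipher,
# the reversal transposition cipher, and a search over every possible shift.
def shift_encrypt(plain_text, shift):
    """Substitution cipher: replace each letter by the one `shift` places forward."""
    out = []
    for ch in plain_text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)              # spaces and punctuation pass through unchanged
    return "".join(out)

def shift_decrypt(cipher_text, shift):
    """The receiver must know the same secret shift: symmetric (secret) key cryptography."""
    return shift_encrypt(cipher_text, -shift)

def transpose_encrypt(plain_text):
    """Transposition cipher: keep the letters, change their order (mirror writing)."""
    return plain_text.upper()[::-1]

def break_shift_cipher(cipher_text, crib):
    """There are only 26 keys, so a computer simply tries them all; the first
    decryption containing the expected word (the crib) reveals the shift, else None."""
    for shift in range(26):
        if crib.upper() in shift_decrypt(cipher_text, shift):
            return shift
    return None

if __name__ == "__main__":
    print(shift_encrypt("Hello", 2))                  # JGNNQ
    print(transpose_encrypt("Hello"))                 # OLLEH
    secret = shift_encrypt("Meet at the bank", 5)     # constructed message: RJJY FY YMJ GFSP
    print(break_shift_cipher(secret, "bank"))         # 5
```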
Class study
Modern encryption systems are digital. The ciphers or keys used to
transform plain text into cipher text are digital strings. Computers store
text or other data as binary strings composed of 0s and 1s. For
instance, the binary representation of the capital letter “A” in ASCII
computer code is accomplished with eight binary digits (bits):
01000001. One way in which digital strings can be transformed into
cipher text is by multiplying each letter by another binary number, say,
an eight-bit key number 0101 0101. If we multiplied every digital
character in our text messages by this eight-bit key and sent the
encrypted message to a friend along with the secret eight-bit key, the
friend could decode the message easily.
Public Key Cryptography
• The mathematical algorithms used to produce the keys are one-way
functions.
• A one-way irreversible mathematical function is one in which, once
the algorithm is applied, the input cannot be subsequently derived
from the output.
• Most food recipes are like this. For instance, it is easy to make
scrambled eggs, but impossible to retrieve whole eggs from the
scrambled eggs.
Public key Cryptography
• Public key cryptography is based on the idea of irreversible
mathematical functions.
• The keys are sufficiently long (128, 256, and 512 bits) that it would
take enormous computing power to derive one key from the other
using the largest and fastest computers available.
Public key Cryptography
• There is no guarantee the sender really is the sender; that is, there is
no authentication of the sender.
• This means the sender could deny ever sending the message
(repudiation).
• And there is no assurance the message was not altered somehow in
transit. For example, the message “Buy Cisco @ $16” could have been
accidentally or intentionally altered to read “Sell Cisco @ $16.”
Public key Cryptography
• A hash function is an algorithm that produces a fixed-length number
called a hash or message digest.
• A hash function can be simple, and count the number of digital 1s in a
message, or it can be more complex, and produce a 128-bit number
that reflects the number of 0s and 1s.
Public key Cryptography: digital signature
• One more step is required.
• To ensure the authenticity of the message and to ensure
nonrepudiation, the sender encrypts the entire block of cipher text
one more time using the sender’s private key.
• This produces a digital signature (also called an e-signature) or
“signed” cipher text that can be sent over the Internet.
Public key with digital signature
Digital Envelopes
• Public key cryptography is computationally slow. If one used 128- or
256-bit keys to encode large documents—such as this chapter or the
entire book—significant declines in transmission speeds and increases
in processing time would occur.
• One solution is to use the more efficient symmetric encryption and
decryption for large documents, but public key cryptography to
encrypt and send the symmetric key.
• This technique is called using a digital envelope.
Digital Envelopes
• A diplomatic document is encrypted using a symmetric key. The
symmetric key—which the recipient will require to decrypt the
document—is itself encrypted, using the recipient’s public key. So we
have a “key within a key” (a digital envelope). The encrypted report
and the digital envelope are sent across the Web.
• The recipient first uses his/her private key to decrypt the symmetric
key, and then the recipient uses the symmetric key to decrypt the
report.
• This method saves time because both encryption and decryption are
faster with symmetric keys.
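The digital signature slide and the digital envelope slides above, carried through in one added Python example that is not part of the original deck. It assumes a toy RSA with tiny primes and a toy XOR stream cipher keyed from SHA-256 (both chosen so the arithmetic stays visible; neither is secure), and it signs a digest of the cipher text, as real systems do, rather than re-encrypting the whole block; the message “Buy Cisco @ $16” and the key values are constructed.

```python
import hashlib
from math import gcd

# Added example, not from the slides. Toy RSA with tiny primes keeps the arithmetic
# visible; it is NOT secure. Real systems use 2048-bit keys and a vetted library.
def rsa_keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, n), (pow(e, -1, phi), n)          # (public key, private key)

def rsa_apply(key, value):
    """Modular exponentiation: one operation serves encrypt, decrypt, sign and verify."""
    exp, n = key
    return pow(value, exp, n)

def digest(data, n):
    """Fixed-length message digest, reduced mod n only so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sym_crypt(key, data):
    """Toy symmetric stream cipher: XOR with a SHA-256 keystream derived from the key."""
    stream = b"".join(hashlib.sha256(key.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))  # the same call decrypts

def seal(document, sym_key, recipient_pub, sender_priv):
    """Sender: symmetric-encrypt the document, envelope the key, sign the cipher text."""
    ciphertext = sym_crypt(sym_key, document)
    envelope = rsa_apply(recipient_pub, sym_key)           # the "key within a key"
    signature = rsa_apply(sender_priv, digest(ciphertext, sender_priv[1]))
    return ciphertext, envelope, signature

def open_envelope(ciphertext, envelope, signature, recipient_priv, sender_pub):
    """Recipient: check the signature, unlock the symmetric key, then decrypt the document."""
    authentic = rsa_apply(sender_pub, signature) == digest(ciphertext, sender_pub[1])
    sym_key = rsa_apply(recipient_priv, envelope)
    return sym_crypt(sym_key, ciphertext), authentic

def demo(tamper=False):
    recipient_pub, recipient_priv = rsa_keygen(61, 53, 17)    # n = 3233
    sender_pub, sender_priv = rsa_keygen(101, 103, 7)         # n = 10403
    report = b"Buy Cisco @ $16"                               # constructed sample message
    ciphertext, envelope, signature = seal(report, 1234, recipient_pub, sender_priv)
    if tamper:                          # an interloper flips one bit in transit
        ciphertext = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return open_envelope(ciphertext, envelope, signature, recipient_priv, sender_pub)

if __name__ == "__main__":
    print(demo())              # (b'Buy Cisco @ $16', True)
    print(demo(tamper=True))   # (b'Cuy Cisco @ $16', False)
```

The tampered run shows the integrity check from the signature slide: the altered cipher text still decrypts, but to a different message, and the signature no longer verifies.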