Electronic Payment
Systems
Presented by
Rufus Knight
Veronica Ogle
Chris Sullivan
As eCommerce grows, so does our
need to understand current
methods of Electronic Payment
Systems.
Outline
•
•
•
•
•
•
Introduction to Project
Electronic Cash Presentation
Electronic Checks Presentation
Credit Card Payments Presentation
Conclusion
Questions
Introduction
• Our Group has:
– Created a web site on three types of
electronic payment systems
• Electronic Cash
• Electronic Checks
• Credit Card Payments
– Focused on Security Issues, Protocols,
and Real World Implementations of
each Method
eCash
Currency & Micropayments
eCash
• What is eCash?
– A class of technologies that provide an
analog of cash represented in
electronic form.
– Replicates properties of real cash
(anonymity, low transaction cost, etc).
– Can be spent or given away.
– Quick and easy on line transactions.
– Implemented with smart cards or just
software.
eCash Transaction
Model
• eCash Model
eCash
• What are Micropayments?
– Small valued transactions (.10 - $10)
– Suitable for the sale of non-tangible
goods over the Internet.
– Imposes requirements on speed and
cost of processing of the payments.
– Delivery occurs nearly instantaneously
on the Internet, and often in arbitrarily
small pieces.
– Need for security is reduced.
Micropayment
Transaction Model
• Micropayment Model
eCash Security
• Public Key Cryptography
• Coins
– 2 pairs of integers (serial number,
calculated value -> (a, f(a)) )
• a -> serial number
• f -> one-way hash function
– E.g Bank uses RSA algorithm and its
private key to sign a.
eCash
• Blinding (ensures privacy)
–
–
–
–
r -> blinding factor
Person sends f(a)r to Bank
Bank signs and returns
Person divides it with r
• The Bank does not know r so it can’t
trace identity of the coin when it is
cashed later
eCash
• Example Systems:
– DigiCash (software-based)
– Mondex (card-based)
– NetBill (micropayments)
eChecks
Credit-Debit System
Electronic Checks
(eChecks)
• Designed to perform the payment and
other financial functions of paper checks
by using cryptographic signatures and
secure messaging over the Internet
• Based on the idea that electronic
documents can be substituted for paper,
and that public key cryptographic
signatures can be substituted for
handwritten signatures
eChecks (cont.)
eChecks (cont.)
• Three aspects faced in order for
eCheck transactions to take place:
– Private key possession and control -- The
signature verifier must believe that the signer has
exclusive possession of his signing key
• The electronic checkbook, in the form of a PINactivated tamper-resistant smart card or similar
cryptographic hardware, performs a signing
algorithm so that the private signing key is
always kept inside the trusted hardware and is
never read into the signer's networked personal
computer or server
eChecks (cont.)
• The electronic checkbook is aware of echeck
syntax and logs critical data from echecks to
provide the signer with a trusted log of
signing actions
– Key pair generation -- The signature verifier
must believe that the private/public key pair was
generated such that the private key cannot be
guessed by an attacker based on knowledge of
the public key
• The electronic checkbook performs key
generation within the tamper-resistant
hardware using algorithms that have been
properly tested and certified by the
manufacturer
eChecks (cont.)
• Only the public key is exported from the hardware,
and the private key is never revealed to anyone
– Public key infrastructure -- The signature verifier
must be able to trust that the public key provided for use
in verifying the signature really belongs to the signer and
is the other half of the signer's public key pair
• The public key exported from the card is included in
a certificate signed by the bank's Certification
Authority
• The bank echeck servers keep an independent
database of the bank’s signers’ public keys so that
they always know the most current relationships of
keys to accounts and signers
eChecks (cont.)
• Areas of fraud and how eChecks prevent
them:
– Duplicate detection
• Each echeck is guaranteed to be unique by the
operations of the electronic checkbook
• The payee and payee's bank detect and refuse
duplicate submissions of echecks
• The payer's bank detects duplicates and pays only
one instance of an echeck
• Prevents multiple payments due to innocent
retransmissions of email and prevents a payee from
cashing and depositing an echeck in two different
accounts
eChecks (cont.)
– Payee identification
• Echecks can be made out to the
payee's bank routing code and either
an account or customer ID number
• Also can be made out to the payee's
public key
• These parameters uniquely identify
the payee and prevent an
eavesdropper from exploiting the
ambiguity of payee identification,
which otherwise exists if only payee
common names are used
eChecks (cont.)
– Electronic account numbers
• The account number of the echeck is a
randomly chosen number assigned by the
bank for the purpose of writing and
depositing
• The payer's and depositor's echeck account
numbers are mapped to their paper check
account numbers by their respective banks
• The banks will not accept paper checks or
drafts written against the echeck account
numbers
• This prevents an eavesdropper or corrupt
payee from printing and passing paper checks
or drafts against the account numbers
eChecks (cont.)
– Cryptographically attached invoices
• Invoices can be sent to detail the purpose of
the payment, and can be signed by the
echeck signature binding them to the echeck
and ensuring their authenticity and integrity
• This prevents an attacker from intercepting
an echeck and purchase order, changing the
delivery address in the order, and forwarding
the echeck and altered order to the merchant
Credit Cards
Secure Presentation
Electronic Credit Card
Payments
• Secure Electronic Transaction (SET)
• Credit Card Transactions
• Check Sum Algorithm
Secure Electronic
Transaction (SET)
• Protocol for sending financial
information over the Internet.
• Provides secure transmission
• Allows for party authentication
• Provides integrity for the payment
messages
Credit Card
Transactions
1. The consumer supplies the credit card
to the merchant.
2. The merchant seeks card authorization
from the merchant's bank.
3. The merchant's bank then seeks
authorization from the consumer's bank.
4. The consumer's bank responds to the
merchant's bank.
5. The merchant's bank notifies the
merchant that the transaction has been
approved.
Credit Card
Transactions (cont.)
1.
2.
3.
4.
5.
The merchant finalizes the transaction.
The merchant sends a batch of charges to the
merchant's bank.
The merchant's bank then sends each
settlement request to the appropriate
consumer bank
The consumer bank receives each settlement
request and debits the consumer's account.
The merchant's bank credits the merchant's
account and withdraws the credit amount from
the consumer's bank.
Check Sum Algorithm
•
•
•
•
•
•
•
Assumes the credit card number 3728 024906 54059
The number is 15 digits long and thus odd and therefore
has a numerical weight of one
Compute the check digit by:
3, 14, 2, 16, 0, 4, 4, 18, 13, 5, 0, 8, 10, 9
Subtract 9 from every value greater than nine:
3, 5, 2, 7, 0, 4, 4, 9, 0, 3, 5, 8, 0, 1, 9
Add these numbers:
60
The check should equal zero
60 mod 10 = 0
Conclusion
• Electronic money is a more viable
means of making payments.
• These payment methods offer
privacy, convenience, and security
• There are a wide variety of
electronic payment systems
available.
• The consumer must find the system
that best suites their needs
Questions
???