Unit 7 : Electronic Payment Systems

By Dr. Surendra Malviya

04/24/23 1
 E-payment systems
• To transfer money over the Internet
• Methods of traditional payment
– Check, credit card, or cash
• Methods of electronic payment
– Electronic cash, software wallets, smart cards, and
credit/debit cards
– Scrip is digital cash minted by third-party organizations

04/24/23 2
 Requirements for e-payments
• Atomicity
– Money is not lost or created during a transfer
• Good atomicity
– Money and good are exchanged atomically
• Non-repudiation
– No party can deny its role in the transaction
– Digital signatures

04/24/23 3
 Desirable Properties of Digital Money

• Universally accepted
• Transferable electronically
• Divisible
• Non-forgeable, non-stealable
• Private (no one except parties know the amount)
• Anonymous (no one can identify the payer)
• Work off-line (no on-line verification needed)

No known system satisfies all.

04/24/23 4
 Advantages and Disadvantages of
Electronic Cash
• Advantages
– More efficient, eventually meaning lower prices
– Lower transaction costs
– Anybody can use it, unlike credit cards, and does not
require special authorization
• Disadvantages
– Tax trail non-existent, like regular cash
– Money laundering
– Susceptible to forgery

04/24/23 5
 Types of E-payments
• E-cash
• Electronic wallets
• Smart card
• Credit card
• NEFT
• RTGS

04/24/23 6
 Electronic Cash

• Primary advantage is with purchase of items less

than $10
– Credit card transaction fees make small purchases
unprofitable
– Micropayments
o Payments for items costing less than $1

04/24/23 7
 E-cash Concept
Merchant
1. Consumer buys e-cash from Bank
2. Bank sends e-cash bits to consumer (after
5 charging that amount plus fee)
3. Consumer sends e-cash to merchant
4
4. Merchant checks with Bank that e-cash
Bank 3 is valid (check for forgery or fraud)
5. Bank verifies that e-cash is valid
6. Parties complete transaction: e.g., merchant
2 present e-cash to issuing back for deposit
1 once goods or services are delivered

Consumer still has (invalid) e-cash

Consumer

04/24/23 8
 Electronic Cash Issues
• E-cash must allow spending only once
• Must be anonymous, just like regular currency
– Safeguards must be in place to prevent counterfeiting
– Must be independent and freely transferable regardless
of nationality or storage mechanism
• Divisibility and Convenience
• Complex transaction (checking with Bank)
– Atomicity problem

04/24/23 9
 Two storage methods
• On-line
– Individual does not have possession personally of
electronic cash
– Trusted third party, e.g. online bank, holds customers’
cash accounts
• Off-line
– Customer holds cash on smart card or software wallet
– Fraud and double spending require tamper-proof
encryption

04/24/23 10
 NEFT and RTGS

• NEFT : National Electronic Funds Transfer (NEFT) is a nation-wide system that facilitates
individuals, firms and corporates to electronically transfer funds from any bank branch to any
individual, firm or corporate having an account with any other bank branch in the country(with in
India) . Charges Above Rs 10000 and Up to Rs. 1 lakh.

• RTGS : RTGS is an acronym that stands for Real Time Gross Settlement. RTGS is a funds transfer
system where money is moved from one bank to another in ‘real-time’, and on gross basis. RTGS
transactions involve large amounts of cash, basically only funds above Rs 200,000 may be
transferred using this system with no upper limit.

04/24/23 11
 Blind Signatures and Digital Signature
• Goal
– to have the bank sign documents without knowing what they are signing.
• Why?
– Anonymity with Authentication

Classes of Digital Signature Certificates

– Class 0 Certificate: This certificate shall be issued only for demonstration/ test purposes.
Class 1 Certificate: Class 1 certificates shall be issued to individuals/private subscribers. These
certificates will confirm that user's name (or alias) and E-mail address form an unambiguous
subject within the Certifying Authorities database.
Class 2 Certificate: These certificates will be issued for both business personnel and private
individuals use. These certificates will confirm that the information in the application provided
by the subscriber does not conflict with the information in well-recognized consumer databases.
Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As
these are high assurance certificates, primarily intended for e-commerce applications, they shall
be issued to individuals only on their personal (physical) appearance before the Certifying
Authorities.

04/24/23 12
 Digital Signature
• Issured by Controller of Certifying Authorities (CCA) and CCA
issues Certificate only to Certifying Authorities. CA issue Digital
Signature Certificate to end-user. We can approach any one of the
seven CAs for getting Digital Signature Certificate. The website
addresses are given below.
• www.safescrypt.com
• www.nic.in
• www.idrbtca.org.in
• www.tcs-ca.tcs.co.in
• www.mtnltrustline.com
• www.ncodesolutions.com
• www.e-Mudhra.com

04/24/23 13
 How to sign with blind fold?
• How?
Basic: Sign anything

1. You encrypt the message

2. Send it to the bank

3. The bank signs the message and

returns it

4. You decrypt the signed

message
5. You spend it
04/24/23 14
 Detecting Double Spending

04/24/23 15
 Electronic Wallets
• Stores credit card, electronic cash, owner
identification and address
– Makes shopping easier and more efficient
o Eliminates need to repeatedly enter identifying
information into forms to purchase
o Works in many different stores to speed checkout
– Amazon.com one of the first online merchants to
eliminate repeat form-filling for purchases

04/24/23 16
An Electronic Checkout Counter Form

04/24/23 17
 Electronic Wallets
• Agile Wallet
– Developed by CyberCash
– Allows customers to enter credit card and identifying
information once, stored on a central server
– Information pops up in supported merchants’ payment pages,
allowing one-click payment
– Does not support smart cards or CyberCash, but company
expects to soon
• eWallet
– Developed by Launchpad Technologies
– Free wallet software that stores credit card and personal
information on users’ computer, not on a central server; info is
dragged into payment form from eWallet
– Information is encrypted and password protected
– Works with Netscape and Internet Explorer

04/24/23 18
 Electronic Wallets
• Microsoft Wallet
– Comes pre-installed in Internet Explorer 4.0, but not in
Netscape
– All information is encrypted and password protected
– Microsoft Wallet Merchant directory shows merchants
setup to accept Microsoft Wallet

04/24/23 19
 Entering Information Into Microsoft Wallet

04/24/23 20
 W3C Proposed Standard for Electronic
Wallets

• World Wide Web Consortium (W3C) is attempting to create

an extensible and interoperable method of embedding
micropayment information on a web page
– Extensible systems allow improvement of the system without
eliminating previous work
• Merchants must accept several payment options to insure
the widest possible Internet audience
– Merchants must embed in their Web page payment information
specific to each payment system
– This redundancy spurred W3C to develop common standards
for Web page markup for all payment systems
– Must move quickly to prevent current methods from becoming
entrenched

04/24/23 21
 W3C Electronic Commerce Interest Group (ECIG)
Draft Standard Architecture

• Client (consumer’s web browser) initiates

micropayment activity
– Client browser includes Per Fee Link Handler module and
one or more electronic wallets
– New HTML tags will carry micropayment information

04/24/23 22
 W3C Proposed Micropayment HTML Tags

04/24/23 23
 The ECML Standard
• Electronic Commerce Modeling Language (ECML)
proposed standards for electronic wallets
– Companies forming the consortium are America Online,
IBM, Microsoft, Visa, and MasterCard
– Ultimate goal is for all commerce sites to accept ECML
– Unclear how this standard will incorporate privacy
standards W3C set forth
– Electronic Commerce Modeling Language (ECML)
Wallet/Merchant Standards Initiative,
Initiative July 1999
(Next four slides)

04/24/23 24
Current state of the market - online
data exchanges
• Providing payment and order information to merchants while
shopping online is typically a manual consumer process
• 27% of online buyers abandon orders before check-out due to the
hassle of filling out forms 1

• There is no standard way for identifying the specific data

attributes that consumers must provide to merchants during an
online transaction
– This significantly complicates/limits the ability for digital wallets to
automatically exchange information with a merchant web site

• “76% of merchants surveyed indicated they are willing to

participate in a multi site wallet enterprise,” indicating that “multi
site wallets offer reduced acquisition costs that far outweigh the
risk to merchants of losing an existing customer” 1

04/24/23
1 Jupiter Communications
25
 ECML - Wallet/Merchant Standard
• Creating a standard approach for the exchange of information will
enhance the ability for digital wallets to be used at all merchant
sites and therefore facilitate the growth of e-commerce
• ECML is a universal, open standard for digital wallets and online
merchants that facilitates the seamless exchange of payment and
order information to support online purchase transactions
– Uniform field names only to start; will evolve over time
• The ECML Alliance today:
– America Online, American Express, Brodia (formerly Transactor
Networks), Compaq, CyberCash, Discover, Financial Services
Technology Consortium (FSTC), IBM, MasterCard, Microsoft, Novell,
SETCo, Sun Microsystems, Trintech, and Visa
• ECML is designed to be security protocol independent, support
global implementations, and support any payment instrument
• ECML does not change the “look and feel” of a merchant’s site
04/24/23 26
Summary of current ECML specification
min min
field field
field names length field names length

Ecom_ShipTo_Postal_Name_Prefix 4 Ecom_ReceiptTo_Postal_Name_Prefix 4
Ecom_ShipTo_Postal_Name_First 15 Ecom_ReceiptTo_Postal_Name_First 15
Ecom_ShipTo_Postal_Name_Middle 15 Ecom_ReceiptTo_Postal_Name_Middle 15
Ecom_ShipTo_Postal_Name_Last 15 Ecom_ReceiptTo_Postal_Name_Last 15
Ecom_ShipTo_Postal_Name_Suffix 4 Ecom_ReceiptTo_Postal_Name_Suffix 4
Ecom_ShipTo_Postal_Street_Line1 20 Ecom_ReceiptTo_Postal_Street_Line1 20
Ecom_ShipTo_Postal_Street_Line2 20 Ecom_ReceiptTo_Postal_Street_Line2 20
Ecom_ShipTo_Postal_Street_Line3 20 Ecom_ReceiptTo_Postal_Street_Line3 20
Ecom_ShipTo_Postal_City 22 Ecom_ReceiptTo_Postal_City 22
Ecom_ShipTo_Postal_StateProv 2 Ecom_ReceiptTo_Postal_StateProv 2
Ecom_ShipTo_Postal_PostalCode 14 Ecom_ReceiptTo_Postal_PostalCode 14
Ecom_ShipTo_Postal_CountryCode 2 Ecom_ReceiptTo_Postal_CountryCode 2
Ecom_ShipTo_Telecom_Phone_Number 10 Ecom_ReceiptTo_Telecom_Phone_Number 10
Ecom_ShipTo_Online_Email 40 Ecom_ReceiptTo_Online_Email 40

Ecom_BillTo_Postal_Name_Prefix 4 Ecom_Payment_Card_Name 30
Ecom_BillTo_Postal_Name_First 15 Ecom_Payment_Card_Type 4
Ecom_BillTo_Postal_Name_Middle 15 Ecom_Payment_Card_Number 19
Ecom_BillTo_Postal_Name_Last 15 Ecom_Payment_Card_Verification 4
Ecom_BillTo_Postal_Name_Suffix 4 Ecom_Payment_Card_ExpDate_Day 2
Ecom_BillTo_Postal_Street_Line1 20 Ecom_Payment_Card_ExpDate_Month 2
Ecom_BillTo_Postal_Street_Line2 20 Ecom_Payment_Card_ExpDate_Year 4
Ecom_BillTo_Postal_Street_Line3 20 Ecom_Payment_Card_Protocol 20
Ecom_BillTo_Postal_City 22
Ecom_BillTo_Postal_StateProv 2 Ecom_ConsumerOrderID 20
Ecom_BillTo_Postal_PostalCode 14
Ecom_BillTo_Postal_CountryCode 2 Ecom_SchemaVersion 30
Ecom_BillTo_Telecom_Phone_Number 10
04/24/23Ecom_BillTo_Online_Email 40 Ecom_TransactionComplete - 27
 ECML implementation and Alliance
participation
• The ECML Alliance seeks widespread support for and adoption of the ECML
standard
• ECML is publicly available today and can be easily implemented by online
merchants, e-commerce technology vendors, and other interested parties
– www.ecml.org - the official web site of ECML
• ECML has been enthusiastically endorsed by several e-commerce industry
segments, including the following leading online merchants:
– beyond.com – Nordstrom.com
– Dell Computer – Omaha Steaks
– fashionmall.com – Reel.com
– healthshop.com – 1-800-Batteries

• To support the current version of ECML, a merchant will need to make a one-
time change to incorporate the uniform field names into the check-out pages
of its web site, and make changes to CGI/ASP scripts
• Organizations interested in participating in the ECML Alliance should contact
[email protected] with their indication of interest
04/24/23 28
 Smart Cards
• Magnetic stripe
– 140 bytes, cost $0.20-0.75
• Memory cards
– 1-4 KB memory, no processor, cost $1.00-2.50
• Optical memory cards
– 4 megabytes read-only (CD-like), cost $7.00-12.00
• Microprocessor cards
– Embedded microprocessor
o (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM
o Equivalent power to IBM XT PC, cost $7.00-15.00
o 32-bit processors now available

04/24/23 29
 Smart Cards
• Plastic card containing an embedded microchip
• Available for over 10 years
• So far not successful in U.S., but popular in
Europe, Australia, and Japan
• Unsuccessful in U.S. partly because few card
readers available
• Smart cards gradually reappearing in U.S.; success
depends on:
– Critical mass of smart cards that support applications
– Compatibility between smart cards, card-reader devices,
and applications

04/24/23 30
 Smart Card Applications
• Ticketless travel
– Seoul bus system: 4M cards, 1B transactions since 1996
– Planned the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
– Licenses
• Mall parking
...

04/24/23 31
 Advantages and Disadvantages
of Smart Cards
• Advantages:
1. Atomic, debt-free transactions
2. Feasible for very small transactions (information commerce)
3. (Potentially) anonymous
4. Security of physical storage
5. (Potentially) currency-neutral
• Disadvantages:
1. Low maximum transaction limit (not suitable for B2B or most
B2C)
2. High Infrastructure costs (not suitable for C2C)
3. Single physical point of failure (the card)
4. Not (yet) widely used

04/24/23 32
 Mondex Smart Card
• Holds and dispenses electronic cash (Smart-card based,
stored-value card)
• Developed by MasterCard International
• Requires specific card reader, called Mondex terminal, for
merchant or customer to use card over Internet
• Supports micropayments as small as 3c and works both
online and off-line at stores or over the telephone
• Secret chip-to-chip transfer protocol
• Value is not in strings alone; must be on Mondex card
• Loaded through ATM
– ATM does not know transfer protocol; connects with
secure device at bank

04/24/23 33
 Mondex Smart Card Processing

04/24/23 34
 Mondex transaction
• Here's what happens "behind the scenes" during a Mondex
transaction between a consumer and merchant. Placing the
card in a Mondex terminal starts the transaction process:
1. Information from the customer's chip is validated by the
merchant's chip. Similarly, the merchant's card is validated by
the customer's card.
2. The merchant's card requests payment and transmits a "digital
signature" with the request. Both cards check the authenticity
of each other's message. The customer's card checks the
digital signature and, if satisfied, sends acknowledgement, again
with a digital signature.
3. Only after the purchase amount has been deducted from the
customer's card is the value added to the merchant's card. The
digital signature from this card is checked by the customer's
card and if confirmed, the transaction is complete.     

04/24/23 35
 Mondex Smart Card
• Disadvantages
– Card carries real cash in electronic form, creating the possibility
of theft
– No deferred payment as with credit cards -cash is dispensed
immediately
• Security
– Active and dormant security software
o Security methods constantly changing
o ITSEC E6 level (military)
– VTP (Value Transfer Protocol)
o Globally unique card numbers
o Globally unique transaction numbers
o Challenge-response user identification
o Digital signatures
– MULTOS operating system
o firewalls on the chip

04/24/23 36
 Credit Cards
• Credit card
– Used for the majority of Internet purchases
– Has a preset spending limit
– Currently most convenient method
– Most expensive e-payment mechanism
o MasterCard: $0.29 + 2% of transaction value
– Disadvantages
o Does not work for small amount (too expensive)
o Does not work for large amount (too expensive)
• Charge card
– No spending limit
– Entire amount charged due at end of billing period

04/24/23 37
Payment Acceptance and Processing
• Merchants must set up merchant accounts to
accept payment cards
• Law prohibits charging payment card until
merchandise is shipped
• Payment card transaction requires:
– Merchant to authenticate payment card
– Merchant must check with card issuer to ensure funds
are available and to put hold on funds needed to make
current charge
– Settlement occurs in a few days when funds travel
through banking system into merchant’s account

04/24/23 38
 Processing a Payment Card Order

04/24/23 39
 Open and Closed Loop Systems

• Closed loop systems

– Banks and other financial institutions serve as brokers
between card users and merchants -- no other institution
is involved
– American Express and Discover are examples
• Open loop systems
– Transaction is processed by third party
– Visa and MasterCard are examples

04/24/23 40
 Setting Up Merchant Account

• Merchant bank
– Also called acquiring bank
– Does business with merchants that want to accept
payment cards
– Merchant receives account where they deposit card sales
totals
– Value of sales slips is credited to merchant’s account

04/24/23 41
 Processing Payment Cards Online

• Can be done automatically by software packaged

with electronic commerce software
• Can contract with third party to handle payment
card processing
– Can also pick, pack, and ship products to the customer
– Allows merchant to focus on web presence and supply
availability

04/24/23 42
 Credit Card Processing

SOURCE: PAYMENT
PROCESSING INC.

04/24/23 43
 Payment Processing Services

• Internetsecure
– Provides secure credit card payment services
– Supports payments with Visa and MasterCard
– Provides risk management and fraud detection, and
ensures all proper security for credit card transactions
is maintained
– Ensures all transactions are properly credited to
merchant’s account

04/24/23 44
 Payment Processing Services
• Tellan
– Provides PCAuthorize for smaller commerce sites and
WebAuthorize for larger enterprise-class merchant
sites
– Both systems capture credit card information from the
merchant’s form and connect directly to the bank
network using dial-up or private, leased lines
– Bank network receives credit information, performs
credit authorization, and deposits the money in the
merchant’s bank account
– The merchant’s web site receives confirmation or
rejection of the transaction, which is communicated to
the customer

04/24/23 45
 Payment Processing Services

• IC Verify
– Provides electronic transaction processing for merchants
for all major credit and debit cards
– Also allows check guarantees and verification
transactions
– A CyberCash company
• Authorize.Net
– Online, real time service that links merchants with
issuing banks by simply inserting a small block of HTML
code into their transaction page

04/24/23 46
 Secure Electronic Transaction
(SET) Protocol
• Jointly designed by MasterCard and Visa with backing of
Microsoft, Netscape, IBM, GTE, SAIC, and others
• Designed to provide security for card payments as they
travel on the Internet
– Contrasted with Secure Socket Layers (SSL) protocol, SET
validates consumers and merchants in addition to providing
secure transmission
• SET specification
– Uses public key cryptography and digital certificates for
validating both consumers and merchants
– Provides privacy, data integrity, user and merchant
authentication, and consumer nonrepudiation

04/24/23 47
 The SET protocol

The SET protocol coordinates the activities of the customer,

merchant, merchant’s bank, and card issuer. [Source: Stein]
04/24/23 48
 SET Payment Transactions
• SET-protected payments work like this:
– Consumer makes purchase by sending encrypted financial
information along with digital certificate
– Merchant’s website transfers the information to a
payment card processing center while a Certification
Authority certifies digital certificate belongs to sender
– Payment card-processing center routes transaction to
credit card issuer for approval
– Merchant receives approval and credit card is charged
– Merchant ships merchandise and adds transaction
amount for deposit into merchant’s account

04/24/23 49
 SET uses a hierarchy of trust

All parties hold certificates signed directly or

04/24/23
indirectly by a certifying authority. [Source: Stein] 50
 SET Protocol
• Extremely secure
– Fraud reduced since all parties are authenticated
– Requires all parties to have certificates
• So far has received lukewarm reception
• 80 percent of SET activities are in Europe and Asian
countries
• Problems with SET
– Not easy to implement
– Not as inexpensive as expected
– Expensive to integrated with legacy applications
– Not tried and tested, and often not needed
– Scalability is still in question

04/24/23 51
 Q& A

04/24/23 52