9.4 Electronic credit-card payments


Credit-card payment systems have become the payment instrument of choice for Internet users and customers. Such systems must address several security requirements. For example, a mechanism must be provided to authenticate the various parties involved, such as customers and merchants, as well as the participating banks. Another mechanism must protect the credit-card and payment information during transmission over the Internet. Finally, a process must be instituted to resolve credit-card payment disputes between the parties involved.

Several electronic credit-card payment systems have been designed to address these requirements, and most of them have additional properties. For example, in some schemes (including the SET scheme addressed below) the credit-card information can be kept from the merchant, whereas the information about the products or services purchased can be kept from the banks. This property is not inherent in traditional credit-card systems, so an electronic credit-card payment scheme may provide a higher level of security than a traditional one. Also, an electronic credit-card payment scheme can be designed so that merchants receive almost instant payment for credit-card sales. In traditional credit-card schemes, it takes a significant amount of time for the merchant to deliver the credit-card receipts to the bank, and for the bank to settle the payments (this advantage is similar to that of electronic checks).
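SET achieves the property just described (the merchant never sees the card data, the bank never sees the order) with a construction it calls a dual signature: the card holder signs the hash of the two message digests once, and each recipient gets only its own plaintext plus the other message's digest. The following is an added illustration, not code from the book or from the SET specification; it uses a textbook RSA key built from two Mersenne primes (constructed, trivially factorable, for demonstration only) and constructed order and payment strings.

```python
import hashlib

# Constructed demo RSA key: two Mersenne primes, chosen only so that the
# example runs from the standard library. The key is trivially factorable
# and exists for illustration, never for real use.
_P, _Q = 2**127 - 1, 2**521 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def rsa_sign(msg_digest: bytes) -> int:
    # Textbook RSA over a 256-bit digest (N is ~648 bits); SET used PKCS#1 padding.
    return pow(int.from_bytes(msg_digest, "big"), D, N)

def rsa_verify(msg_digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(msg_digest, "big")

def dual_sign(order_info: bytes, payment_info: bytes):
    """Card holder side: one signature over H(H(OI) || H(PI)), then split."""
    oimd, pimd = digest(order_info), digest(payment_info)
    ds = rsa_sign(digest(oimd + pimd))
    merchant_msg = {"OI": order_info, "PIMD": pimd, "DS": ds}  # no card data
    bank_msg = {"PI": payment_info, "OIMD": oimd, "DS": ds}    # no order data
    return merchant_msg, bank_msg

def merchant_verify(msg) -> bool:
    """Merchant recomputes H(OI), pairs it with the supplied H(PI), checks DS."""
    return rsa_verify(digest(digest(msg["OI"]) + msg["PIMD"]), msg["DS"])

def bank_verify(msg) -> bool:
    """Bank recomputes H(PI), pairs it with the supplied H(OI), checks DS."""
    return rsa_verify(digest(msg["OIMD"] + digest(msg["PI"])), msg["DS"])

if __name__ == "__main__":
    # Constructed sample messages; the PAN is a well-known test number.
    oi = b"order=2 books;total=38.00"
    pi = b"PAN=4111111111111111;exp=12/29;amount=38.00"
    m, b = dual_sign(oi, pi)
    print("merchant ok:", merchant_verify(m), "bank ok:", bank_verify(b))
```

Because both parties verify the same signature, the bank can later confirm that the order it never saw is the one the card holder authorized, simply by comparing the merchant's H(OI) with its own copy.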

There are five parties involved in a secure electronic credit-card payment scheme:

  • A credit-card holder;

  • A merchant;

  • A merchant's bank;

  • A certificate management center;

  • A credit-card issuing bank.

The credit-card holder uses his or her credit-card to purchase products or services from the merchant. The merchant, in turn, interacts with his or her bank, called the merchant's bank, the acquirer bank, or simply the acquirer. In an electronic credit-card payment scheme, the acquirer typically refers to a financial institution that has an account with a merchant and processes credit-card authorizations and corresponding payments. In this setting, a payment gateway is a device operated by the acquirer to handle merchant payment messages. A very important party for a secure electronic credit-card payment system is the certificate management center that issues and revokes public key certificates for the parties involved.

There are usually two networks involved in an electronic credit-card payment scheme:

  • A public network (typically the Internet);

  • A private network owned and operated by the banking community.

The basic assumption is that data transmissions across the private network are sufficiently secure, whereas data transmissions across the public network are inherently insecure and must be cryptographically protected. Consequently, an electronic credit-card payment protocol mainly focuses on the communications that take place over the Internet and does not address communications that take place over the private network.

In the recent past, several electronic credit-card payment schemes have been designed, proposed, and implemented (most of them are overviewed and discussed in Chapter 4 of [1]). Examples include the iKP (where i = 1, 2, or 3) family of Internet-keyed payment protocols developed by IBM in the early 1990s [14], the Secure Electronic Payment Protocol (SEPP) developed by a consortium chaired by MasterCard, the Secure Transaction Technology (STT) developed by another consortium chaired by Visa International and Microsoft, and, most importantly, a scheme and set of protocols named Secure Electronic Transaction (SET) developed as an industry standard in 1996 [15, 16]. In the second half of the 1990s, it was commonly agreed and expected that SET would become the technology of choice for electronic credit-card-based payments over the Internet. This expectation has not come true, and support for SET never really took off in the commercial world. One reason is that the SET protocols are complex and difficult to implement. Furthermore, the deployment of SET requires an existing and fully operational PKI (which is hard to achieve, as discussed in Chapter 7). Meanwhile, Visa International and MasterCard have both started to work on alternative technologies that will eventually replace SET. As a temporary and intermediate solution, Visa International and MasterCard both use the last three digits of the number that is printed on the back of each credit-card as proof of physical ownership. Visa International uses the term card verification code (CVC) to refer to this number, whereas MasterCard uses the term card verification value (CVV). Taking all the recent developments into account, it is not at all clear how the market for electronic credit-card payments will evolve in the future.

Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger