Derived from: Web Security, Privacy, and Commerce, S. Garfinkel & G. Spafford, O'Reilly, 2002

Typical Payment Card Transaction elements:
- Consumer
- Merchant
- Consumer's bank (the bank that issued the charge card)
- Merchant's bank, or acquiring bank
- Interbank network
Steps to Process the Transaction
- Consumer gives card to merchant
- Merchant asks acquiring bank for authorization
- Interbank network sends a message from the acquiring bank to the consumer's bank asking for authorization
- Response is sent from the consumer's bank to the acquiring bank (the consumer's bank may put a hold on a certain amount in the consumer's account until the transaction is completed)
- Acquiring bank notifies merchant that the charge is approved
- Merchant fills the order
- Later, merchant submits a batch of charges to the acquiring bank
- Acquiring bank sends each settlement request over the interbank network to the consumer's bank
- Consumer's bank debits the customer's account and places the money (including service charges, if any) into an interbank settlement account
- Acquiring bank credits the merchant's account and withdraws a similar sum of money from the interbank settlement account.
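The ten steps above, traced as an added example (not code from the book or the notes): a toy model of the consumer's bank, the interbank network and the acquiring bank, with an authorization hold placed before settlement and the settlement account balanced afterwards. All balances, the 2.5% fee rate and the authorization-code format are constructed values; amounts are integer cents so the ledger check is exact.

```python
"""Toy model of the card authorization / batch settlement flow (added example).
Balances, fee rate and authorization codes are constructed assumptions."""
import itertools
from dataclasses import dataclass, field

FEE_RATE = 0.025                  # assumed merchant discount rate (the text cites 2-3%)
_auth_seq = itertools.count(1000)  # source of constructed authorization codes


@dataclass
class Bank:
    name: str
    accounts: dict = field(default_factory=dict)  # account -> balance (cents)
    holds: dict = field(default_factory=dict)     # auth code -> (account, amount)

    def available(self, account):
        """Balance minus any outstanding authorization holds."""
        held = sum(amt for acct, amt in self.holds.values() if acct == account)
        return self.accounts[account] - held

    def authorize(self, account, amount):
        """Step 4: consumer's bank answers; on approval it places a hold."""
        if self.available(account) < amount:
            return None                                # declined
        code = f"AUTH{next(_auth_seq)}"
        self.holds[code] = (account, amount)
        return code

    def settle(self, code, amount, network):
        """Step 9: release the hold, debit the account, fund the settlement account."""
        account, _held = self.holds.pop(code)
        self.accounts[account] -= amount
        network.settlement += amount


@dataclass
class InterbankNetwork:
    settlement: int = 0   # interbank settlement account (cents)

    def request_authorization(self, issuer, account, amount):   # step 3
        return issuer.authorize(account, amount)

    def request_settlement(self, issuer, code, amount):         # step 8
        issuer.settle(code, amount, self)


@dataclass
class Transaction:
    account: str
    amount: int
    auth_code: str


def purchase(network, issuer, consumer_acct, amount):
    """Steps 1-6: merchant requests authorization; returns the approved charge or None."""
    code = network.request_authorization(issuer, consumer_acct, amount)
    return None if code is None else Transaction(consumer_acct, amount, code)


def settle_batch(batch, network, issuer, acquirer, merchant_acct):
    """Steps 7-10: acquirer submits the batch; issuer debits; acquirer pays merchant net of fee."""
    for tx in batch:
        network.request_settlement(issuer, tx.auth_code, tx.amount)
        fee = round(tx.amount * FEE_RATE)
        network.settlement -= tx.amount                 # step 10: withdraw from settlement
        acquirer.accounts[merchant_acct] += tx.amount - fee
        acquirer.accounts["fee_income"] += fee


def run_demo():
    """Constructed scenario: $100.00 balance, one $40.00 sale approved, a $70.00 sale declined."""
    issuer = Bank("consumer's bank", {"alice": 10_000})
    acquirer = Bank("acquiring bank", {"merchant": 0, "fee_income": 0})
    network = InterbankNetwork()
    batch = []
    ok = purchase(network, issuer, "alice", 4_000)
    if ok:
        batch.append(ok)                               # step 6: merchant fills the order
    declined = purchase(network, issuer, "alice", 7_000)   # exceeds available (hold in place)
    available_before_settlement = issuer.available("alice")
    settle_batch(batch, network, issuer, acquirer, "merchant")
    return {
        "approved": ok is not None,
        "declined": declined is None,
        "available_before_settlement": available_before_settlement,
        "consumer_balance": issuer.accounts["alice"],
        "merchant_balance": acquirer.accounts["merchant"],
        "fees": acquirer.accounts["fee_income"],
        "settlement_account": network.settlement,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is the hold: after step 4 the consumer's ledger balance is unchanged, but the available balance is reduced, so a second charge that the ledger balance would cover is declined. After settlement the settlement account returns to zero and the consumer's debit equals the merchant's credit plus the acquirer's fee.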
The Charge Slip
Tracks the transaction; it includes:
- Customer name
- Customer charge card number
- Customer address
- Customer number
- Transaction date
- Transaction amount
- Description of product or service
- Reference number
- Authorization code
- Merchant name
Web Transactions
Three general techniques for charging:
- Offline - the customer calls in with the credit card information; same as mail order or telephone.
- Online with encryption - credit card information is transmitted in an encrypted transaction (safest).
- Online without encryption - a secure transaction is not used (still very safe).
Internet-based payment system issues:
- Credit card costs are 25-75 cents per transaction, with 2-3% service fees common; not efficient for low-cost items.
- Users hesitate to provide their name and other information via the web.
- Many do not have (or cannot get) credit cards.
Three different payment systems for the web:
- Anonymous - isolates the customer from the merchant; generally has proven to be impractical.
- Private - customer information is maintained by the transacting company; the merchant "can" get the customer information if necessary.
- Identifying - the customer is known to the merchant; most common, used by credit card companies for online transactions.
Examples of Internet payment systems:
- Virtual PIN - introduced in 1994; payments are authorized via e-mail (no encryption; relied on the separateness of the e-mail transmission).
- DigiCash - introduced in 1996; used digital coins that were signed by a third party; no longer in existence.
- CyberCash/CyberCoin - similar to DigiCash; allowed low-value transactions and functioned similarly to a debit card; no longer around.
- SET (Secure Electronic Transaction) - protocol for sending credit card information over the Internet; approved for financial transactions only; includes two transmissions: one from the customer to the merchant, another from the customer to the bank (to approve); the system has since failed due to the complicated nature of its transactions.
- PayPal - allows any two individuals to transfer money if they have e-mail and a credit card; assumes both are PayPal users; has become popular because of eBay and similar systems.
- Gator Wallet - similar to SET and DigiCash; strongly integrated with Microsoft IE, operates as a digital wallet.
Evaluating credit card systems, you should ask:
- Are stored credit card numbers encrypted?
- Unless multiple transactions are expected, credit card numbers should not be stored on a server.
- Credit card numbers should be purged after transactions.
- The system should check the credit card number to verify there are no data entry errors.
- Real-time transactions should be available.
- Are credits handled?
- Are charge-backs handled?
- How anonymous is the transaction?
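Two of the checklist items, the data-entry check and purging card numbers after the transaction, as an added example that is not from the book or the notes. The notes do not name the check-digit algorithm; the industry-standard one for card numbers is the Luhn mod-10 check, which is what is implemented here. The card numbers used are constructed test values, not real accounts.

```python
"""Data-entry check (Luhn mod-10) and post-transaction purge of card numbers.
Added example; the PAN values are constructed test numbers."""
import re


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check.
    Catches every single-digit typo and every adjacent transposition except 09<->90."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise ValueError("payload must be a digit string")   # exactly one digit always works


def normalize_pan(raw: str):
    """Strip the spaces and dashes users type; reject anything that is not
    13-19 digits or that fails Luhn. Returns the clean PAN or None."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        return None
    return pan


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for receipts and support lookups."""
    return "*" * (len(pan) - 4) + pan[-4:]


class ChargeRecord:
    """Holds the full PAN only until authorization; afterwards only the masked form remains."""

    def __init__(self, raw_input: str):
        pan = normalize_pan(raw_input)
        if pan is None:
            raise ValueError("card number failed data-entry check")
        self._pan = pan
        self.masked = mask_pan(pan)

    def pan_for_authorization(self) -> str:
        if self._pan is None:
            raise RuntimeError("card number already purged")
        return self._pan

    def purge(self) -> None:
        """Called once the authorization response is back (checklist item 3)."""
        self._pan = None

    def is_purged(self) -> bool:
        return self._pan is None


if __name__ == "__main__":
    rec = ChargeRecord("4111 1111 1111 1111")     # constructed test number
    print(rec.pan_for_authorization(), rec.masked)
    rec.purge()
    print(rec.is_purged())
```

The Luhn check is a data-entry safeguard only, not a fraud control: any attacker can generate numbers that pass it, so the rest of the checklist (encryption of anything that must be stored, purging, real-time authorization) still applies. Storing only `masked` after `purge()` also shrinks what a server compromise can expose.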