Lesson 25
VIRTUAL PIN PAYMENT SYSTEM
A Virtual PIN can be compromised through eavesdropping, and bogus purchases are possible until it is blacklisted. A stolen credit card number can also be used to set up a Virtual PIN associated with an email address controlled by the attacker, in order to carry out bogus transactions. Every 90 days the buyer's credit card account is billed for the charges that have accumulated, and the merchant's account is credited accordingly. FV does the accounting for both the merchant and the buyer; therefore it takes a commission per transaction according to its policy.
Advantages and disadvantages
Simplicity, with no encryption, is the biggest advantage of this payment system: no special software is needed at the front end. The system is good for low-cost information items, so it is suitable for buying online articles, journals, music etc., where the cost of the items is low. In that case, if there is a fraud, only sales are lost rather than the merchant suffering an actual financial loss; in other words, a fraud merely results in some extra copies of the information items being made. On the other hand, the merchant is exposed to a much greater financial loss if the purchase relates to physical goods. One disadvantage of this payment model is that pre-registration of both the buyer and the merchant with FV is mandatory. Moreover, maintaining a bank account (in the case of the merchant) and having a credit card (in the case of the buyer) is also an essential part of the system. One can say that the merchant side is less secure in the transaction, because the goods are delivered by the merchant before the payment is actually received. The popularity of this payment system declined after 1998, mainly because of the introduction and development of encryption-based payment mechanisms.
Centralized Account Payment Model
This is a popular payment system on the internet. Both the payer (buyer) and the payee (merchant) hold accounts at the same centralized on-line financial institution. Over 20 payment systems use this approach, e.g., PayPal, E-gold, Billpoint, Cybergold, Yahoo! Pay Direct, Amazon.com Payments etc. This model is shown in Fig. 1 below:
Fig. 1
On-line opening and funding of one's account at the centralized bank is done using a credit/debit card or prepaid cards. To make a payment, an account holder is authenticated using an account identifier and a password, and supplies the account identifier of the payee and the payment amount. All communication between the user and the bank is protected using SSL (Secure Socket Layer), which is an encryption-based protocol. The chosen account identifier, or account ID, is unique within the system and is the identifier against which the funds are held in the online bank. Normally, the users' unique email addresses are chosen as account identifiers.
Payees are notified by email of the payment, which they can confirm by viewing their account over SSL. A payee who does not already have an account with the online centralized bank must open one to receive the amount. In some payment systems that use this approach, a question may be sent to the payee to verify his identity where the payer is not sure of it. For instance, Yahoo Paydirect allows a payer-specified question to be sent to the stated email address of the payee. If the payer accepts the answer as proof of the payee's correct identity, the money is transferred; otherwise the transaction is cancelled.
The centralized bank (depending upon its policy) charges a transaction fee from the payer, the payee or both on funding an account, withdrawing funds from an account, or receiving payments as payee/merchant. This payment model requires that all participants hold an account with the same central payment system/bank. Note that the payee can eventually withdraw the money received in his account at the centralized bank through the Automated Clearing House (ACH).
Electronic Checks
The Financial Services Technology Consortium (FSTC) is a group of U.S. banks, research agencies and government organizations formed in 1993. It introduced the concept of electronic checks. An electronic check contains an instruction to the payer's bank to make a specified payment to a payee. Both symmetric and asymmetric cryptography are used in this system. The payer and the payee are issued digital certificates in X.509 standard format by their respective banks. These certificates are used to verify the digital signatures on the check. A bank may include account restrictions, the maximum check value, or the currencies allowed by the bank in the certificate.
All individuals capable of issuing electronic checks will have an electronic check book device. An electronic check book device is a combination of secure hardware, such as a smart card, and appropriate software. A smart card is usually the size of a credit card and has special software loaded on it. The secret/private key, certificate information and a register of which checks have been signed/endorsed are normally stored in the smart card. Fig. 2 below shows the working of an electronic check in its typical format:
Fig. 2
A payer uses the electronic check book device on his computer system to generate an electronic check, fills in the information regarding amount, date etc., and digitally signs the check with his private key. A certificate issued by the payer's bank, authenticating the payer's public key, is also attached to the electronic check. This information is then sent to the payee in a secure envelope through email. A secure envelope is created when a user encrypts the information with a symmetric key and then encrypts that symmetric key itself with the public key of the receiver. Accordingly, the payee in this case decrypts the secure envelope by first retrieving the symmetric key (by applying his private key), and then using that symmetric key to decrypt the information contained in the electronic check. The payee endorses (counter-signs) the check using a secure hardware device such as a smart card and forwards the check to the payee's bank in the form of a secure envelope. The bank clears the check with the help of the traditional Automated Clearing House (ACH). Accordingly, the account of the payer is debited and the payee's account is credited. The banks send email statements to the respective parties.
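The exchange just described, as an added example in Go (it is not part of the original lesson or of any FSTC implementation): the payer signs the check, seals it in a secure envelope for the payee, the payee opens the envelope, verifies the payer's signature, endorses the check and re-seals it for the bank, and the bank verifies both signatures before clearing. The page specifies only "symmetric and asymmetric cryptography", so the concrete choices here are assumptions of the example: RSA-PSS for the signatures, AES-256-GCM as the symmetric cipher, RSA-OAEP to wrap the symmetric key, a JSON layout for the check, and constructed sample field values. The X.509 certificate step is simplified to passing the payer's public key to the verifier directly, and the tamper switch simulates a payee altering the amount after opening the envelope.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Check is the payer's instruction to the bank; the sample values used below are constructed.
type Check struct{ Payer, Payee, Amount, Date string }

// Signed is the envelope payload: the check, the payer's signature and, once endorsed, the payee's.
type Signed struct{ Check Check; PayerSig, PayeeSig []byte }

// Envelope is the text's secure envelope: payload under a one-time AES-GCM key, plus that key
// encrypted (RSA-OAEP) with the receiver's public key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func toJSON(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// must panics on errors that mean a broken key or RNG rather than bad input.
func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

// hash is SHA-256 over the JSON check plus an optional extra part: the payer signs hash(check, nil);
// the payee endorses hash(check, payerSig), so the endorsement is bound to what the payer signed.
func hash(c Check, extra []byte) []byte {
	h := sha256.Sum256(append(toJSON(c), extra...))
	return h[:]
}

// sign is RSA-PSS over that hash; verification calls rsa.VerifyPSS directly below.
func sign(priv *rsa.PrivateKey, h []byte) []byte {
	return must(rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h, nil))
}

// seal: fresh key and nonce, AEAD-encrypt the payload, then encrypt the key to the recipient.
func seal(plain []byte, to *rsa.PublicKey) Envelope {
	buf := make([]byte, 32+12) // AES-256 key followed by the GCM nonce
	_, err := rand.Read(buf)
	key, nonce := must(buf, err)[:32], buf[32:]
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil))
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plain, nil)}
}

// open reverses seal: recover the key with the private key, then decrypt and authenticate.
func open(e Envelope, priv *rsa.PrivateKey) (s Signed, err error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return s, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(plain, &s)
}

// RunCheckFlow carries one check payer -> payee -> payee's bank and returns the doubly signed
// check the bank accepted. With tamper set, the payee alters the amount after opening the envelope.
func RunCheckFlow(tamper bool) (Signed, error) {
	newKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	payer, payee, bank := newKey(), newKey(), newKey()
	// Payer: fill in the check, sign it with the private key, seal it to the payee.
	chk := Check{"payer@example.com", "shop@example.com", "12.50 USD", "2003-03-15"}
	env := seal(toJSON(Signed{Check: chk, PayerSig: sign(payer, hash(chk, nil))}), &payee.PublicKey)
	// Payee: open, verify the payer's signature (the key would come from the bank-issued
	// certificate; here it is passed directly), endorse, seal to the bank.
	s, err := open(env, payee)
	if err != nil {
		return Signed{}, err
	}
	if tamper {
		s.Check.Amount = "1250.00 USD"
	}
	if err := rsa.VerifyPSS(&payer.PublicKey, crypto.SHA256, hash(s.Check, nil), s.PayerSig, nil); err != nil {
		return Signed{}, fmt.Errorf("payee rejects check: %w", err)
	}
	s.PayeeSig = sign(payee, hash(s.Check, s.PayerSig))
	env = seal(toJSON(s), &bank.PublicKey)
	// Bank: open, verify both signatures, and only then clear the check through ACH.
	f, err := open(env, bank)
	if err != nil {
		return Signed{}, err
	}
	if err := rsa.VerifyPSS(&payer.PublicKey, crypto.SHA256, hash(f.Check, nil), f.PayerSig, nil); err != nil {
		return Signed{}, fmt.Errorf("bank rejects payer signature: %w", err)
	}
	if err := rsa.VerifyPSS(&payee.PublicKey, crypto.SHA256, hash(f.Check, f.PayerSig), f.PayeeSig, nil); err != nil {
		return Signed{}, fmt.Errorf("bank rejects endorsement: %w", err)
	}
	return f, nil
}
```

Two design points worth noticing. The envelope (AES-GCM plus the wrapped key) only keeps the contents confidential and intact in transit; what actually ties the check to the payer is the signature, so a payee or anyone else who opens the envelope and raises the amount produces a check whose payer signature no longer verifies, which is the case `RunCheckFlow(true)` exercises. And the endorsement is computed over the check together with the payer's signature, so the payee cannot be made to appear to have endorsed a different version of the check than the one the payer signed.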
Depending on the availability of processing infrastructure, there are four different scenarios for the processing of an electronic check.