Internet Payment Systems

In 2003, the most recent year for which statistics on electronic commerce were available at the time of writing, e-commerce had reached a record volume of $1,679 billion. The bulk of the volume, $1,573 billion, took the form of business-to-business transactions which, in the mid-2000s, still continued to be settled in the traditional manner—by sellers sending out invoices and receiving checks in the mail. But a small—if by any measure still significant—part of this e-commerce volume, $106 billion, represented online consumer purchases. Consumers used Internet payment systems to pay for most of the goods or services bought. Payments were dominated by credit card transactions in which credit card information (owner's name, card number, type of card, expiration date) moved over secure communications lines in encrypted form to the vendor. According to Visa, more than 90 percent of all online sales are by way of credit cards. Payment also took other forms such as e-cash transactions involving prepaid credit cards and direct transactions between the vendor and the customer's bank. Some of this commerce, of course, took traditional off-line forms: orders were placed over the Internet but payments were arranged over the telephone or sent in before shipments took place; or shipments were made COD (cash on delivery).

SECURITY: THE DOMINANT ISSUE

The most important aspect of Internet payment systems is the security of the transactions—because human contact in online interactions is wholly replaced by images on screens and messages that come and go. The identity of the seller is often difficult for the buyer to confirm. Neither the seller's physical address nor telephone number may be listed on the Web page; the Web page may be a mirage created by images and photographs hiding a scam. The buyer therefore is at least initially wary in online purchasing situations. Can he or she trust this site to 1) safeguard credit card data, 2) actually ship something in exchange for a payment, and 3) guard its records from Internet bandits after the transaction closes?

In the same manner, the seller cannot see the buyer. When the buyer sends credit card information and the card checks out, the seller still doesn't know with any certainty that the party on the other end, hidden by the fog of cyberspace, is real: the buyer may have stolen the card or may maliciously intend later to deny that he or she actually made a purchase.

Linda Punch, writing for Credit Card Management, assembled some numbers from current research to show the extent of the security problem. Citing GartnerG2, a technology research service, Punch noted that 16 percent of consumers surveyed had been victimized by credit card fraud and 8 percent had been victims of identity theft. A 2005 Visa survey found that more than half of consumers responding (56 percent) avoided online shopping because they did not wish to give out their credit card numbers. Consumers are thus aware of problems and the majority may still be avoiding this type of purchasing.

Punch also noted that merchants are also victimized. In credit card parlance the word "chargeback" is used to indicate reversals of credit purchases when the buyer disputes having used the card or refuses payment claiming product defects. Merchants' chargeback experience with Internet sales is significantly higher, at 1.14 percent of charges, than the same experience rate in physical stores (0.08 percent) and in mail-order/telephone-order situations (0.36 percent).

TECHNOLOGICAL DEVELOPMENTS

All communications over the Internet, indeed over any electronic system whatsoever, take place by means of protocols. The sender's and the receiver's systems are both designed to understand the protocol. Using the protocols' pre-set sequences of codes, the parties are able to establish a common set of rules for the dialogue to follow, not least such details as speed of transmission. This process is also known as handshaking. Once a communications channel is thus established, packets of information may be exchanged, each packet having a header, body, and trailer. Error checking is performed. Both sender and receiver calculate mathematical abbreviation of the message, a single number called its CRC (for cyclic redundancy check). The receiver checks its CRC against the one transmitted by the sender. If the two numbers match, all is well. If the CRCs don't match, the receiver requests retransmission. Packet follows packet until the transmission is terminated using the orderly etiquette prescribed by the protocol.

Heightened levels of security are introduced by using encryption of all or some of the data. The most widely used secure method of communication is known as SSL (for secure socket layer), a "layer" of security. SSL was first introduced by Netscape. SSL is an extension of standard protocols under which the level of security to be used is first established between a pair of communicators. Under SSL, the method of encryption to be used can be set or negotiated and encryption keys are exchanged. Use of encryption in either one or in both directions may be agreed upon. All this, of course, takes place automatically, machines murmuring to each other; users do not have to know the deep details. The cryptographic element, thus, becomes central to the security of the cannel.

Modern Internet cryptography is known as public-key cryptography introduced by cryptologists Whitfield Diffie and Martin Hellman in 1976. Before the invention of this method, cryptology required that two parties exchanging encrypted information both had to possess the same key, one in order to encrypt the data and the other to use the same key to decode the message. Public-key cryptography requires two keys: a public key, known to both parties, and a private key, known only to the receiver of the data. Data can only be en coded by the public key, therefore the sender must have this key; but the data can only be de coded by the private key that the receiver controls. A mathematical relationship between the two keys, known only to the receiver, provides the security. A criminal or hacker who has the public key and the encoded message is virtually unable to derive the private key from these two elements of information. Thus this method is very safe. In a typical transaction the parties exchange public keys. Each encodes its message to the other by using the other's public key; each decodes the message received by its private key. Very sophisticated implementations of these systems are available. RSA Security Inc. is the leading provider of such encryption systems.

This level of security, while it protects credit card numbers very well, does not guarantee that the credit card holder isn't using a stolen card. For this reason the same public-key cryptography is used to encrypt additional information: authentication certificates and digital signatures. The certificates carry information about the parties and the digital signatures, which can be combined with digital date stamps, add yet another layer of authentication to a transaction.

The highest form of security, developed by Visa and MasterCard—with the contributions of Microsoft, IBM, GTE, Netscape, and others—is known as Secure Electronic Transport (SET). Under this protocol, the identities and rights of three parties are simultaneously established during a transaction: the card holder, the merchant, and the card issuing institution, each using certificates, signatures, and date stamps under the protective cloak of cryptography.

SET has not yet established itself widely in the mid-2000s because of its complexity. SSL transactions are still the dominant method of passing credit card information. Visa and MasterCard have introduced another less sophisticated authentication method—primarily to offer credit card holders added security. Card holders can register with the issuer of the card and provide additional authentication data (mother's maiden name, pet's name, and so on) maintained by the issuer. Once the card is thus registered, merchants are notified of this registration and can query card holders for additional authentication data before closing a sale.

GETTING PAID ONLINE

A small business intending to sell its products online must establish a merchant account at a bank and engage the services of a payment processing firm. The business may wish to begin by looking at processing firms which frequently represent banks. Conversely, many banks work with processing firms and will recommend those that they prefer. If the company already accepts credit cards in a store, its natural route is by way of the service bureau it uses for off-line sales. A set-up fee (around $50), monthly services fees (ranging from $40 to $300 based on volume), and transaction fees levied on the volume itself (ranging from 1.5 to 0.75 percent, depending on volume) should be anticipated. The numbers cited come from Yahoo's Small Business Merchants Solutions and, while representative, will vary from vendor to vendor. Three basic types of transactions are available: credit card, online check payment, and small-transaction payment systems (where transactions are a few dollars each), A merchant can sign up for one or two or three of these—each having a different cost. A very wide array of such services has developed—and thus a fair amount of homework is implied. Entering the phrase "payment processing firms" into a search engine like Google or Yahoo will produce an extensive listing of links and ads that will get the business started. Another way of testing the waters, of course, is to ask other merchants about the services they use.

Qualifying for a merchant account may require administrative efforts similar to getting a loan—because the bank will wish to satisfy itself about the business's qualifications. Working with the processing firm will involve the business in installation and testing of card authorization software that will communicate with the processing firm. The processing firm normally handles checking the validity of the credit card number, expiration date, and purchase amount, then provides the merchant with an authorization number. The preferred method for handling online sales is to pass the transaction information along to the payment processing firm for authorization while the customer is still online. An e-mail confirmation completes the transaction.

Internet payment systems, while already highly developed, are still evolving—becoming more secure, more straightforward, and, from the small business point of vantage, more competitive in price. In the mid-2000s many services are available. As electronic retailing continues its rapid growth, it is likely that a handful of major services will begin to emerge and dominate the market until, for the small business, getting online and getting paid online, will become ever more simple.

see also Online Auction

BIBLIOGRAPHY

Beaudoin, Maria. "Web Checks." Newsweek. 11 August 2003.

Beaumier, Carol M. "Multifactor Authentication: A blow to identity theft?" Bank Accounting & Finance. February-March 2006.

Bick, Jonathan. "Authenticating and Enforcing E-signatures." New Jersey Law Journal. 7 June 2004.

Paret, Dominique. RFID and Contactless Smart Card Applications. John Wiley & Sons, 2005.

Lim, Chae Hoom, and Moti Yung, eds. Information Security Applications. Springer, 2005.

Loshin, Peter, John Vacca, and Paul Murphy. Electronic Commerce. Charles River Media, 2004.

O'Mahony, Donal, Michael A. Pierce, and Hitesh Tewari. Electronic Payment Systems for E-Commerce. Artech House, 2001.

Punch Linda. "Authentication's Tentative Gins: Visa and MasterCard have developed authentication systems that will make Internet transactions less vulnerable to fraud." Credit Card Management. May 2002.

"What is Public-Key Cryptography?" RSA Laboratories. Available from http://www.rsasecurity.com/rsalabs/node.asp?id=2165. Retrieved on 4 June 2006.

"With PayPal Backing, Will Micropayments Work This Time?" CioInsight. 12 September 2005.

Wolf, Daniel. "When Dial-Up Link Blocks the Extra Verification Call." American Banker. 9 May 2006.

                                           Darnay, ECDI