Over the past decade, the internet has become increasingly used for trading, exchanging, business, import and export. This is categorized as ‘E-shopping’ in the virtual world, otherwise known as ‘E-commerce’.
The emergence of e-commerce has led to the innovation of new methods for online financial transactions, known as ‘Electronic Payment Systems’. This refers to online payments and the processing of transactions via a network. They can be categorised into four groups, which will be discussed in depth.
In this research, I will focus on distinguishing between the different e-payment systems, including their benefits and drawbacks, the infrastructure and technological specification required for execution, and the technologies required to safeguard e-payment systems. I will consider the security risks and evaluate how effectively these systems serve businesses.
To gather data, I will use books, reports, statistics and research carried out by third parties on the same topic as references to support and validate the accuracy of my findings.
Electronic commerce (E-commerce), Electronic payment (E-payment), Electronic cards (E-cards), Electronic cash (E-cash), Electronic cheque (E-cheque)
The payment landscape has rapidly revolutionised, with a decline in the paper-based system, e.g. cash/cheque. The introduction of e-payment systems in the late 1970s led to the emergence of ‘Electronic Data Interchange’ (EDI) and ‘Electronic Funds Transfer’ (EFT). Businesses were able to send documents, e.g. invoices/orders, and perform transactions electronically.
E-payment systems are categorised into four groups:
Online credit cards
Online electronic cash
Other new technologies include mobile payments. This led to a new standard of trading, i.e. businesses operating primarily via the internet (e.g. eBay and Amazon) to reach a mass target audience, and to electronic banking.
E-payment systems provide a link between the buyer’s method of payment (credit card) and the merchant’s account (bank). The e-payment system withdraws money and deposits it into the consumer’s virtual account which is managed by the merchant making the sale. On request, it will then credit the amount deposited into the consumer’s virtual account to the merchant’s bank account.
Nevertheless, there are risks associated with e-payment systems; these include fraud (e.g. IP spoofing, forged websites, etc.), theft (e.g. of sensitive data, identity theft, etc.) and deceit (e.g. building trust, gaining consumer loyalty, etc.).
5. Literature Review
5.1 Scope of E-payment Transactions
Payment represents ‘cash and non-cash financial transactions’ which take place between two or more parties. E-commerce is defined as any business activity conducted using electronic data transmission via the internet. These are divided into three groups (Morley and Parker, 2009):
Business to business: transactions between two or more businesses, e.g. between a wholesaler and retailer.
Business to consumer: selling of products/services to the public, i.e. transactions between a company and consumers. Compared to traditional commerce, this process eliminates the middleman (e.g. retail stores).
Consumer to consumer: transactions between individuals, through a third party e.g. online auction websites (Amazon, eBay).
There are four types of e-payment system, as follows:
5.2 Online Credit Cards
The most popular method of paying online. It is an account that gives consumers credit, allowing them to buy items whilst deferring the payment.
Fig. 1 Forecasted forms of payment for U.S. consumer transactions (adapted from forecasts compiled by ePaynews.com; Source: Electronic Commerce, 2009)
5.3 Purchasing Relationships of Credit Cards
Issuer: bank or other financial institution which provides the cardholder with a payment card account.
Cardholder: an individual who receives a payment card from the issuer and uses it to make payments.
Merchant: vendor selling products/services, who accepts transactions (payments) and sends them to the acquirer.
Acquirer: bank or other financial institution with a connection to a merchant, which processes transactions for that merchant (Reynolds, 2004).
Fig. 2 Electronic payment model (Source: Secure electronic payments for Islamic finance, 2004)
5.4 Online Credit Card Payment Process
Fig. 3 Request form (Source: Rani Fashion, 2010)
A consumer (cardholder) requests a purchase from a merchant. The consumer’s web browser and the merchant’s web server collaborate in creating a secure connection for the request form to be sent to the merchant.
This secure tunnel via the internet is created using protocols such as Secure Socket Layer (SSL) and Hypertext Transfer Protocol Secure (HTTPS). It is a payment gateway typically used on e-commerce sites accepting credit card or other private information. During transmission the data is encrypted to keep it secure. Encryption refers to the conversion of plaintext data into ciphertext, which can only be read by the sender and the receiver. Using encryption, SSL secures the transmission of the credit card data sent to the merchant and protects the information from internet hackers (Montague, 2004).
The merchant sends the cardholder details (diagram above) via the internet to the acquirer, who sends the cardholder information over a credit card network to the issuer to authorise the transaction.
The issuer checks the cardholder information to validate that it is legitimate and verifies that sufficient credit is present to make the purchase. An authorisation code is then sent to the acquirer if valid credit is available.
The acquirer authorises the payment made to the merchant. The issuer adds the purchase to the cardholder’s monthly account statement.
5.5 Limitations of Online Credit Card Payment
Merchants are charged a commission of approximately 1-3% of the overall value of each transaction. Consumers paying by credit card may be charged a ‘credit card supplement’ by the merchant.
Other fees a consumer may incur: overdue payments, membership fees, interchange fees, e.g. cost of payment guarantee 48%, cost of processing 28%, cost of free-funding period 24% (Ferrero, 2009).
Private/Sensitive information, e.g. personal details can be altered/stolen.
Credit card details intercepted by hackers, who may use the data fraudulently.
IP spoofing (forged websites).
Approximately 100 million adults (Americans) cannot afford credit cards.
Those below the age of 18 are not authorised to have credit cards.
E-cash is a relatively new concept combining computerised convenience with privacy and security to improve on paper cash. E-cash represents money that is exchanged only electronically via a computer network, the World Wide Web and digital stored-value systems (Bidgoli, 2002). E-cash providers include Magex, Cybercash, etc.
5.7 Examples of E-cash Systems
Deposit: payments transferred from one bank account to another, initiated by the payer.
Direct Electronic Funds Transfer (EFT): computerised systems performing financial transactions electronically via telecommunications network, e.g. transfer or exchange of money from a buyer to seller.
5.8 E-cash Concept
The consumer buys e-cash from a bank.
The bank sends the e-cash bits to the consumer (after charging that amount plus a fee).
The consumer sends the e-cash payment to the merchant, who checks with the bank to verify the e-cash (checking for forgery).
The bank verifies the e-cash validity and the transaction is completed between the parties.
5.9 Benefits of E-cash
Anonymity preserved by digital signatures and blind signatures.
Secure protocols using RSA public-key cryptography help keep e-cash safe from message tampering and eavesdropping.
Can be used online (i.e. corresponds with the bank via the internet to connect with a third party) and offline (i.e. conducts transactions directly without intervention from the bank).
Low transaction cost.
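The four-step e-cash flow in 5.8 and the blind-signature anonymity listed above, as an added example that is not from the page or from any real e-cash provider: a toy RSA blind signature in which the bank signs a coin whose serial it never sees, and later accepts the coin only if the signature verifies and the serial has not been spent before. The key size, fee and account names are constructed for the demonstration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the bank: two Mersenne primes, far too small for
# real use but large enough that the arithmetic behaves like the real scheme.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private signing exponent
COIN_VALUE = 1                        # every coin is worth one unit (assumed)
BANK_FEE = 1                          # fee charged per coin issued (assumed)


def coin_digest(serial: bytes) -> int:
    """Hash the coin serial into Z_N; this digest is what the bank signs."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)   # account holder -> balance
        self.spent = set()               # serials already redeemed

    def issue_blind_signature(self, holder: str, blinded: int) -> int:
        """Step 2: debit the buyer and sign the blinded digest without seeing the serial."""
        cost = COIN_VALUE + BANK_FEE
        if self.accounts.get(holder, 0) < cost:
            raise ValueError("insufficient funds")
        self.accounts[holder] -= cost
        return pow(blinded, D, N)

    def redeem(self, merchant: str, serial: bytes, signature: int) -> bool:
        """Step 4: accept a coin only if it is genuinely signed and unspent."""
        if pow(signature, E, N) != coin_digest(serial):
            return False                 # forgery: not signed by the bank
        if serial in self.spent:
            return False                 # double spend: serial already redeemed
        self.spent.add(serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + COIN_VALUE
        return True


def withdraw_coin(bank: Bank, holder: str) -> tuple:
    """Steps 1 and 3 on the consumer's side: blind, have it signed, unblind."""
    serial = secrets.token_bytes(16)
    m = coin_digest(serial)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:                # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blinded = (m * pow(r, E, N)) % N     # the bank sees only m * r^e
    blind_sig = bank.issue_blind_signature(holder, blinded)
    signature = (blind_sig * pow(r, -1, N)) % N   # (m*r^e)^d * r^-1 = m^d
    return serial, signature


def demo() -> dict:
    """Run the flow once, then the two rejections the bank must enforce."""
    bank = Bank({"alice": 5, "shop": 0})
    serial, sig = withdraw_coin(bank, "alice")
    first = bank.redeem("shop", serial, sig)      # genuine and unspent: accepted
    second = bank.redeem("shop", serial, sig)     # same coin again: rejected
    forged = bank.redeem("shop", b"fake", 12345)  # never signed by the bank: rejected
    return {"first": first, "double_spend": second, "forged": forged,
            "alice": bank.accounts["alice"], "shop": bank.accounts["shop"]}


if __name__ == "__main__":
    print(demo())
```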
5.10 Drawbacks of E-cash
Poor mobility: customers can only use computers that have an e-cash purse system installed.
High financial risk e.g. lost/stolen.
Fraud e.g. prone to forgery (counterfeit) though it’s difficult.
5.11 E-wallet/ Digital wallet
Software for consumers to input purchasing details. It provides authentication of consumers through digital certificates and encryption. It stores and transfers value and secures the payment process from the consumer to the merchant (Reynolds, 2004).
5.12 E-wallet Technology
A user accesses e-wallet software from the system server connected to their bank, or from other software on the internet, through an encrypted channel. Currently, there are two main e-wallet service systems, Visa Cash and Mondex (Qin, Z. 2009).
To set up an e-wallet, software is installed on the client side allowing the user to enter the relevant information. At ‘check-out’ on an e-commerce site, the e-wallet software can automatically enter the user information (consumer details) into the online form. The user is prompted to enter a password when the e-wallet software recognises a form to be filled in automatically.
E-wallets are designed to be precise when transferring data to retail checkout forms. Nevertheless, if an unusual check-out system is used, the e-wallet may not recognise the form fields. This problem has been eliminated by sites and wallet software that use ‘Electronic Commerce Modeling Language’ (ECML) technology. It is a protocol which determines how online retailers structure and set up their checkout forms. E-commerce vendors who integrate ECML and e-wallet technology include Microsoft and Dell Computers.
5.13 Types of E-wallet
Client-side e-wallets: E-wallets are usually stored on the client side. When using such an e-wallet, the client has to install software that connects to the e-commerce server and input the e-card and e-cash data into the service system. It offers consumer convenience by filling out forms automatically at online stores, e.g. MasterCard Wallet.
Server-side e-wallets: A database of user-inputted information (billing address, payment method, security numbers, etc.), created by an organisation for its consumers. A central server stores the consumer’s identification information (personal/credit-card details, etc.), e.g. Microsoft Passport.
5.14 Benefits of E-wallets
Authentication: Identification is confirmed via SET, digital certificates and other encryption techniques.
Privacy/Password management: Helps consumers control their digital environment, card numbers, pins and password.
Eliminates repetition: Automatically enters user information into a check-out form, e.g. Amazon.
5.15 Limitations of E-wallets
Manual installation is required. The user has to download the e-wallet form and software. It is installed as an ActiveX control or plug-in within a browser.
5.16 Smart Card
Invented in 1967 by German engineers, and known as the ‘Integrated Circuit Card’ (ICC) or ‘Chip Card’. A magnetic-stripe card resembling credit cards in shape and size, with embedded memory chips and microprocessors.
According to Diwan and Singh (2000), smart cards are categorised into four groups:
Memory cards: used to store pin numbers/ passwords.
Shared key cards: used to store a private key e.g. those used in public-key cryptosystems. The user can insert the card into a workstation which will read the private-key for encryption or decryption.
Signature-carrying card: contains a set of pre-generated random numbers. These numbers can be used to generate digital cash.
Signature-carrying cards (with co-processor): these cards carry a co-processor used to generate large random numbers, which can be used as serial numbers for the digital cash.
Fig. 4 Smart Card (Source: Global Journal of International Business Research, 2009)
5.17 Smart Card Software Security
Keys are stored in files, whilst protocols and algorithms are implemented in the card software. Cryptography is used to authenticate the system entities (e.g. cards, users, etc) and to encrypt communications between the outside world and the smart card.
Before a smart card can provide access to its resources, the entities must be authenticated. A simple authentication procedure is executed: the user enters a four-digit PIN. If it is the legitimate user, access is granted. If not, a record of failed attempts is kept on the smart card. After a number of failures, all further communication with the entity is blocked (Guthery and Jurgensen, 2002). A smart card consists of:
200-byte magnetic strip
8 or 16 kilobytes RAM, 346 kilobytes ROM
256 kilobytes of programmable ROM
Uses serial interface
Receives its power from external sources, e.g. a card reader.
5.18 Benefits of Smart Cards
Flexibility/Portability: The user is not required to carry several cards, and it can be used in remote areas where wired online communication is not possible.
Transaction security: Each card has a unique serial number and is capable of performing encryption. Modern-day smart cards have a chip operating system, which possesses user authentication facilities and error-checking capabilities.
Store and process information: The chip is electrically erasable, so information stored on the card can be modified or updated without issuing a new card.
5.19 Drawbacks of Smart Cards
Cost and availability: Expensive to produce, and when used as a payment card, not every business has the technology and hardware required to accept it. The user may be charged a fee for using a smart card for payment.
Level of security: A potential target for computer viruses and hackers.
Identity theft: The user is at risk of losing extensive information if the card is lost/stolen.
5.20 Uses of Smart Cards
Used to store monetary value for small purchases. Card readers retrieve the amount currently stored and deduct the amount for the purchase made.
Bank & Retail
Smart banking cards can be used as credit, direct-debit or stored-value cards, offering a device that resists tampering and counterfeiting. The card reader and the microchip on the card use a mutual authentication procedure that protects users, merchants and banks from fraudulent use.
According to Atkins (2004), there are three types of smart card attack:
Logical: attempts to decode algorithms and information stored on the card, using mathematical techniques.
Physical: attacks are invasive, attempting to get inside the chip to trace the steps by which it was manufactured.
Electrical: attempts to eavesdrop on the electrical activity and power consumption of the card, using statistical techniques to work out what the card is doing.
Hardware: Each card is assigned a four-digit PIN. If a wrong digit is entered, the card immediately stops checking the remaining digits.
Software: Software code is executed to perform tasks, using symmetric algorithms, e.g. Data Encryption Standard (DES), Triple DES and Advanced Encryption Standard (AES). A symmetric algorithm uses a key shared between the sender and receiver: each side of the transmission knows the key for both encrypting and decrypting.
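The PIN procedure of 5.17 (four digits, a failure counter on the card, blocking after repeated failures) together with the digit-by-digit behaviour described under Hardware above, as an added example that is not from the page or from any card vendor: the early-exit comparison returns how many digits it examined, which is the quantity a timing measurement would expose, so the card-side gate below compares in constant time and counts the attempt before it compares. The retry limit of three is an assumption; the page only says "a number of failures".

```python
import hmac

MAX_ATTEMPTS = 3   # assumed; the page does not give the exact limit


def early_exit_compare(stored: str, entered: str) -> tuple:
    """The behaviour described under Hardware: stop at the first wrong digit.
    Returns (match, digits_examined). The second value grows with every
    correct leading digit, which is why early exit leaks information."""
    examined = 0
    for a, b in zip(stored, entered):
        examined += 1
        if a != b:
            return False, examined
    return len(stored) == len(entered), examined


def constant_time_compare(stored: str, entered: str) -> bool:
    """Examine every digit regardless of where the first mismatch is."""
    return hmac.compare_digest(stored.encode(), entered.encode())


class SmartCard:
    """Model of the card-side PIN gate with its failure counter (constructed)."""

    def __init__(self, pin: str):
        if len(pin) != 4 or not pin.isdigit():
            raise ValueError("PIN must be exactly four digits")
        self._pin = pin
        self.failed_attempts = 0
        self.blocked = False

    def verify_pin(self, entered: str) -> bool:
        if self.blocked:
            return False                       # blocked cards answer nothing else
        # Record the attempt before comparing, so interrupting the card after
        # the comparison cannot leave the counter untouched.
        self.failed_attempts += 1
        if constant_time_compare(self._pin, entered):
            self.failed_attempts = 0           # success resets the counter
            return True
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.blocked = True                # further communication refused
        return False
```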
6. Other popular forms of e-payment systems
6.1 Electronic Cheque (E-cheque)
Functions the same way as a paper-based cheque. It acts as a message to a bank to transfer funds to a third party.
6.2 Mobile Payment
Payments made to merchants using a mobile phone. The user will have to register to open an account with a mobile payment service provider.
6.3 Debit Cards
Card payment whereby the transaction amount (payment) is subtracted from the cardholder’s bank account.
6.4 Payment Service Providers (PSP)
E-payments made through a third party, the PSP, which provides merchants with services for accepting payments electronically, e.g. PayPal, Sage Pay, PayPoint, etc.
7. Infrastructure of E-payment Systems
Fig. 5 Conceptual Framework of an e-Payment Infrastructure (Source: E-payment the digital exchange, 2004)
7.1 Front end infrastructure
Initiating an e-payment transaction comprises two elements:
Many businesses offer payment instruments, e.g. credit, debit and charge cards. Other more recent payment instruments, such as contactless chip cards (smart cards), e-wallets and e-cheques, have also become popular. These are the means used to enable cardholders to pay for purchases.
The device layer or channel transmits payment instructions to merchants or business entities. There are wired channels, using a traditional landline and wireless channels, using contactless channels that employ sensors or mobile devices. Depending on the channels and devices used to initiate payment instructions, the corresponding gateway or interface into the payment system will differ. For instance, card gateways are used for card systems and wireless gateways are used for mobile devices.
7.2 Back end infrastructure
Identifies the components required to connect the payment instructions with banks. Once a payment instruction is initiated, it has to be authenticated, routed for authorisation, and finally cleared and settled at the bank level. The following describes the procedures involved in processing an e-payment:
Transaction Management Layer
Technologies used to transmit payment instructions include the internet, intranets, leased lines, private lines, etc. The cost of using these technologies has decreased due to the high volume of transactions, but it increases when payment transactions are encrypted during transmission. The challenge is ensuring authentication, data integrity and confidentiality, e.g. in an e-card payment system (Is the buyer who he says he is?). Safeguards in place for security include the SSL and SET protocols (explained below).
Comprises payment gateways, e.g. wireless, open wired, etc., otherwise known as ‘switches’ or ‘connectors’. Payment gateways are used to transmit and connect payment instructions to the payment players. A payment gateway links two communication networks, i.e.:
Public Communication Network, e.g. Internet, General Packet Radio Service (GPRS) or Global System for Mobile Communication (GSM).
Private Financial Communication, e.g. SWIFT (Society for Worldwide Interbank Financial Telecommunication) Messaging Systems, which facilitates the communication between banks.
Fig. 6 Example of an e-Payment Gate (Source: iTransAct, 2002)
Routing Rules & Message Formats
Card systems are operated globally by credit card companies, e.g. MasterCard, Visa, etc. They depend on a standard messaging protocol known as ISO 8583 (International Organisation for Standardisation), which contains the information required for routing transactions from merchants to the acquiring bank.
The transaction is sent for authorisation from the acquiring bank to the card scheme (interchange system), which transmits the transaction to the issuing bank. The issuing bank verifies that sufficient funds are available and sends a message back to the merchant. The transaction must then be sent through the systems for clearing and settlement.
SWIFT plays a pivotal role in establishing global standards in data transmission and communications for international financial transactions.
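The authorisation request of 5.4, carried in the ISO 8583 format named above, as an added example that is not the page's code and not a complete ISO 8583 implementation: a builder and parser for a primary-bitmap message using a handful of 1987-layout fields, with length checks on every field and a PAN mask so the card number never reaches logs in clear. The field subset, ASCII encoding and sample values are assumptions made for the demonstration.

```python
# ISO 8583 (1987) layouts for the fields a basic authorisation request carries.
# Assumed here: ASCII encoding and a primary bitmap only (16 hex characters).
FIELD_SPEC = {
    2: ("LLVAR", 19),    # primary account number (PAN), two-digit length prefix
    3: ("FIXED", 6),     # processing code
    4: ("FIXED", 12),    # transaction amount in minor units
    7: ("FIXED", 10),    # transmission date and time, MMDDhhmmss
    11: ("FIXED", 6),    # systems trace audit number (STAN)
    41: ("FIXED", 8),    # card acceptor terminal id
    42: ("FIXED", 15),   # card acceptor (merchant) id
    49: ("FIXED", 3),    # transaction currency code
}

# Constructed sample: a 0100 authorisation request for GBP 123.45 on a test PAN.
SAMPLE_FIELDS = {
    2: "4111111111111111",
    3: "000000",
    4: "000000012345",
    7: "0705123456",
    11: "000123",
    41: "TERM0001",
    42: "MERCHANT0000001",
    49: "826",
}


def build_bitmap(field_numbers) -> str:
    """Bit i of the 64-bit primary bitmap (bit 1 = most significant) marks field i."""
    bits = 0
    for f in field_numbers:
        if not 2 <= f <= 64:
            raise ValueError(f"field {f} needs a secondary bitmap (unsupported)")
        bits |= 1 << (64 - f)
    return f"{bits:016X}"


def build_message(mti: str, fields: dict) -> str:
    body = []
    for f in sorted(fields):
        kind, limit = FIELD_SPEC[f]
        value = fields[f]
        if kind == "FIXED" and len(value) != limit:
            raise ValueError(f"field {f} must be exactly {limit} characters")
        if kind == "LLVAR":
            if len(value) > limit:
                raise ValueError(f"field {f} exceeds {limit} characters")
            value = f"{len(value):02d}{value}"
        body.append(value)
    return mti + build_bitmap(fields) + "".join(body)


def parse_message(raw: str) -> dict:
    """Walk the bitmap in field order, refusing truncated or oversized fields."""
    mti, bitmap, pos = raw[:4], raw[4:20], 20
    bits = int(bitmap, 16)
    if bits >> 63:
        raise ValueError("secondary bitmap present (unsupported)")
    fields = {}
    for f in range(2, 65):
        if not bits & (1 << (64 - f)):
            continue
        if f not in FIELD_SPEC:
            raise ValueError(f"no layout for field {f}")
        kind, limit = FIELD_SPEC[f]
        length = limit
        if kind == "LLVAR":
            length = int(raw[pos:pos + 2])
            pos += 2
            if length > limit:
                raise ValueError(f"field {f} length {length} exceeds {limit}")
        value = raw[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"message truncated inside field {f}")
        fields[f] = value
        pos += length
    if pos != len(raw):
        raise ValueError("trailing data after the last field")
    return {"mti": mti, "fields": fields}


def mask_pan(pan: str) -> str:
    """Keep the BIN and the last four digits only for logging."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
```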
7.3 Clearing and Settlement
Clearing and settlement of transactions is provided by a financial institution. It can be divided into three stages:
Trading: market participants (consumers) close a deal.
Clearing: accountability for the exchange of funds and financial assets is determined. This involves a confirmation between the trading parties of the conditions of a transaction or, for efficiency, of numerous transactions over a longer period, to reduce the actual exchange of funds and assets.
Settlement: involves the actual exchange of funds and assets. If the settlement stage is successful, the rightful owner has possession of the financial asset involved. In some cases, safe-keeping of the asset is left to specialised financial institutions called ‘Custodians’. Many things can go wrong after the first stage is completed and before the third stage is completed, e.g. a deal is closed and the buyer of a financial asset has already transferred the promised funds but never receives the assets he bought.
E-payment service providers appoint a single settlement bank to complete the service. When cards issued by a card association are used, that association serves as the settlement agency. The volume of transactions determines the required processing capacity, whilst the value of transactions determines the risk per transaction borne by a cardholder or account holder (buyer) and a merchant or seller (Tan, 2004).
8. Web Technology
8.1 HTTP request-response
Java Servlets are used on the server side of the web application and as a protocol. In the HTTP request-response model, the client (web browser) opens a connection with the web server by sending a request to the server. The server then allocates the request to the particular servlet. The servlet processes the request and produces an HTTP response.
Java servlets are used to provide an interface between the web server and the client’s HTTP request and HTTP response.
Fig. 7 HTTP Servlet Framework (Source: Subbu, 1999)
8.2 Secure Servers
The internet is secure, to an extent. Data can be intercepted during transmission. Secure servers use SSL and encryption to protect data during transmission over the internet. There are two types of firewall, physical and logical. A physical firewall is primarily used as a barrier to prevent unauthorised access by unauthorised users, e.g. hackers. A firewall also operates as a filter, allowing only certain messages to enter and leave the network. The firewall provides an interface between the web server and the internet (Bergsten, 1999).
9. Risks of E-payment Systems
Violation of Privacy: If not managed carefully, the collection, re-use, and instantaneous transmission of information can diminish personal privacy, resulting in disclosure of private information.
Fraud: stolen username/password, stolen cards, forged website, etc.
Security Issues: data transmission over a public access network, counterfeiting, unauthorised access or modification e.g. alteration of payment data and reliability of the telecommunication network.
Legal Framework: due to numerous e-commerce websites and e-payment systems, a proper regulatory body should be in-place. Existing laws include:
Electronic Communication Act (2000): facilitate e-commerce in the UK.
Electronic Transaction Act (2002): promote the use of e-technology and e-transaction.
Electronic Communication Privacy Act (1986): privacy on the internet.
Socio-cultural issues: Customers are resistant to new payment methods and new technologies.
Scalability: Payment infrastructure should support multiple independent servers, to avoid central bottlenecks. Users of the different servers must be able to transact business with one another, and funds must be automatically cleared between servers.
Flexibility: different models for different situations, e.g. cheque, card, etc., hence the need for a common framework.
Liability: system malfunctions, delays in transactions transfer, and unsolicited errors.
10. Challenges of E-payment Systems
10.1 Technological Aspect
Authentication (Identification / Validity): Verification of the transaction parties, i.e. buyer and merchant. In a network environment, face-to-face contact is lacking. A merchant’s behaviour cannot be observed by the buyer and vice versa, which allows misrepresentation. This problem can be prevented by identification; e.g. preventing unauthorised transfers will advance trust amongst participants.
Confidentiality (Privacy): Only the required transaction information is made explicit to the participants, whilst other data remains hidden. The aim is to protect the anonymity of the buyer and prevent unauthorised personnel from accessing information from the transactions, e.g. the merchant should not know a customer’s card number when an intermediary provides him with a payment certification (Taddesse and Kidan, 2005).
Data integrity (Accuracy): Detects any modifications, deletion, insertion, repetition or data tampering with any data in the transaction.
Non-repudiation: To prevent the buyer or merchant from rejecting commitments made in a transaction. Information regarding the transaction should be recorded, e.g. in the merchant’s database.
10.2 Economic Aspect
Cost: Buyer and merchant costs, e.g. subscription, set-up and interchange fees. The interchange fee is paid by the merchant to the card issuer; in the UK it is approximately 0.79% of the transaction value (Ferrero, 2009).
Multi-currency: Foreign currency transactions (3% of the amount).
Financial Risk: All parties are concerned about the level of online transaction security. If there are financial losses, who will incur those losses.
10.3 Social Aspect
Anonymity: Anonymity is closely related to traceability, which indicates how easy it is to trace money flows and sources of funds to a customer via payment activities.
Convenience: E-payment systems should be easy-to-use and simple. Hence, users are not required to learn a complex process before using the system. The process should be transparent and installation of additional hardware/software is not necessary.
Mobility: With the development of various electronic devices connecting to a network, users do not always use PCs to access the internet and make online purchases. It is inconvenient if a payment system is tied to PC hardware. E-payment systems should provide mobility, i.e. be usable from different PCs or other devices.
11. Technologies to Secure E-payment
Several methodologies and technologies have been developed to safeguard e-payment systems from risks and threats.
11.1 Secure Socket Layer (SSL)
Operates between HTTP and TCP on a web server. It is a transport layer security protocol, otherwise called a ‘cryptographic protocol’, used to provide security for communications via a network. Web browsers and web servers depend on the SSL protocol to create an encrypted channel over a public network (the internet) for private communications.
11.2 SSL Transactions
A client (web browser) requests a secure page (URL starts with HTTPS).
The web server sends its public key, with its certificate, to the client.
The client checks that the issued certificate is legitimate and valid (signed by a Certification Authority).
Client uses encryption key (public-key) to encrypt information into cipher text. The encryption key is sent to the server with the required URL in an encrypted format.
To decrypt the encryption key, the web server uses its private-key. The web server sends back the requested data, i.e. encrypted with the key.
The client decrypts the data by using the encryption key, and uses the information (displayed via browser).
When a web browser specifies a secure domain, a level of encryption is established based on the type of SSL Certificate and the client web browser, operating system and host server capabilities. This is why SSL Certificates feature an array of encryption levels, e.g. “up to 256-bit”. Strong encryption, at 128 bits, allows $2^{88}$ times as many combinations as 40-bit encryption (Himma, 2007).
11.3 Secure Electronic Transaction Protocol (SET)
A messaging protocol developed by Visa and MasterCard, used for securing credit card information during transactions over an unsafe network. SET protects merchants from dishonest consumers, whereas SSL protects credit card details from hackers (Joseph, 2008).
11.4 Principal features of SET Protocol
Data confidentiality refers to the consumer’s credit card number not being disclosed to the merchant. Data authentication uses digital signatures to verify the consumer’s identity, and digital certificates to validate a merchant. Data integrity prevents data from being intercepted by a third party, e.g. a hacker, with the aid of encryption (Schneider, 2009).
Fig. 8 SET Transactions (Source: E-commerce: business, technology, society, 2004)
Encryption is the process of transforming data (using a key) into an unreadable format.
The sender transmits plaintext to the receiver, by transforming the plaintext into cipher text by using a mathematical algorithm, which is publicly known. An encryption key parameterizes the mathematical algorithm. After receiving the ciphertext, the receiver uses a decryption algorithm to transform the data into its original form.
Two commonly used encryption methods:
‘Secret-key Cryptography’: a symmetric cipher is the ideal technique for implementing confidentiality and data authentication services over a communication channel connecting two entities that share a common key.
A secret key transforms the data into ciphertext. Both the sender and recipient know the secret key, which is used to encrypt and decrypt all messages that use this key.
‘Public-key Cryptography’ comprises a pair of keys. The encryption key is made public by the Key Distribution Centre (KDC), whilst the decryption key is kept private.
Confidentiality & Integrity: A message being sent from A to B is encrypted using the receiver’s public key. The corresponding private key is used to decrypt the message.
Public-key systems, e.g. Pretty Good Privacy (PGP), are well-known for transmitting information via the internet.
Authenticity: A message is authenticated by creating a digital signature using the private key, which is then verified only by the public key.
11.7 Digital Signatures
Uses encryption technology (public-key cryptography) to demonstrate authenticity of a document or digital message. This process provides a mechanism to protect the integrity of the document by:
Authenticating the sender’s identity, e.g. a digital certificate carries the digital signature of the certificate-issuing authority, in order to validate that the certificate is legitimate.
The document was not modified en route.
No one else can read the document.
A hash-value of the message (called message di