Security and Internet payment systems

European Business Review

ISSN: 0955-534X

Article publication date: 1 December 1999


Citation

Jayawardhena, C. (1999), "Security and Internet payment systems", European Business Review, Vol. 99 No. 6. https://doi.org/10.1108/ebr.1999.05499fag.001

Publisher: Emerald Group Publishing Limited

Copyright © 1999, MCB UP Limited



Amid optimistic forecasts of the potential of electronic commerce, several studies have highlighted difficulties of trading over the Internet. A major obstacle identified by a number of studies is the absence of a universally accepted and secure Internet payment system (IPS).

To overcome problems associated with financial transactions over the Internet, many individuals and organisations have been developing payment systems. These have become known as IPS. An IPS can be defined as any conventional or new payment system which enables financial transactions to be made securely from one organisation or individual to another over the Internet. An IPS will provide businesses and consumers with a means of integrating individual transactions into an electronic marketplace. The development of Internet payment systems has generated considerable interest. Since 1996 more than 40 IPS proposals have been published. The developers of these proposals have been varied, ranging from large corporations such as MasterCard, Visa, Microsoft and IBM, to individuals specialising in cryptography and specialists in electronic commerce.

Current IPS models can be categorised into two groups: prepaid (debit) models, where payment is made in advance to obtain "credit", and post-paid (credit) models, where the requirement is post-purchase payment. Many systems use a "smart card" which can hold information about passwords and security as well as information relating to transactions. Others are virtual systems, with the IPS residing in a computer or similar device.

The common denominator among all the current IPSs is that they attempt to guarantee the security of transactions by applying various technologies to the transmission of financial messages. As with any payment mechanism, an IPS has three primary stakeholders: issuers, users, and regulators. These stakeholders have varying degrees of security, transaction and other requirements with regard to an Internet transaction.

Security is one of the most important components, if not the most crucial component, of an Internet transaction. It is the primary building block for building trust, and security remains a key issue affecting all three stakeholders. Many people fear the potential threat of financial or personal data being accessible to others. Although this potential threat is yet to be substantiated with real fraud statistics, many IPSs have paid a great deal of attention to this problem. Most Internet transactions using traditional credit or debit cards (with a simple magnetic strip) rely on secure sockets layer (SSL) as the preferred security protocol. The SSL system is simple and fast, but it does not offer merchant authentication, it gives the cardholder no guarantee that the merchant has a relationship with the bank, and it provides no guarantee to the merchant that they will be paid; consequently it does little to build trust between the parties in a transaction.

Most IPS proposals, on the other hand, rely on secure electronic transaction (SET) to maximise security. SET provides integrity of the payment information, authenticates each party and provides confidentiality; it thereby gives peace of mind to merchant and consumer and enhances the relationship between them. SET is a three-party protocol involving the IPS holder, merchant, and acquirer. It works by using digital signatures and strong encryption techniques to encrypt sensitive data and authenticate the sending and receiving parties. All certificates generated are linked with a higher entity in the trust chain. Additionally, it allows interoperability among different software and hardware platforms. However, it does need a small percentage increase in computing power compared to SSL.
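The three-party binding described above can be illustrated with SET's dual signature, which the article does not name; the following Python sketch is an added example, not code from the article or from the SET specification. It assumes a toy textbook-RSA key built from two Mersenne primes (not secure), constructed sample messages and hypothetical function names, and it omits the encryption of the payment half to the acquirer.

```python
import hashlib

# Toy textbook-RSA key for the cardholder (two Mersenne primes; NOT secure).
# Assumption: it stands in for the certified key pair a SET cardholder holds.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _as_int(d: bytes) -> int:
    # Reduce the digest into the toy modulus so it can be signed.
    return int.from_bytes(d, "big") % N

def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Cardholder: sign H(H(PI) || H(OI)) so both halves are bound together."""
    combined = digest(digest(payment_info) + digest(order_info))
    return pow(_as_int(combined), D, N)

def merchant_verify(order_info: bytes, pi_digest: bytes, sig: int) -> bool:
    """Merchant sees the order and only the digest of the payment data."""
    combined = digest(pi_digest + digest(order_info))
    return pow(sig, E, N) == _as_int(combined)

def acquirer_verify(oi_digest: bytes, payment_info: bytes, sig: int) -> bool:
    """Acquirer sees the payment data and only the digest of the order."""
    combined = digest(digest(payment_info) + oi_digest)
    return pow(sig, E, N) == _as_int(combined)

def demo() -> dict:
    # Constructed sample messages (placeholder card data, not a real account).
    oi = b"order=1 book; total=19.99 GBP; merchant=example-shop"
    pi = b"card=PLACEHOLDER-PAN; exp=PLACEHOLDER; amount=19.99 GBP"
    sig = dual_sign(oi, pi)
    bad_oi = oi.replace(b"19.99", b"1.99")  # order altered after signing
    return {
        "merchant_ok": merchant_verify(oi, digest(pi), sig),
        "acquirer_ok": acquirer_verify(digest(oi), pi, sig),
        "tampered_order_rejected": not merchant_verify(bad_oi, digest(pi), sig),
        "mismatched_pair_rejected": not acquirer_verify(digest(bad_oi), pi, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The merchant never handles the payment data and the acquirer never handles the order, yet each can check that the cardholder signed both together, which is the integrity and authentication property that a plain SSL card submission does not give.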

Apart from the "hard" trust building achieved through better security systems like SET by the IPSs, the stakeholders have varying security-related requirements. All parties have a vested interest in safeguarding the anonymity and trustworthiness of an IPS. The regulators monitor the functioning of an IPS to make sure that it falls under the regulatory framework umbrella. The issuers and users have additional "psychological trust" building requirements in dealing with issues like privacy, communication, etc.

Issuers and users have a common interest in the characteristics or attributes of an IPS. These transaction attributes include minimal cost in usage, ease of use of the system, the degree of universality (the ability to seamlessly use the system for both terrestrial and Internet transactions) and ease of exchangeability between parties.

A universally accepted IPS is yet to emerge. There are a number of systems in operation in various parts of the world. Table I gives some of these systems, along with the cost of using the system to the users, i.e. the merchant and buyer. From the large number of IPS trials that have been concluded around the world, it has been shown that users prefer to use an "electronic purse" that can be loaded from any source. Additionally, it has been shown that there is a clear preference among users for systems that can be used for everyday transactions and micropayments. Some IPS developers are now working with other electronic money-makers to develop standards to support this type of purse.

Chanaka Jayawardhena
E-mail: cjcor@dmu.ac.uk
Junior Research Fellow
De Montfort University, UK
