Electronic payment systems are non-credit-card online payment systems. The goal of their development is to create analogs of checks and cash on the Internet, i.e. to implement all or some of the following features
Electronic Payment Systems
Electronic payment systems are non-credit-card
online payment systems. The goal of their development is to create analogs of
checks and cash on the Internet, i.e. to implement all or some of the following
features
Protecting customers from merchant’s fraud by
keeping credit card numbers unknown to merchants.
Allowing people without credit cards to engage
in online transactions.
Protecting confidentiality of customers.
In some cases providing anonymity of customers
(“electronic cash”).
Figure explains the process involved in
electronic payment as part of an e-commerce transaction
The problems in implementing electronic payment
systems, especially anonymous electronic money, are
Preventing double-spending copying the “money”
and spending it several times. This is especially hard to do with anonymous
money.
Making sure that neither the customer nor the
merchant can make an unauthorized transaction.
Preserving customer’s confidentiality without
allowing customer’s fraud.
While electronic payment systems have not
gained a very wide popularity, except for PayPal system used on online
auctions, such as eBay, they may become more popular in the future if more
businesses start using them.
Electronic payment systems may be more
convenient for international online business due to differences in credit card
customer protection laws in different countries.
Virtual PIN
Virtual PIN, started in 1994 by a company
called First Virtual Holding, was a system for making credit card payments over
the Internet without exposing the credit card number to the merchant. It
required no special software for a customer to make a purchase. Virtual PIN
relied on difficulty of intercepting and forging e-mail. To enroll, a customer
gives their credit card information and their e-mail address to the First Virtual
(this was done by phone). After the credit card information has been verified,
the customer receives their PIN by e-mail.
The procedure for purchasing an item using
Virtual PIN is as follows
The customer gives the merchant their Virtual
PIN.
The merchant sends the Virtual PIN and the
amount of transaction to First Virtual.
First Virtual sends an e-mail to the customer
asking to confirm the purchase.
The customer answered “Yes”, “No”, or “Fraud”.
If the answer is “Yes”, the merchant is informed that the charge has been
accepted. If “No”, the charge is declined. If the answer is “Fraud”, the charge
is investigated.
Even though no encryption was involved, an
eavesdropper could not use a virtual PIN without being able to intercept and
answer the e-mail message to confirm the purchase.
Unlike credit cards which carry the customer’s
name, Virtual PIN provided a customer’s anonymity from the merchant. The e-mail
confirmation of the transaction served as a protection against merchant’s
fraud.
Unfortunately, while the system has been
created for all kinds of online business, the main use of Virtual PIN at the
time was for buying and selling pornography. Virtual PIN tried to disassociate
itself from this market. Eventually the company abandoned the Virtual PIN and
became specialized in sending promotional e-mail.
DigiCash (or E-Cash)
DigiCash (also known as E-cash) is an
electronic payment system developed by Dr. David Chaum, who is widely regarded
as an inventor of digital cash. The system was based on digital tokens called
digital coins. DigiCash operated as follows
A customer establishes an account with the bank
or other organization that could mint and receive digital coins. The customer’s
account was backed by real money in some form, for instance it could be linked
to the customer’s checking account.
The customer also needs to download and install
a software called electronic wallet.
To obtain DigiCash, the customer uses the
electronic wallet to create digital coins. The coins are sent to the bank to
sign. When the coins are signed, the equivalent amount of money is withdrawn
from the customer’s account.
In the proposed protocol the customer also had
an option of “blinding” the coins. To blind a coin, the customer multiplies it
by a random number r before sending it to the bank to sign. The bank signs the
data.
After the data and its digital signature are
sent to the customer, the customer computes the digital signature of the
original (non-multiplied) coin by dividing the bank’s signature by r. This way
the bank doesn’t know the coin, but the customer, who knows r, can trace
his/her payments. Blind signatures have not been implemented.
To find out why blind signatures work, read the
article Cryptography and Number Theory for Digital Cash by Orlin Grabbe. This
article explains mathematics behind blind signatures. This material is
optional.
When the customer wants to make a purchase,
he/she sends signed digital coins to the merchant. The merchant verifies the
bank’s signature and deposits the coins to the bank, where they are credited to
the merchant’s account.
The DigiCash (or E-cash), produced by the
company DigiCash BV based in Amsterdam, has never created a market. The company
eventually declared bankruptcy. However, the algorithms used in DigiCash are
considered fundamental in development of digital money.
CyberCash/CyberCoin
CyberCash is a system that allows customers to
pay by a credit card without revealing the credit card number to the merchant.
To achieve this, a credit card number is sent to the merchant in an encrypted
form.
To enroll, a customer installs software called
CyberCash wallet on their computer. At the time of the installment the wallet
generated a pair of a public and a private key. The wallet was protected by a
passphrase, and a backup key was stored encrypted on a floppy disk.
A CyberCash account was linked to the
customer’s credit card. A variation of this scheme called CyberCoin was linked
to the customer’s checking account.
A purchase was conducted the following way
When the purchase was initiated, the CyberCash
wallet displayed the amount, the merchant’s name, and other information. After
the customer approved the transaction, an encrypted payment order was sent to
the merchant.
The merchant could decrypt some of the
information in the order, such as the product list, the address, etc., but not
the other (such as the credit card information). The merchant’s software would
add its own payment information to the order, digitally sign it, and then send
it to the CyberCash gateway.
The CyberCash gateway would decrypt the
information. The order would be checked for duplicate requests. The gateway
would verify that the customer’s and the merchant’s order information match
(i.e. no fraud was committed on either side). Then it would perform the money
transfer and send the approval message to the merchant.
The main point of this scheme was to prevent
merchant’s fraud, and thus allow customers to do business with more merchants
without fear of scam. However, CyberCash and CyberCoin were not able to find
the market. The main reasons for the failure were the large size of customer’s
software and the fact that very few merchants would accept CyberCash payment.
The company was eventually bought by VeriSign.
SET (Secure Electronic
Transactions)
SET is the Secure Electronic Transaction
protocol for sending money over Internet. It has been developed jointly by
MasterCard, Visa, and several computer companies. SET uses mechanisms similar
to CyberCash. However, being a standard protocol, it is built into a wide variety
of commercial products.
In SET the order information consists of two
parts the part which is private between the customer and the merchant (such as
the items being ordered) and information which is private between the customer
and the bank (such as the included in a single signed transaction the part
private between the customer and the merchant is encrypted using the merchant’s
private key, and the part private between the customer and the bank is
encrypted using the bank’s public key.
To prevent changing the order information, the
customer computes message digests of each part of the message separately, then
takes the message digest of the two message digests, and then signs the
resulting message digest.
This mechanism, called a dual signature, allows
either the merchant or the bank to read and validate the signature on its half
of the purchase request without having to decrypt the other half.
The reason why SET never became popular was
pretty much the same as for CyberCash the trouble of getting a digital wallet
software and setting it up for each credit card was not worth it for a
customer, because very few merchants would accept SET payments.
PayPal is an electronic payment system which
can transfer money between its accounts. In order to use PayPal, one has to
obtain a PayPal account, which is associated either with the customer’s credit
card or with their regular bank account. The validity of a credit card is
checked by the usual ways. The validity of a checking account is checked as
follows the customer gives PayPal their account number; PayPal makes two
small-amount (less than $1) deposits to the account. If the customer is able to
tell PayPal the value of these deposits, then the customer is assumed to be a
legitimate user of the account.