Payments on Internet

Online credit card payments

General overview

Most of online purchases are paid for by a credit card. Merchants like credit card payments because an instant authorization guarantees that the card is valid (as opposed to a check which may bounce). Customers like paying by credit cards because they can easily cancel a transaction in case when they don't receive products or services according to the agreement in the transaction.

While some of credit card payments for online services are performed by phone, most of such payments are made by filling in an online form.

Credit card information submitted by the customer is sent to the bank which has issued the credit card to verify. If the transaction is approved, the merchant notifies the customer that the order has been placed. The actual transfer of money from the credit card bank to the merchant may happen in a few hours, or even in a few days.

Merchants who accept credit card payments pay fee (between 1 and 7 percent of the card charge) for each card charge. In addition, in some cases merchants pay authorization fee for each credit card authorization attempt, as well as other fees related to credit card processing.

In case when a customer is not satisfied with the product or a service, or for other reasons, merchants may issue a refund or a charge-back to the customer's account.

Technical issues

There are several technical issues involved in online credit card payments, below we discuss some of them.

Quick check for typos. Since the merchant may be charged for each credit card authorization, it is convenient to check that the credit card number makes sense before sending it to the issuing bank to authorize. There is an easy algorithm to verify a credit card number: the last digit of the credit card number is computed from the other digits using a simple procedure. The details are given here.

The algorithm is public, and therefore can be used only to catch typos and disallow random data, but not to check the validity of a credit card number.

Authenticating the user -- protection from customer fraud. Since the card is not physically present during the transaction, it is practically impossible for a merchant to distinguish a legitimate credit card user from a thief. In online transactions the user is usually asked to provide additional information, such as their address and phone number, and the card's billing address, if different from the customer's address. However, this information can be easily mistyped. While in a telephone transaction an operator can use their judgment to approve or reject a transaction based on how much of the information has matched and how confident the customer sounds, in an online transaction the level of "tolerance" of typos and mistakes must be set automatically.

Another way of verifying a card number is to ask the user to provide the additional digits on the card (the digits which do not appear on the magnetic strip or on a carbon paper when the print of the card is taken). However, online customers may be reluctant to provide this information because of fear of merchant's fraud (see below) or of eavesdropping.

Protecting card numbers in transmission. Since information transmitted in an online transaction is sufficient for approval of a credit card charge, it is essential that this information is protected from eavesdropping. The most common way of doing it is to encrypt data in transmission. This is done via SSL.

However, many online businesses do not use SSL when transmitting credit card numbers and other customer information, or do not make SSL the default for such transmissions. While it is theoretically possible to obtain credit card information sent in plain text (in an e-mail message or via an online form), so far there hasn't been a known case when a credit card number was stolen this way.

Protecting card numbers on the merchant's site. In practice, the main vulnerability of dealing with credit card numbers is not the transmission, but the storage. Security experts agree that storing credit card numbers at the merchant's site is a risky practice, and should be avoided. If credit card numbers need to be stored, they should be stored on a secure machine, and preferably in an encrypted form. They should not be stored in a database which is (at least partially) accessible to customers, nor should they be stored (in any form) on the web server. See the lecture on security for more details.

It is the merchant's responsibility to protect customer's information from fraud. An e-commerce web site may suffer large losses, including those caused by the loss of customer's trust, it fails to protect confidential customer information.

Protecting from merchant fraud The other side of protecting a merchant from a customer's fraud is protection of a customer against a merchant's fraud. If the merchant knows enough of the customer's credit card information to be able to authorize a transaction, then the merchant (including many of the merchant's employees) know enough to be able to use the credit card themselves! In the majority of cases the highest priority of the merchant is to protect the reputation of the business and their own, and a fraud is not in the merchant's interests. However, there may be exceptions, such as a desperate owner whose business is about to go broke, a disgruntled employee, or an online scam which uses a fake online business as a coverup for collecting credit card information.

An online customer has to be careful not to be a victim of a merchant's fraud. Using SSL to verify the site's name is a way to avoid sites that pretend to be a part of a respected business, but in fact are not. To verify that a business is legitimate, a customer may try calling the phone number or sending an e-mail. It is always important to check carefully the credit card statement and immediately investigate an unauthorized charge (and possibly cancel the credit card if theft is suspected).

If a merchant runs a new business which has not yet established customer's trust, they might want to provide a way for the user submit their credit card number directly to a trusted agency which authorizes a transaction. This is done by redirecting the user to a web page of the agency for authorization. An example of such product is VeriSign PayflowLink. The customer enters information on the agency's page, and the agency sends the response back to the merchant with the authorization information. This way the merchant doesn't know the customer's credit card number.

However one has to check carefully the software that implements this feature, because poorly written code for redirection may expose the merchant's ID or allow the customer to change the amount of the transaction in the request (see lecture on security for more details).

Electronic payment systems

Electronic payment systems are non-credit-card online payment systems. The goal of their development is to create analogs of checks and cash on the Internet, i.e. to implement all or some of the following features:

Protecting customers from merchant's fraud by keeping credit card numbers unknown to merchants.
Allowing people without credit cards to engage in online transactions.
Protecting confidentiality of customers.
In some cases providing anonymity of customers ("electronic cash").

The problems in implementing electronic payment systems, especially anonymous electronic money, are:

Preventing double-spending: copying the "money" and spending it several times. This is especially hard to do with anonymous money.
Making sure that neither the customer nor the merchant can make an unauthorized transaction.
Preserving customer's confidentiality without allowing customer's fraud.

While electronic payment systems have not gained a very wide popularity, except for PayPal system used on online auctions, such as eBay, they may become more popular in the future if more businesses start using them. Electronic payment systems may be more convenient for international online business due to differences in credit card customer protection laws in different countries.

Below we look at examples of online payment systems. Most of these products are no longer used, but the ideas developed by their authors are used in other products.

Virtual PIN

Virtual PIN, started in 1994 by a company called First Virtual Holding, was a system for making credit card payments over the Internet without exposing the credit card number to the merchant. It required no special software for a customer to make a purchase. Virtual PIN relied on difficulty of intercepting and forging e-mail.

To enroll, a customer gives their credit card information and their e-mail address to the First Virtual (this was done by phone). After the credit card information has been verified, the customer receives their PIN by e-mail.

The procedure for purchasing an item using Virtual PIN is as follows:

The customer gives the merchant their Virtual PIN.
The merchant sends the Virtual PIN and the amount of transaction to First Virtual.
First Virtual sends an e-mail to the customer asking to confirm the purchase.
The customer answered "Yes", "No", or "Fraud".
If the answer is "Yes", the merchant is informed that the charge has been accepted. If "No", the charge is declined. If the answer is "Fraud", the charge is investigated.

Even though no encryption was involved, an eavesdropper could not use a virtual PIN without being able to intercept and answer the e-mail message to confirm the purchase.

Unlike credit cards which carry the customer's name, Virtual PIN provided a customer's anonymity from the merchant. The e-mail confirmation of the transaction served as a protection against merchant's fraud.

Unfortunately, while the system has been created for all kinds of online business, the main use of Virtual PIN at the time was for buying and selling pornography. Virtual PIN tried to disassociate itself from this market. Eventually the company abandoned the Virtual PIN and became specialized in sending promotional e-mail.

DigiCash (or E-cash)

DigiCash (also known as E-cash) is an electronic payment system developed by Dr. David Chaum, who is widely regarded as an inventor of digital cash. The system was based on digital tokens called digital coins. DigiCash operated as follows:

A customer establishes an account with the bank or other organization that could mint and receive digital coins. The customer's account was backed by real money in some form, for instance it could be linked to the customer's checking account.
The customer also needs to download and install a software called electronic wallet.
To obtain DigiCash, the customer uses the electronic wallet to create digital coins. The coins are sent to the bank to sign. When the coins are signed, the equivalent amount of money is withdrawn from the customer's account.
In the proposed protocol the customer also had an option of "blinding" the coins. To blind a coin, the customer multiplies it by a random number r before sending it to the bank to sign. The bank signs the data. After the data and its digital signature are sent to the customer, the customer computes the digital signature of the original (non-multiplied) coin by dividing the bank's signature by r. This way the bank doesn't know the coin, but the customer, who knows r, can trace his/her payments. Blind signatures have not been implemented.
To find out why blind signatures work, read the article Cryptography and Number Theory for Digital Cash by Orlin Grabbe. This article explains mathematics behind blind signatures. This material is optional.
When the customer wants to make a purchase, he/she sends signed digital coins to the merchant. The merchant verifies the bank's signature and deposits the coins to the bank, where they are credited to the merchant's account.

The DigiCash (or E-cash), produced by the company DigiCash BV based in Amsterdam, has never created a market. The company eventually declared bankruptcy. However, the algorithms used in DigiCash are considered fundamental in development of digital money.

CyberCash/CyberCoin

CyberCash is a system that allows customers to pay by a credit card without revealing the credit card number to the merchant. To achieve this, a credit card number is sent to the merchant in an encrypted form.

To enroll, a customer installs a software called CyberCash wallet on their computer. At the time of the installment the wallet generated a pair of a public and a private key. The wallet was protected by a passphrase, and a backup key was stored encrypted on a floppy disk. A CyberCash account was linked to the customer's credit card. A variation of this scheme called CyberCoin was linked to the customer's checking account.

A purchase was conducted the following way:

When the purchase was initiated, the CyberCash wallet displayed the amount, the merchant's name, and other information. After the customer approved the transaction, an encrypted payment order was sent to the merchant.
The merchant could decrypt some of the information in the order, such as the product list, the address, etc., but not the other (such as the credit card information). The merchant's software would add its own payment information to the order, digitally sign it, and then send it to the CyberCash gateway.
The CyberCash gateway would decrypt the information. The order would be checked for duplicate requests. The gateway would verify that the customer's and the merchant's order information match (i.e. no fraud was committed on either side). Then it would perform the money transfer and send the approval message to the merchant.

The main point of this scheme was to prevent merchant's fraud, and thus allow customers to do business with more merchants without fear of scam. However, CyberCash and CyberCoin were not able to find the market. The main reasons for the failure were the large size of customer's software and the fact that very few merchants would accept CyberCash payment. The company was eventually bought by VeriSign.

SET (Secure Electronic Transactions)

SET is the Secure Electronic Transaction protocol for sending money over Internet. It has been developed jointly by MasterCard, Visa, and several computer companies.

SET uses mechanisms similar to CyberCash. However, being a standard protocol, it is built into a wide variety of commercial products.

In SET the order information consists of two parts: the part which is private between the customer and the merchant (such as the items being ordered) and information which is private between the customer and the bank (such as the customer's account number). SET allows both kinds of information to be included in a single signed transaction: the part private between the customer and the merchant is encrypted using the merchant's private key, and the part private between the customer and the bank is encrypted using the bank's public key.

To prrevent changing the order information, the customer computes message digests of each part of the message separately, then takes the message digest of the two message digests, and then signs the resulting message digest. This mechanism, called a dual signature, allows either the merchant or the bank to read and validate the signature on its half of the purchase request without having to decrypt the other half.

The reason why SET never became popular was pretty much the same as for CyberCash: the trouble of getting a digital wallet software and setting it up for each credit card was not worth it for a customer, because very few merchants would accept SET payments.

PayPal

PayPal is an electronic payment system which can transfer money between its accounts. In order to use PayPal, one has to obtain a PayPal account, which is associated either with the customer's credit card or with their regular bank account. The validity of a credit card is checked by the usual ways. The validity of a checking account is checked as follows: the customer gives PayPal their account number, PayPal makes two small-amount (less than $1) deposits to the account. If the customer is able to tell PayPal the value of these deposits, then the customer is assumed to be a legitimate user of the account.

PayPal provides easy interface to send money to anyone by giving the person's e-mail account. In order for the person to retrieve the money, they must have a PayPal account. To avoid fraud, PayPal sends an e-mail message to both the initiator and the recipient of the transaction.

PayPal is used to settle online auctions, such as eBay auctions. The ease of use and the fact that no credit card is required to use it makes PayPal increasingly popular.

Smart cards

Smart cards are cards that look like credit cards, but store information on a microprocessor chip instead of magnetic strips. A microchip can hold significantly more information than a magnetic strip. Because of this capacity, a single smart card can be used for many different purposes.

Unlike magnetic strip cards which can be read by any magnetic reader, and are therefore vulnerable to loss or theft, a smart card can be password-protected to guarantee that it's only used by the owner.

Smart cards can run RSA encryption and can be programmed to generate a pair of public/private keys. The public key is made publicly readable, but the private key is be stored on the card without anyone being able to copy it. Therefore, to use the private key, the user must physically possess the card.

Smart cards are used in European telephones, and are gaining popularity for other purposes both in Europe and in the US.

This page has been created and is maintained by Elena Machkasova
Some of material on this page is based on Chapter 25 of "Web Security, Privacy, and Commerce" by Simson Garfinkel with Gene Spafford.
Comments and suggestions are welcome at emachkas@wellesley.edu

Spring Semester 2002