While some credit card payments for online services are made by phone, most are made by filling in an online form.
Credit card information submitted by the customer is sent for verification to the bank that issued the credit card. If the transaction is approved, the merchant notifies the customer that the order has been placed. The actual transfer of money from the credit card bank to the merchant may happen in a few hours, or even in a few days.
Merchants who accept credit card payments pay a fee (between 1 and 7 percent of the card charge) for each card charge. In addition, in some cases merchants pay an authorization fee for each credit card authorization attempt, as well as other fees related to credit card processing.
When a customer is not satisfied with a product or service, or for other reasons, merchants may issue a refund or a charge-back to the customer's account.
Quick check for typos. Since the merchant may be charged for each credit card authorization, it is convenient to check that the credit card number makes sense before sending it to the issuing bank to authorize. There is an easy algorithm to verify a credit card number: the last digit of the credit card number is computed from the other digits using a simple procedure. The details are given here.
The algorithm is public, and therefore can be used only to catch typos and disallow random data, but not to check the validity of a credit card number.
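The check-digit scheme used on payment cards is the Luhn algorithm. The sketch below is an added example, not code from the original page; the function names and the 12 to 19 digit length bounds are assumptions of the example. It shows both points made above: a mistyped digit is rejected before any authorization attempt, yet arbitrary digits can be given a passing check digit.

```python
def _luhn_total(digits: str, double_rightmost: bool) -> int:
    """Sum the digits right to left, doubling every second one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 0) == double_rightmost:
            d *= 2
            if d > 9:          # same as adding the two digits of d
                d -= 9
        total += d
    return total


def check_digit(payload: str) -> int:
    """Last digit that makes payload + digit pass the check."""
    return (10 - _luhn_total(payload, True) % 10) % 10


def complete(payload: str) -> str:
    """Append the check digit to arbitrary digits (no account need exist)."""
    return payload + str(check_digit(payload))


def is_plausible(number: str) -> bool:
    """True if the number passes the typo check; says nothing about validity."""
    digits = number.replace(" ", "").replace("-", "")
    # Length bounds are an assumption of this example.
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        return False
    return _luhn_total(digits, False) % 10 == 0


if __name__ == "__main__":
    # Constructed sample input: a widely published test number, not a real account.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112",
                   complete("123456789012345")):
        print(sample, is_plausible(sample))
```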
Authenticating the user -- protection from customer fraud. Since the card is not physically present during the transaction, it is practically impossible for a merchant to distinguish a legitimate credit card user from a thief. In online transactions the user is usually asked to provide additional information, such as their address and phone number, and the card's billing address, if different from the customer's address. However, this information can be easily mistyped. While in a telephone transaction an operator can use their judgment to approve or reject a transaction based on how much of the information has matched and how confident the customer sounds, in an online transaction the level of "tolerance" of typos and mistakes must be set automatically.
Another way of verifying a card number is to ask the user to provide the additional digits on the card (the digits which do not appear on the magnetic strip or on carbon paper when an imprint of the card is taken). However, online customers may be reluctant to provide this information because of fear of merchant fraud (see below) or of eavesdropping.
Protecting card numbers in transmission. Since information transmitted in an online transaction is sufficient for approval of a credit card charge, it is essential that this information is protected from eavesdropping. The most common way of doing it is to encrypt data in transmission. This is done via SSL.
However, many online businesses do not use SSL when transmitting credit card numbers and other customer information, or do not make SSL the default for such transmissions. While it is theoretically possible to obtain credit card information sent in plain text (in an e-mail message or via an online form), so far there hasn't been a known case when a credit card number was stolen this way.
Protecting card numbers on the merchant's site. In practice, the main vulnerability of dealing with credit card numbers is not the transmission, but the storage. Security experts agree that storing credit card numbers at the merchant's site is a risky practice, and should be avoided. If credit card numbers need to be stored, they should be stored on a secure machine, and preferably in an encrypted form. They should not be stored in a database which is (at least partially) accessible to customers, nor should they be stored (in any form) on the web server. See the lecture on security for more details.
It is the merchant's responsibility to protect customers' information from fraud. An e-commerce web site may suffer large losses, including those caused by the loss of customers' trust, if it fails to protect confidential customer information.
Protecting from merchant fraud. The other side of protecting a merchant from a customer's fraud is protection of a customer against a merchant's fraud. If the merchant knows enough of the customer's credit card information to be able to authorize a transaction, then the merchant (including many of the merchant's employees) knows enough to be able to use the credit card themselves! In the majority of cases the highest priority of the merchant is to protect the reputation of the business and their own, and fraud is not in the merchant's interests. However, there may be exceptions, such as a desperate owner whose business is about to go broke, a disgruntled employee, or an online scam which uses a fake online business as a cover for collecting credit card information.
An online customer has to be careful not to be a victim of a merchant's fraud. Using SSL to verify the site's name is a way to avoid sites that pretend to be a part of a respected business, but in fact are not. To verify that a business is legitimate, a customer may try calling the phone number or sending an e-mail. It is always important to check carefully the credit card statement and immediately investigate an unauthorized charge (and possibly cancel the credit card if theft is suspected).
If a merchant runs a new business which has not yet established customers' trust, they might want to provide a way for the user to submit their credit card number directly to a trusted agency which authorizes the transaction. This is done by redirecting the user to a web page of the agency for authorization. An example of such a product is VeriSign PayflowLink. The customer enters information on the agency's page, and the agency sends the response back to the merchant with the authorization information. This way the merchant doesn't know the customer's credit card number.
However, one has to check carefully the software that implements this feature, because poorly written code for redirection may expose the merchant's ID or allow the customer to change the amount of the transaction in the request (see lecture on security for more details).
While electronic payment systems have not gained very wide popularity, except for the PayPal system used for online auctions, such as eBay, they may become more popular in the future if more businesses start using them. Electronic payment systems may be more convenient for international online business due to differences in credit card customer protection laws in different countries.
Below we look at examples of online payment systems. Most of these products are no longer used, but the ideas developed by their authors are used in other products.
To enroll, a customer gave their credit card information and their e-mail address to First Virtual (this was done by phone). After the credit card information had been verified, the customer received their PIN by e-mail.
The procedure for purchasing an item using Virtual PIN is as follows:
Unlike credit cards which carry the customer's name, Virtual PIN provided a customer's anonymity from the merchant. The e-mail confirmation of the transaction served as a protection against merchant's fraud.
Unfortunately, while the system has been created for all kinds of online business, the main use of Virtual PIN at the time was for buying and selling pornography. Virtual PIN tried to disassociate itself from this market. Eventually the company abandoned the Virtual PIN and became specialized in sending promotional e-mail.
In the proposed protocol the customer also had an option of "blinding" the coins. To blind a coin, the customer multiplies it by a random number r before sending it to the bank to sign. The bank signs the data. After the data and its digital signature are sent to the customer, the customer computes the digital signature of the original (non-multiplied) coin by dividing the bank's signature by r. This way the bank doesn't know the coin, but the customer, who knows r, can trace his/her payments. Blind signatures have not been implemented.
To find out why blind signatures work, read the article Cryptography and Number Theory for Digital Cash by Orlin Grabbe. This article explains the mathematics behind blind signatures. This material is optional.
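The blinding steps described above, carried through with textbook RSA as an added example (not code from the original page or from any payment product). With RSA the customer multiplies the coin by r raised to the bank's public exponent, so that the bank's signature carries a plain factor of r to divide out. The key is a constructed toy key built from two small known primes, and all function names are assumptions of the example.

```python
import hashlib
import math
import secrets

# Toy bank key (constructed; far too small and unpadded for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))


def coin_value(serial: bytes) -> int:
    """Map a coin's serial number to the integer that gets signed."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """Customer: hide m behind a random factor r; returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:            # r must be invertible mod N
            return (m * pow(r, E, N)) % N, r


def bank_sign(value: int) -> int:
    """Bank: sign whatever it is given; it never sees m itself."""
    return pow(value, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Customer: divide the bank's signature by r."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(m: int, sig: int) -> bool:
    """Anyone: check the signature with the bank's public key (N, E)."""
    return pow(sig, E, N) == m


def withdraw(serial: bytes):
    """Full exchange; returns (coin, what the bank saw, final signature)."""
    m = coin_value(serial)
    blinded, r = blind(m)
    return m, blinded, unblind(bank_sign(blinded), r)


if __name__ == "__main__":
    m, seen_by_bank, sig = withdraw(b"coin-serial-0001")  # constructed serial
    print("bank saw the coin:", seen_by_bank == m, "| signature valid:", verify(m, sig))
```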
To enroll, a customer installed software called CyberCash wallet on their computer. At installation time the wallet generated a public/private key pair. The wallet was protected by a passphrase, and a backup key was stored encrypted on a floppy disk. A CyberCash account was linked to the customer's credit card. A variation of this scheme called CyberCoin was linked to the customer's checking account.
A purchase was conducted the following way:
SET uses mechanisms similar to CyberCash. However, being a standard protocol, it is built into a wide variety of commercial products.
In SET the order information consists of two parts: the part which is private between the customer and the merchant (such as the items being ordered) and information which is private between the customer and the bank (such as the customer's account number). SET allows both kinds of information to be included in a single signed transaction: the part private between the customer and the merchant is encrypted using the merchant's private key, and the part private between the customer and the bank is encrypted using the bank's public key.
To prevent changing the order information, the customer computes message digests of each part of the message separately, then takes the message digest of the two message digests, and then signs the resulting message digest. This mechanism, called a dual signature, allows either the merchant or the bank to read and validate the signature on its half of the purchase request without having to decrypt the other half.
The reason why SET never became popular was pretty much the same as for CyberCash: the trouble of getting digital wallet software and setting it up for each credit card was not worth it for a customer, because very few merchants would accept SET payments.
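The dual signature described above, as an added example (not code from the original page or from the SET specification). SHA-256, the order in which the two digests are concatenated, the toy textbook-RSA customer key and all function names are assumptions of the example; the order and payment strings are constructed sample data.

```python
import hashlib

# Toy customer signing key (constructed; far too small and unpadded for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _as_int(md: bytes) -> int:
    return int.from_bytes(md, "big") % N


def dual_sign(order_info: bytes, payment_info: bytes) -> int:
    """Customer: sign the digest of (payment digest + order digest)."""
    combined = digest(digest(payment_info) + digest(order_info))
    return pow(_as_int(combined), D, N)


def merchant_verify(order_info: bytes, payment_digest: bytes, sig: int) -> bool:
    """Merchant: sees the order and only the digest of the payment half."""
    combined = digest(payment_digest + digest(order_info))
    return pow(sig, E, N) == _as_int(combined)


def bank_verify(payment_info: bytes, order_digest: bytes, sig: int) -> bool:
    """Bank: sees the payment data and only the digest of the order half."""
    combined = digest(digest(payment_info) + order_digest)
    return pow(sig, E, N) == _as_int(combined)


# Constructed sample purchase request.
ORDER = b"2 x widget, total 40.00 USD"
PAYMENT = b"card=4111111111111111;amount=40.00 USD"

if __name__ == "__main__":
    sig = dual_sign(ORDER, PAYMENT)
    print("merchant accepts:", merchant_verify(ORDER, digest(PAYMENT), sig))
    print("bank accepts:    ", bank_verify(PAYMENT, digest(ORDER), sig))
    # A merchant that alters the order cannot reuse the customer's signature.
    print("altered order:   ", merchant_verify(b"20 x widget", digest(PAYMENT), sig))
```

Because both digests feed the signed value, the signature also binds the payment to this particular order: pairing the payment half with the digest of a different order fails verification at the bank.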
PayPal provides an easy interface to send money to anyone by giving the person's e-mail account. In order for the person to retrieve the money, they must have a PayPal account. To avoid fraud, PayPal sends an e-mail message to both the initiator and the recipient of the transaction.
PayPal is used to settle online auctions, such as eBay auctions. The ease of use and the fact that no credit card is required to use it make PayPal increasingly popular.
Unlike magnetic strip cards which can be read by any magnetic reader, and are therefore vulnerable to loss or theft, a smart card can be password-protected to guarantee that it's only used by the owner.
Smart cards can run RSA encryption and can be programmed to generate a pair of public/private keys. The public key is made publicly readable, but the private key is stored on the card without anyone being able to copy it. Therefore, to use the private key, the user must physically possess the card.
Smart cards are used in European telephones, and are gaining popularity for other purposes both in Europe and in the US.