A Simple and Secure Credit Card-Based Payment System

Chi Po Cheong (University of Macau, China)
DOI: 10.4018/978-1-60566-014-1.ch175

Abstract

Credit cards are the most popular payment method used in Internet shopping. The idea of credit card payment is to buy first and pay later: the cardholder can pay at the end of the statement cycle or pay interest on the outstanding balance. Many credit card-based electronic payment systems (EPSs) have therefore been developed to facilitate the purchase of goods and services over the Internet, such as CyberCash (VeriSign), iKP (Bellare, Garay, Hauser, et al., 1995), SET (Visa and MasterCard, 1997), and CCT (Li & Zhange, 2004). Usually a credit card-based EPS involves five parties: cardholder, merchant, acquirer bank, issuer bank, and financial institution.

The Internet is an open system, and the communication path between the parties is insecure. All communications are potentially open to an eavesdropper to read and modify as they pass between the communicating endpoints; payment information transmitted between the cardholder and the merchant over the Internet is therefore at risk without a secure path. SSL (Zeus Technology, 2000) is a good example of a way to secure the communication channel. Besides insecure communication, there are a number of factors that each participant must consider. For example, the merchant is concerned about whether the credit card or the cardholder is genuine; there is no way to know that the consumer is the genuine cardholder. As a result, the merchant incurs increasing losses due to cardholder disputes and fraud. On the other hand, cardholders worry about the theft of private or sensitive information such as the credit card number. They do not want any unauthorized use of their credit cards or any modification of the transaction amount by a third party. These security issues have deterred many potential consumers from purchasing online.

Existing credit card-based EPSs solve these problems in many different ways. Some of them use cryptographic mechanisms to protect private information; however, these are very complicated, expensive, and tedious (Xianhau, Yuen, Ling, & Lim, 2001). Some EPSs use the Certificate Authority (CA) model to provide authentication, integrity, and nonrepudiation, but then each participant requires a digital certificate during the payment cycle. These certificates are issued by independent CAs, and the implementation and maintenance cost of this model is very high. In addition, the validation steps of certificate-based systems are time-consuming and require access to an online certificate server during the payment process. Moreover, the certificate revocation list is a major disadvantage of the PKI-based certification model (The Internet Engineering Task Force). The cardholder's certificate also includes private information such as the cardholder's name. The requirement for a cardholder certificate means that software such as an e-wallet must be installed on the cardholder's computer, which is a barrier to the use of certificate-based payment systems. To address this problem, Visa has developed a new payment system called Verified by Visa (VbV) (http:www/visa-asia.com/ap/sea/merchants/productstech/vbv_implementvbv.shtml). However, sensitive information such as the credit card number is still passed to the merchant, so the cardholder is not protected by the system.

Chapter Preview

Evaluation Factors

A successful credit card-based EPS should be simple, secure, and easy to use, and should have low deployment and maintenance cost. A set of evaluation criteria is described by Sahut (2005). Security is an important factor in identifying a good EPS; however, factors such as cost, convenience, and ease of use must also be considered when designing a new EPS.

The new EPS must strike a balance between security and convenience, especially on the cardholder side. This article proposes a new payment system called the simple and secure credit card-based payment system (SSCCPS), which is a "cryptography free" and "certificate free" system.

Key Terms in this Chapter

Two-way communication: Communication involving two participants; both participants may be humans, or it may be a human-machine interaction. It does not necessarily take previous messages into account.

Machine Interactivity: Interactivity resulting from human-to-machine or machine-to-machine communication. Typically, the latter form is of less interest to most human-computer studies.

Computer-Mediated Communication (CMC): Refers to the communication that takes place between two entities through a computer, as opposed to face-to-face interaction that takes place between two persons present at the same time in the same place. The two communicating entities, in CMC, may or may not be present simultaneously.

Stickiness: To make people stay at a particular Web site. It can be measured by time spent by the user per visit.

Reciprocal Communication: Communication that involves two or more (human or nonhuman) participants. The direction of communication may be two-way or more. However, this type of communication does not necessarily imply that participants communicate in any preset order.

Telepresence: Defined as the feeling of being fully present at a remote location from one’s own physical location. Telepresence creates a virtual or simulated environment of the real experience.

Reach: To get users to visit a Web site for the first time. It can be measured in terms of unique visitors to a Web site.

Synchronicity: The spontaneity of the feedback received by a user in the communication process. The faster the response is received, the more synchronous the communication.
