Approaches to safe Electronic Commerce

1) Explain SEPP (Secure electronic payment protocol) process & Architecture in detail.

Ans: – Secure Transactions:

SEPP Process : SEPP assumes that the cardholder and merchant have been communicating in order to negotiate terms of a purchase and generate an order.

  • These processes may be conducted via a WWW browser.
  • Alternatively, this operation may be performed through the use of electronic mail, via the user’s review of a paper or CD-ROM catalogue, or by other mechanisms.

Cardholder : This is an authorised holder of a bankcard supported by an issuer and registered to perform electronic commerce.

Merchant : This is a merchant of goods, services and/or e-products who accepts payment for them electronically and may provide selling services and/or electronic delivery of items for sale (eg. e-products).

Acquirer : This is a financial institution that supports merchants by providing services for processing credit-card-based transactions.

Certificate Management System : This is an agent of one or more bank card associations that provides for the creation and distribution of electronic certificates for merchants, acquirers and cardholders.

Banknet : This represents the existing network which interfaces acquirers, issuers and (now) the certificate management system.

Messages for SEPP-compliant processing of payment transactions:

  • Purchase Order Request
  • Authorization Request
  • Authorization Response
  • Purchase Order Inquiry
  • Purchase Order Inquiry Response

Additional messages for the on-line customer:

  • Initiate
  • Invoice
  • Purchase Order Response (with Purchase Order Status)

Messages for off-line (i.e. e-mail) transactions, or transactions sent to a merchant that is not on-line with the acquirer:

  • Purchase Order Response (acknowledgement without authorization)

Tasks performed by the acquirer:

  i) Authenticates the merchant.
  ii) Verifies the acquirer.
  iii) Decrypts the payment instruction from the buying cardholder.
  iv) Formats the authorization request to the issuer and receives the response.
  v) Responds to the merchant with a validated authorization request response.

SEPP Architecture

In the above diagram, the buying cardholder workstation is based on the World Wide Web browser. Through this web browser, the buyer can shop and conduct negotiations with the merchant system offering items for sale.

  • The merchant’s website is hosted on the web server.
  • Two designs of cardholder workstations are supported.
  • In the first, the electronic payment system is integrated into the WWW browser.
  • In the alternative, “bolt-on” payment software may be provided alongside an independent browser to implement the payment process.

– Functions added to traditional WWW browsers to support electronic payments include encryption and decryption of payment data, certificate management and authentication, and support for electronic payment protocols.

– The certificate request server issues the authentication certificates for clients.

– The buying cardholder must obtain an authentication certificate from the certificate request server before making transactions, as the cardholder’s credentials are verified by the merchant (through the acquirer).

– Another important interface in the buying cardholder’s system is with the merchant system. This interface supports the buying cardholder’s segment of the payment protocol, which enables the buying cardholder to initiate payment and perform inquiries.

2) Explain in detail Secure Electronic Transactions (SET).

Ans: – Secure Electronic Transactions (SET) was designed to:

  • Provide for confidential payment information and enable confidentiality of order information that is transmitted with payment information.
  • Ensure integrity for all transmitted data.
  • Provide authentication that a buyer is a legitimate user of a branded (e.g. Visa, MasterCard, American Express) bankcard account.
  • Provide authentication that a merchant can accept bank card payments through its relationship with an appropriate financial institution.
  • Ensure the use of the best security practices and design techniques to protect all legitimate parties in an electronic commerce transaction.
  • Ensure the creation of a protocol that is neither dependent on transport security mechanisms nor prevents their use.
  • Facilitate and encourage interoperability across software and network providers.

Step 1: Cardholder requests purchase.

Step 2: Merchant contacts payment gateway for authorization.

Step 3: Payment is authorized.

Step 4: Cardholder is notified of authorization.

Step 5: Merchant requests payment capture from the gateway.

Step 6: Token is issued to the merchant.

Step 7: Merchant redeems token for transfer into its bank account.

  • SET offers buyers more security than is available in the commercial market. Instead of providing merchants with access to credit card numbers, SET encodes the numbers so that only the consumer and the financial institution have access to them.
  • Cardholders, merchants and the financial institution each retain SET certificates that identify them and the public keys associated with their digital identities.
  • A third party provides digital certificates to the card-issuing financial institution; the institution then provides a digital certificate to the cardholder.
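A toy model of the flow both answers describe (SEPP's Purchase Order Request, Authorization Request and Authorization Response; SET steps 1 to 3), added here as an example and not part of the original notes or of either protocol's specification. It assumes the gateway key pair, the issuer account table and all function names, and uses textbook RSA on two small constructed primes, so it illustrates the architecture (the merchant forwards a payment instruction it cannot open) rather than production cryptography.

```python
import hashlib
import json

# Constructed toy RSA parameters (two small primes): illustration only, not secure.
P, Q, E = 1000000007, 998244353, 65537

def make_gateway_keypair():
    """Return ((n, e), (n, d)): the payment gateway's public and private key."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def cardholder_purchase(order, pan, gateway_pub):
    """Step 1: the cardholder sends order info (OI) in clear to the merchant and a
    payment instruction (PI) whose card number is encrypted to the gateway only.
    H(OI) inside the PI lets the gateway bind its authorization to this order."""
    oi = json.dumps(order, sort_keys=True).encode()
    n, e = gateway_pub
    pi = {"enc_pan": pow(int(pan), e, n), "amount": order["amount"],
          "oi_hash": sha256_hex(oi)}
    return oi, pi

def merchant_authorize(oi, pi, gateway):
    """Step 2: the merchant checks the PI belongs to the order it received and
    forwards the PI unchanged; it holds no key that could open enc_pan."""
    if pi["oi_hash"] != sha256_hex(oi):
        return {"approved": False, "reason": "PI not bound to this order"}
    return gateway(pi)  # Authorization Request -> Authorization Response

def make_gateway(gateway_priv, issuer_accounts):
    """Step 3: the gateway decrypts the card number, checks the account with the
    issuer (here a constructed dict of PAN -> available credit) and answers."""
    n, d = gateway_priv

    def authorize(pi):
        pan = str(pow(pi["enc_pan"], d, n)).zfill(16)  # toy assumes 16-digit PANs
        ok = issuer_accounts.get(pan, 0) >= pi["amount"]
        return {"approved": ok, "oi_hash": pi["oi_hash"]}
    return authorize

def pan_visible(oi, pi, pan):
    """True if the card number appears anywhere in what the merchant receives."""
    return pan in oi.decode() or pan in str(pi)
```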

3) What is a Certificate for Authentication? Explain

Ans: – A digital certificate is a foolproof way of identifying both consumers and merchants.

  • It acts as the network equivalent of a driver’s licence.
  • Digital certificates are issued by a certificate authority such as CyberTrust, Nortel, etc.
  • VeriSign’s digital certificates come in three classes:

Class 1 : This involves the fewest checks on the user’s background; only his or her name and e-mail address are verified.

Class 2 : The issuing authority checks the PAN, address and date of birth.

  • Used for online subscriptions.

Class 3 : It verifies the same information as class 2 and, in addition, requires an organization ID and other information. This is used for e-banking, corporate database access and e-commerce server software validation.