New Payment Systems Poised For Primetime
25-May-00
By Mark Merkow, CCP, CISSP
In collaboration with Alexis, I'll be reviewing some of these emerging e-payment options, especially as they relate to SmartCards and other strongly authenticated mechanisms, including Secure Electronic Transactions (SET), Europay, MasterCard, Visa (EMV) applications, and e-purse applications like MONDEX.
Reviews of these products often require a good, common understanding of the technology being reviewed. Since neither SET nor EMV is intuitively obvious, it's critical to set the proper context that helps you compare oranges-to-oranges when you're selecting among the multitude of choices. In this segment, we'll begin with SET by dusting off the old SET specification, revisiting its past and seeing where it's at today.
New Millennium, New Problems
Now that the heroic efforts needed to remediate the Y2K problems are more or less 20th Century history, the new horizon -- especially for banks -- is computer security. Few people need reminding about the Internet's inherent lack of security, and near-daily incidents of Internet abuse remain a thorn in the side of those wanting trusted e-commerce.
SET, the promising payment scheme introduced in 1997, is as revolutionary as credit cards themselves were back in the 1960s, and is slowly becoming just as pervasive. Making cyberspace a safer place to conduct business, SET is expected to boost consumer confidence in electronic commerce and save the banks a bundle in reduced fraud losses. SET focuses on maintaining the confidentiality of information, ensuring message integrity, and authenticating all the parties involved in a transaction.
SET opens the doors to e-commerce, but comes with a price all its own. SET is complex -- very complex, in fact. SET not only affects consumers and merchants, it affects the entire Internet community, including private intranet users, and especially B2B site operators. Unlike other efforts aimed at secure e-commerce, SET does require the involvement of its participants. SET compliance takes work on everyone's part. SET is designed to eliminate all the problems of security related to credit card usage on the Internet; it adds the element of message authentication to assure all involved that they are indeed dealing with those with whom they think they're dealing.
Using Public-Private Key (PPK) cryptography, SET is a complex arrangement that offers levels of security and protection even higher than those used to protect nuclear missile launch codes.
Digital Certificates
Fundamental to its implementation, each party in a SET transaction requires a digital certificate that identifies them as the legitimate user of a bank card, credit card or merchant account. These certificates contain the user's public key as well as the account information, and other data necessary to carry out a transaction. Digital certificates can serve as a stand-in for the actual plastic card. The public-private key pair behaves much like the actual signature on the back of the card that's used for comparison purposes.
Digital certificates are the electronic counterparts to driver's licenses, passports, or membership cards. You can present one electronically to prove your identity or your right to access information or services online. Digital certificates bind a person's identity to a pair of electronic keys that are used to encrypt and sign digital information. These certificates are needed to verify someone's claim that they have the right to use a given key.
The X.509 Standard
The most widely accepted format for digital certificates is defined by the CCITT X.509 international standard; thus certificates can be read or written by any application complying with X.509. SET Certificates are a special instance of X.509 Certificates intended for use specifically for bank card, debit card, and charge card uses.
How Do Digital Certificates Work?
Digital signatures employ public key encryption techniques that require two related keys: a public key and a private key. In PPK cryptography, the public key is made available to everyone who corresponds with the owner of the key pair. The public key can be used to verify a message signed with the private key, or to encrypt messages that can only be decrypted using the private key. You can think of these key pairs as the right and left sides of a safe: when it's locked with the right key, it can only be opened with the left key, and vice versa. The security of messages encrypted this way relies on the ongoing security of the private key, which must be protected against unauthorized use.
SmartCards (to be covered in later segments) are capable of providing the needed protection of private keys on the embedded microchip. The private key portion is protected by a Personal Identification Number (PIN) that's tied to one SmartCard and no other. The combination of the two is required to gain access -- neither one is good enough on its own. Should your SmartCard be lost, there's no fear that someone else will impersonate you unless your PIN has also been compromised. As we're beginning to see, new services in the marketplace are increasingly relying on SmartCards for private key storage and PIN protection mechanisms.
Proving Yourself
When a user requests a SET digital certificate from the card issuer, they're asked to identify themselves through information only they would possess. This information is then verified against bank records and, if it matches, the certificate issuance process commences. Using browser software that's SET-compliant, the "wallet" that resides inside the user's PC will generate a private-public key pair and send the public key to the certificate issuer. There, they'll encode that information into a large package of encrypted bits that contains account information, expiration dates, etc. Once ready, the certificate is returned to the consumer for storage in the electronic wallet, and a reference number to the certificate is sent to the bank that's responsible for the account management. This service is performed via the trusted Certificate Authority (CA) that's commissioned by the banks and card issuers to perform certificate management services. Fundamental to the process is that the user's private key remain private; otherwise, authentication assurances go out the window.
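The issuance step above, as an added illustration in Go rather than SET's actual certificate profile or any vendor's code: the wallet keeps its private key, only the public key reaches the CA, and the CA binds it to an account reference in an X.509 certificate that a merchant or gateway later checks against the CA's root. The subject names, serial numbers and validity window are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue signs pub into an X.509 certificate whose subject carries the account
// reference. With parent == nil it is self-signed, which is how the CA's own
// root is made. Only a public key ever arrives here; the private key stays in
// the wallet. Names, serials and the validity window are assumptions.
func Issue(subject string, serial int64, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature, // cardholder: signs payment instructions
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // CA: issues certificates only
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCardholder is the check a merchant or gateway makes on a presented
// certificate: it must chain to the trusted CA root and be within its validity
// period. On success it returns the account reference the CA bound to the key.
func VerifyCardholder(root, cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```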
With SET certificates in hand (or wallet!), the SET protocol operates as follows: A consumer visits a shopping site, makes their selections, and decides on the form of payment they wish to use. At this point, SET kicks in and the Merchant Server software sends the consumer their merchant digital certificate (containing their public key) for the credit or charge card the consumer has chosen to use for this purchase. The Merchant Server also sends the transaction acquirer's (or payment gateway's) digital certificate separately. The consumer's wallet module in the browser then encrypts the user's corresponding digital certificate using the card issuer's public key and encrypts the payment agreement (contract) using the merchant's public key, and returns the results to the merchant. Using their private key, the merchant decrypts the payment agreement message and forwards the still-encrypted user account information and charge authorization request to the payment gateway of the transaction acquiring body (e.g., First Data Corp., American Express, etc.). The payment gateway then decrypts both "envelopes," processes the request, encrypts the results using its private key, and returns the new envelope to the merchant server. Finally, the gateway's responses are encrypted again by the merchant server, returned to the consumer, and the transaction is completed. SET is designed to keep the consumer's account information out of the hands of the merchant so that only the payment processor can see it. This actually makes it a safer situation for shopping than face-to-face, and orders of magnitude safer than mail- or telephone-ordering.
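The two-envelope exchange described above, as an added example in Go that is not code from the SET specification or any product: RSA-OAEP stands in for SET's envelope encryption and RSA-PSS for its signatures, the account data is sealed for the payment gateway (the party the text says opens it), and the merchant can read the order but only forward the account envelope. The message layout, field names and sample contents are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope stands in for the two SET "envelopes" in the text: the order is readable
// only by the merchant, the account data only by the gateway; one signature covers both.
type Envelope struct{ ForMerchant, ForGateway, Signature []byte }

// bind hashes order and account data together so the gateway can check that the
// cardholder authorized exactly the order the merchant forwarded.
func bind(order, account []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, order...), account...))
	return h[:]
}

// CardholderSend is the wallet's job: encrypt each part for its intended reader
// (RSA-OAEP) and sign the combined digest with the cardholder's private key.
func CardholderSend(card *rsa.PrivateKey, merchantPub, gatewayPub *rsa.PublicKey, order, account []byte) (Envelope, error) {
	fm, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, order, nil)
	if err != nil {
		return Envelope{}, err
	}
	fg, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, account, nil)
	if err != nil {
		return Envelope{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, card, crypto.SHA256, bind(order, account), nil)
	return Envelope{fm, fg, sig}, err
}

// MerchantOpen recovers the order; ForGateway stays opaque and is forwarded unchanged.
func MerchantOpen(merchant *rsa.PrivateKey, e Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, merchant, e.ForMerchant, nil)
}

// GatewayOpen decrypts the account data, then verifies the cardholder signature
// against the order copy the merchant passed along with the authorization request.
func GatewayOpen(gateway *rsa.PrivateKey, cardPub *rsa.PublicKey, order []byte, e Envelope) ([]byte, error) {
	account, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, gateway, e.ForGateway, nil)
	if err != nil {
		return nil, err
	}
	err = rsa.VerifyPSS(cardPub, crypto.SHA256, bind(order, account), e.Signature, nil)
	return account, err
}
```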
SET Is Very Secure
SET is designed to operate with 1,024-bit cipher keys, making it one of the strongest encryption applications around. The time it would take to break the encryption described here, especially with all the various levels of encryption that are occurring, is upwards of 2,800,000,000,000 years using 100 computers each able to process 10,000,000 instructions per second. Even then, only a single message could be broken, and with the next message the entire process would need to start over. While it may seem like overkill, the protocol is quite attractive to all those wanting to conduct widespread business over the Net, especially the card issuers who have the most to lose from fraud. SET has been approved for export from the U.S., provided that it's only used in financial transactions, and not as a mechanism to pass secret or sensitive information to those outside the US.
SET provides the advantages of four security dimensions that no other method can match:
- Privacy that renders intercepted messages unreadable
- Integrity that assures messages sent are the messages received without alteration
- Authentication that assures messages are not counterfeited
- Non-repudiation that prevents senders from denying that they sent a message
SET Global Acceptance
Integral to its success, acceptance of SET in the marketplace as an open standard for conducting electronic commerce on the Internet is mandated. To that end, the SET business definition (Book One) outlines these goals:
- Gain worldwide acceptance through its ease of implementation, with as little disruption as possible to the Merchants and Cardholders
- Provide "bolt-on" implementation of the SET protocol to existing client applications
- Minimize the change in the relationship between acquirers and Merchants, and Cardholders and card issuers, leaving the current business models intact
- Minimize the impacts to Merchant, acquirer, and payment system applications
- Provide a protocol that is efficient for financial institutions
SET's uses are specific to certain phases of a shopping and buying transaction, and its processing is identified to support only those phases of the e-payment model.
SET's Role in E-commerce Payment Processing
Of the eight defined phases of e-shopping in the following list, SET is active in phases 4, 5, 6, and 8.
Phase 1. Cardholder browses for items via the Web, through a CD-ROM-based catalog, or through a mail-order paper-based catalog.
Phase 2. Cardholder selects items for purchase.
Phase 3. Cardholder completes an order form, including total costs, shipping, handling, and taxes (if any). This form may be presented already filled in electronically via the Web, or may be created off-line on the Cardholder's PC.
Phase 4. Cardholder selects the form of payment card to use for the order. SET is initiated at this point.
Phase 5. Cardholder sends completed order form and payment instructions to the Merchant. SET is used to sign these order forms and payment instructions digitally using the Cardholder's digital certificate to prove they came from the Cardholder and no one else.
Phase 6. Merchant requests payment authorization from the Issuer of the payment card using its Merchant account through its Acquirer's payment system. SET wraps these messages in cryptography to assure their privacy and confidentiality.
Phase 7. Merchant ships goods or performs requested services based on the order.
Phase 8. Merchant requests to capture the payment that was previously approved for processing in Phase 6. SET wraps these messages in cryptography, to ensure their privacy and confidentiality.
Those phases not included under SET are considered out-of-band (or out of scope) activities, and their implementation is left up to the involved parties. In addition, those interfaces to systems required for using SET are also out-of-band to the specification. SET provides open and robust data structures and corresponding security to handle virtually any type of order processing. It establishes an infrastructure for banks and Merchants to plug into using software they customize to meet infrastructure requirements. How that software is developed, and any affected systems, remain outside of SET's definition.
Where SET Stands
SET has been in development stages since late 1995. Presently, software companies worldwide are conducting pilot tests with various card issuers, transaction acquirers, and willing merchants. Interoperability is a key issue that is still being worked on, but is showing great strides forward. As pilot testing commences, tremendous learning is taking place, and out of those lessons, several new and hybrid versions of SET are emerging.
As it's turned out, getting the bloated SET-compliant e-wallets into the hands and browsers of cardholders was no trivial problem to solve, and is, for the most part, still unsolved. To help mitigate this unseemly aspect of SET, banks and software companies -- primarily in Europe -- have developed a version called Merchant Only SET, or MOSET. MOSET is based on the model where no Cardmember SET certificates are necessary, and SET messaging only takes place between the Merchant Server back office applications and the SET Payment Acquiring Gateway. Cardmember authentication under this model relies on other mechanisms, often employing SmartCard technology, or EMV applications.
Another model, developed in France through cooperative banking relationships, has emerged, called B0' (B-zero-prime), that uses MOSET between merchant and payment acquirer, with an EMV application on a SmartCard at the Cardmember's desktop. What's attractive with this model is that it operates the same for both online and point-of-sale (POS) transactions conducted face-to-face.
With the context set (no pun intended!), the first product we'll take a close look at comes from the Netherlands, called InterPay or iPay. Next time we'll pull the wraps off the iPay service to see how it uses SET and SmartCards. Stay tuned!