Internet Payment Security: Technical Principles and Security Offers

Several technical problems have to be solved to secure payments on the Internet. The first relates to data confidentiality. This problem is generally solved by the use of cryptographic systems, which encode an intelligible message into an incomprehensible cipher text (the legitimate recipient must be able to decipher the cipher text and obtain the clear text). The second technical problem concerns the guarantee of origin (authenticity) and integrity of the messages sent.

In other words, the interlocutors must be assured that the messages have not been modified during their transit on the network and that they do come from the party they are dealing with. These two problems are generally solved by the use of an electronic signature. Finally, the third technical problem concerns user authentication. In other words, it should be ensured that the devices (the electronic keys) which make it possible to encrypt and decrypt the messages belong to the declared users. To guarantee this authentication, an electronic certificate issued by a certification authority (company, bank, administration) is used. The electronic certificate guarantees the link between a key and its “owner”.

All of these technical problems must therefore be resolved to ensure a maximum level of security for Internet payments. However, while all electronic payment systems guarantee the confidentiality and integrity of data, only a few systems can meet the requirements of message authenticity and payment originator authentication. Several offers for securing payments by bank card, characterized by increasing levels of security, are therefore in competition on the market. The following section presents these security offers.

The SSL system without intermediary

The Secure Sockets Layer (SSL) system is a transaction security protocol. This protocol, originally designed by Netscape and standardized by the Internet Engineering Task Force under the name Transport Layer Security (TLS), enables the secure transmission of the credit card number over the Internet. SSL is the most widely used system on the Internet today. According to the ninth barometer of electronic commerce in France, 71.8% of the commercial sites that allowed an online transaction (full sale or online booking) on 1st June 2001 offered SSL security. As the sources of the SSL/TLS standard are open source and free for commercial applications, it can individually handle high-risk merchant accounts.

Four players are present in the transaction: the Internet user, the e-merchant, the certification authority and the e-merchant’s bank. The e-merchant, possibly through its host, uses the SSL protocol on its server. But to make use of the protocol, he must call on a certification authority, which issues him an electronic certificate. In addition, to offer online payment by bank card, the e-merchant must conclude a distance payment contract with his bank. His bank, affiliated with the bank card network, checks during the transaction that the bank card is valid and that there is no opposition to the card. For this service, the bank takes a percentage of sales from the e-merchant. Lastly, the Internet user does not have any software or hardware equipment to settle his transactions and therefore pays no price for the security service. He only sends, as part of a secure form on his web browser,

Banks have joined forces on several occasions to develop payment security protocols that authenticate the Internet user in the transaction: the Secure Electronic Transaction system offered by Visa and MasterCard for magnetic stripe cards and the Cyber-comm system (Visa, MasterCard, Grouping of bank cards, etc.) for smart cards. These systems aim to reduce the risk of fraud by guaranteeing e-merchants payment for sales made online and by removing consumers’ right to repudiate payments. To do this, they use an electronic signature system that authenticates the Internet user remotely.
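The authentication gap in the SSL scheme described above can be read directly from each side's TLS settings. The following Python sketch is an added example, not part of the original article; the function names and result labels are hypothetical, and the client-certificate variant only illustrates what authenticating the Internet user would require at the TLS layer, not how SET or Cyber-comm are built.

```python
import ssl

def peer_assurance(ctx: ssl.SSLContext, is_client: bool) -> str:
    """What this endpoint's TLS settings prove about the party at the other end."""
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return "none"           # peer may present no certificate, or an unverified one
    if is_client and not ctx.check_hostname:
        return "key-only"       # chain is checked, but for any site, not the one visited
    return "key-and-owner"      # CA-certified key bound to a named owner

def browser_context() -> ssl.SSLContext:
    # The Internet user's side: verifies the merchant's certificate and its name.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

def merchant_context() -> ssl.SSLContext:
    # The merchant's side in the plain SSL scheme: it presents its own
    # certificate (not loaded in this offline sketch) and asks none of the user.
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)

def merchant_context_requiring_user_cert() -> ssl.SSLContext:
    # Assumption for illustration: the user would hold a CA-issued certificate.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def browser_context_without_name_check() -> ssl.SSLContext:
    # Weak setting: the key is certified, but its owner is never compared to the site.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False
    return ctx

def browser_context_without_verification() -> ssl.SSLContext:
    # Weakest setting: encryption only, no guarantee of who holds the key.
    ctx = browser_context_without_name_check()
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def ssl_payment_scheme() -> dict:
    """Who is authenticated to whom in the SSL payment scheme."""
    return {
        "merchant_as_seen_by_user": peer_assurance(browser_context(), True),
        "user_as_seen_by_merchant": peer_assurance(merchant_context(), False),
    }

if __name__ == "__main__":
    print(ssl_payment_scheme())
```

With default settings the user authenticates the merchant, while the merchant learns nothing certified about the user: the card number travels confidentially, but the payment originator is not authenticated.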

About the Author: Angelique Chrisafis

Angelique Chrisafis is the Guardian's Paris correspondent. She is responsible for churning out quality articles based on her research while keeping an eye on the tech world. She likes technology, gadgets, and food. Works as an individual contributor to the team.