Internet Payment Systems

Related Terms: Online Auction

In 2003, the most recent year for which statistics on electronic commerce were available at the time of writing, e-commerce had reached a record volume of $1,679 billion. The bulk of the volume, $1,573 billion, took the form of business-to-business transactions which, in the mid-2000s, still continued to be settled in the traditional manner—by sellers sending out invoices and receiving checks in the mail. But a small—if by any measure still significant—part of this e-commerce volume, $106 billion, represented online consumer purchases. Consumers used Internet payment systems to pay for most of the goods or services bought. Payments were dominated by credit card transactions in which credit card information (owner's name, card number, type of card, expiration date) moved over secure communications lines in encrypted form to the vendor. According to Visa, more than 90 percent of all online sales are by way of credit cards. Payment also took other forms such as e-cash transactions involving prepaid credit cards and direct transactions between the vendor and the customer's bank. Some of this commerce, of course, took traditional off-line forms: orders were placed over the Internet but payments were arranged over the telephone or sent in before shipments took place; or shipments were made COD (cash on delivery).

SECURITY: THE DOMINANT ISSUE

The most important aspect of Internet payment systems is the security of the transactions—because human contact in online interactions is wholly replaced by images on screens and messages that come and go. The identity of the seller is often difficult for the buyer to confirm. Neither the seller's physical address nor telephone number may be listed on the Web page; the Web page may be a mirage created by images and photographs hiding a scam. The buyer therefore is at least initially wary in online purchasing situations. Can he or she trust this site to 1) safeguard credit card data, 2) actually ship something in exchange for a payment, and 3) guard its records from Internet bandits after the transaction closes?

In the same manner, the seller cannot see the buyer. When the buyer sends credit card information and the card checks out, the seller still doesn't know with any certainty that the party on the other end, hidden by the fog of cyberspace, is real: the buyer may have stolen the card or may maliciously intend later to deny that he or she actually made a purchase.

Linda Punch, writing for Credit Card Management, assembled some numbers from current research to show the extent of the security problem. Citing GartnerG2, a technology research service, Punch noted that 16 percent of consumers surveyed had been victimized by credit card fraud and 8 percent had been victims of identity theft. A 2005 Visa survey found that more than half of consumers responding (56 percent) avoided online shopping because they did not wish to give out their credit card numbers. Consumers are thus aware of problems and the majority may still be avoiding this type of purchasing.

Punch also noted that merchants are also victimized. In credit card parlance the word "chargeback" is used to indicate reversals of credit purchases when the buyer disputes having used the card or refuses payment claiming product defects. Merchants' chargeback experience with Internet sales is significantly higher, at 1.14 percent of charges, than the same experience rate in physical stores (0.08 percent) and in mail-order/telephone-order situations (0.36 percent).

TECHNOLOGICAL DEVELOPMENTS

All communications over the Internet, indeed over any electronic system whatsoever, take place by means of protocols. The sender's and the receiver's systems are both designed to understand the protocol. Using the protocols' pre-set sequences of codes, the parties are able to establish a common set of rules for the dialogue to follow, not least such details as speed of transmission. This process is also known as handshaking. Once a communications channel is thus established, packets of information may be exchanged, each packet having a header, body, and trailer. Error checking is performed. Both sender and receiver calculate mathematical abbreviation of the message, a single number called its CRC (for cyclic redundancy check). The receiver checks its CRC against the one transmitted by the sender. If the two numbers match, all is well. If the CRCs don't match, the receiver requests retransmission. Packet follows packet until the transmission is terminated using the orderly etiquette prescribed by the protocol.

Heightened levels of security are introduced by using encryption of all or some of the data. The most widely used secure method of communication is known as SSL (for secure socket layer), a "layer" of security. SSL was first introduced by Netscape. SSL is an extension of standard protocols under which the level of security to be used is first established between a pair of communicators. Under SSL, the method of encryption to be used can be set or negotiated and encryption keys are exchanged. Use of encryption in either one or in both directions may be agreed upon. All this, of course, takes place automatically, machines murmuring to each other; users do not have to know the deep details. The cryptographic element, thus, becomes central to the security of the cannel.

Modern Internet cryptography is known as public-key cryptography introduced by cryptologists Whitfield Diffie and Martin Hellman in 1976. Before the invention of this method, cryptology required that two parties exchanging encrypted information both had to possess the same key, one in order to encrypt the data and the other to use the same key to decode the message. Public-key cryptography requires two keys: a public key, known to both parties, and a private key, known only to the receiver of the data. Data can only be encoded by the public key, therefore the sender must have this key; but the data can only be decoded by the private key that the receiver controls. A mathematical relationship between the two keys, known only to the receiver, provides the security. A criminal or hacker who has the public key and the encoded message is virtually unable to derive the private key from these two elements of information. Thus this method is very safe. In a typical transaction the parties exchange public keys. Each encodes its message to the other by using the other's public key; each decodes the message received by its private key. Very sophisticated implementations of these systems are available. RSA Security Inc. is the leading provider of such encryption systems.

 1 | 2  NEXT