Understanding Internet Payment Protocols
May 3, 1999
By Brian Walsh
The success of e-commerce is based on standards, such as TCP/IP and HTTP, as well as low-cost Internet access. But more important, its triumph lies with the protocols involved in exchanging money for goods and services. These payment protocols define electronic commerce, distinguishing true e-commerce sites from their information-only, "brochureware" counterparts. A payment protocol does not move data; it moves money. The headers and provided services of these protocols are layered on top of underlying data- and link-layer protocols.
This workshop examines business-to-consumer e-commerce sites (rather than business-to-business sites). We outline the roles of buyer, seller and bank in a real-world scenario, map the requirements of the necessary payment protocols and illustrate protocol message flows.
Payment information in the physical world encompasses both token (dollar bills and coins, for example) and notational (checks and credit cards) exchanges. In contrast, the e-commerce world has concentrated on notational exchanges. Token-based protocols that implement digital currency exist (DigiCash, for example), but they have not been widely accepted. While these token-based protocols are intriguing and may become more popular in the future, we will concentrate on today's most commonly deployed schema, including SSL (Secure Sockets Layer) and CyberCash.
Today's Internet payment processing is a combination of technologies, including legacy credit-card protocols and SSL, that allow two parties to buy, sell and complete transactions safely and successfully.
In essence, commerce is defined by buyers and sellers agreeing upon what is being sold and its price. The seller delivers goods in exchange for payment. This form of basic transaction hasn't changed since early humans first exchanged a spearhead for a hindquarter of antelope. Broken into discrete parts, a transaction is comprised of an offer, goods authentication, payment and delivery. In the virtual world, pages display goods and the buyer's acceptance of a purchase. FedEx or FTP delivers the hard or digital goods. The exchange of offers and delivery of documents via formal protocols has drawn limited market acceptance, primarily at business-to-business sites. Nevertheless, the secure exchange of the buyer's payment has been the first technical and psychological obstacle for e-commerce.
The e-commerce site and associated systems must protect the interests of both buyer and seller by providing security and integrity. Security protects the buyer from illicit use of the payment instrument, while shielding the seller from misrepresentation. Integrity guards the buyer from an unauthorized disclosure of the transaction and shields the seller from disputes about the timing or terms of the sale. These requirements significantly raise the bar of complexity for Web sites and protocols.
Let's look at a single data element, the credit-card number. To be reasonably secure, this number not only should be encrypted during transmission but should be encrypted in all log files and databases in which it is stored. To prevent merchant fraud, a credit-card number should be truncated to display only the last four digits to the merchant's staff.
When contemplated from a legal standpoint, the standards for nonrepudiation services grow in proportion to the transaction value or volumes. The protocols and Web server applications (HTTP server, e-commerce package, site design and site management) must work in concert to implement, secure and retain the properties and states for the transaction. Also factor in payment processing, fraud detection, tax calculation, third party and digital fulfillment.
|
Here
Here
REPORTS
ANALYTICS
Follow 
