No One Moves until Everyone Moves – The REAL Nuts and Bolts of Online Payment Processing
Shannon L Byrne
Paradata Systems Inc.
102-1080 Millar Creek Road
Whistler BC V0N 1B1
Phone: 604.905.5546 Fax: 604.905.3936
sbyrne@paradata.com www.paradata.com
Introduction
It’s impossible to watch the news and not find something about electronic commerce and its promises to transform entire industries. E-commerce has been in the media for over three years. Everyone thinks it has been happening for years, until they try to e-commerce-enable their own organization. Actually, e-commerce and online payment processing only started to take off in the last quarter of 1998, when a new breed of web service provider was born: Online Payment Hosts.
Online Payment Hosts are just that: organizations that only process online payments. They do not host web sites and they do not build web sites. Online Payment Hosts connect the merchant’s “pay” button to Financial Institutions. Small, medium and large companies are lining up in desperation to have a turnkey solution easily implemented into their existing web and Intranet infrastructure. Contrary to what most people in the industry expected, ISPs and web developers are not willing to provide this solution, because of cost, maintenance, liability and the effort of keeping up with ever-changing technology. This has allowed the new service, Online Payment Hosting, to evolve and clear up the e-commerce confusion in the marketplace today.
This paper will cover the REAL nuts and bolts of Online Payment Processing based on VeriFone’s vPOS transaction server. An overview of the payment model will be covered from the merchant’s site right through to the Financial Institution. This model will explain where and how Online Payment Hosting fits into the overall e-commerce model. A step-by-step guide will be presented to show how SET (Secure Electronic Transactions) and SSL (Secure Sockets Layer) work within the vPOS transaction server. And finally, a step-by-step e-commerce guide will be discussed for organizations that want to easily and quickly start leveraging the Internet to reduce paperwork, speed up time to market, improve communications and, of course, generate new revenues.
Online Payment Host
An Online Payment Host is a service provided by companies focusing on the gap in the enablement of eCommerce merchants. In the physical world, a merchant who wants to process debit or credit card payments receives a “swipe” machine from their bank. They usually rent this machine from the bank at a cost of $20-$40 per month. Every merchant in the physical world has their own “swipe” machine. In the virtual world this is not the case; an Online Payment Host takes the place of this “swipe” machine, and one Online Payment Host can service many merchants.
Another reason for the emergence of Online Payment Hosts is the skill set needed by a merchant or ISP to install their own online payment engine. Installing a payment engine requires knowing how to program in C++, Java, COM objects, HTML and ASP. These are not common skills among merchants, let alone ISPs.
Online Payment Hosts also take the “pain” away from ISPs and merchants when it comes to upgrading software and maintenance. The Online Payment Host keeps the latest and greatest software running 24 hours a day, seven days a week.
Overview of an Online Payment Model
Online payment involves a lot more than just payment. A merchant must be concerned about building and maintaining a store, creating a relationship with a financial institution, how to deliver their products, how to report and account for their eCommerce financial information, and, once the store is live, how to generate “hits”. The backbone of all of this is enabling the merchant to receive payment for their goods and/or services. This is obvious, but history has shown that payment seems to be the last thing on an eCommerce merchant’s mind.
There are two models of online payment:
1. Merchant Hosts Payment Engine: The merchant can either host their own web store or have a web host do it for them. The diagram below shows a merchant hosting his or her own web store and online payment engine. The merchant needs to establish a relationship with a third party or financial institution that has a live Internet gateway.
2. Online Payment Host Hosts Payment Engine: In the diagram below the merchant outsources their payment engine to an Online Payment Host. The Online Payment Host already has an Internet connection with many financial institutions or third parties.
Online Payment Hosting Fits into the Overall eCommerce Model
Online Payment Hosting fits into the overall eCommerce model because merchants do not have the expertise needed to host their own payment engine and feel comfortable having an online payment host perform this function for them.
The way the marketplace works today is that in order for a merchant to become eCommerce enabled they must pay all the way along the value chain. That is, they must pay to create their store, for Internet connectivity, for a web hosting solution, for online payment hosting, and for the banks.
In order for eCommerce and online payment hosting to survive, these companies must partner with web hosts and financial institutions to offer a full turnkey solution. Experience shows that merchants are looking for the one-stop eCommerce shop.
Overview of a Payment Engine – VeriFone’s vPOS
Today VeriFone’s vPOS payment engine supports both Secure Sockets Layer (SSL) and Secure Electronic Transactions (SET). SET is not where the market thought it would be today. Technically the protocol is implemented; the challenge is to educate the marketplace and distribute the consumer tools needed to make the transaction fully secure. This has become a challenge because no organization in the value chain, in particular the credit card organizations and financial institutions, wants to take the first step. That is why today SET is predominantly “merchant originated”, meaning that between the merchant and the financial institution the SET transmission protocol is used to transmit the message, and between the merchant and the customer SSL is used. See the diagram below.
The above diagram shows the merchant hosted vPOS model using SSL and SET protocols. The diagram below shows the Online Payment Host model using SSL and SET protocols.
The above diagrams show the use of SSL, meaning the risks for the merchant that are related to using end-to-end SSL still exist. The SSL protocol is widely deployed on the Internet today. It has helped create a basic level of security sufficient for some eager people to start conducting business over the web. SSL is supported by the web browsers used by consumers as well as by merchant server software. Hundreds of millions of dollars are already changing hands as online shoppers enter their credit card numbers on web pages secured with SSL technology. What this means is that SSL provides a secure “electronic pipe” between the consumer and the merchant for exchanging payment information. Data sent through this pipe is encrypted, so that no one other than the two parties will be able to read it. Therefore, SSL gives us confidential communications.
The key component missing from the SSL transaction is a method for the consumer to identify the merchant as legitimate. Likewise, there is no method for the merchant to make sure the consumer is who they say they are. SSL provides a secure communication pipe, but it does not provide a way of knowing whom we are dealing with.
Another weakness of SSL is that the merchant sees the consumer’s financial information, and this information is usually stored in an online database on the Internet server. This is definitely the weak link. Net criminals are not out to steal just one shopper’s credit card but many shoppers’. It is the server site that a criminal wants, the one that contains information on tens of thousands of credit cards. And it is the company behind the site that is liable: this company is responsible for keeping the information posted to its site secure.
SET is an open standard, multi-party protocol for conducting
secure bankcard payments over the Internet. Interoperability is ensured by
design through specific protocols and message formats. SET provides message
integrity, authentication of all financial data, and encryption of sensitive
data. In addition, SET is designed to permit additional encryption where that
is permitted (e.g., the use of lower encryption within the United States).
SET provides for the special security needs of electronic commerce:
· Privacy of payment data and confidentiality of order information transmission.
· Authentication of a cardholder for a branded bankcard account. Cardholder account authentication is ensured by the use of digital signatures and cardholder certificates.
· Authentication of the merchant to accept credit card payments. Merchant authentication is ensured by the use of digital signatures and merchant certificates.
· Payment information integrity, ensured by the use of digital signatures.
· Special purpose certificates.
· Nonrepudiation for dispute resolution.
The major advantage of SET over SSL is the addition of digital certificates (X.509 version 3) that associate the cardholder and merchant with a financial institution and with the Visa and MasterCard payment systems. Digital certificates will prevent a level of fraud that SSL does not address. The certificates will also give cardholders and merchants the confidence that transactions will be processed in the same high quality manner that Visa and MasterCard transactions are handled today.
Simple Hierarchy of Trust
Example: When you write a paper check in a "widget" store,
the merchant may ask you to present your driver’s license as proof of your
identity. Although the merchant doesn’t know you from Adam, he or she is
willing to defer to the Department of Motor Vehicles (DMV) in your
province/state as a trusted third party that can vouch for you. The assumption,
of course, is that to get a driver’s license from the DMV, you had to prove
your identity to them with a birth certificate (or a similar legal document).
The DMV issued you a plastic card identifying you (e.g. name, address, personal
photo), then signed the card with either a preprinted signature of some
government official or the state seal (or both) to prove that this license
really did come from the DMV.
With this system, the merchant doesn’t have to know you in
order to trust that you are who you claim to be. The DMV becomes the trusted
third party, whose authoritative credentials "prove" that you really
are you.
Digital certificates replace the traditional plastic IDs. These certificates contain the essential elements for authenticating your transactions, establishing a similar system of trust.
The important thing to
understand is that SET defines in great detail exactly what these digital
certificates look like, the communication flows necessary to get them signed,
the hierarchy of trust, and when and to whom you must present your certificate
when making a purchase. SSL does not
require an equivalent system of credentials and is, therefore, subject to
attack by imposters posing as merchants, consumers, or banks.
Realize that SSL does allow for digital certificates, but these certificates are optional and can’t begin to match the robustness of the SET credentialing system. There is no single, internationally recognized hierarchy of trust for today’s SSL certificates. A number of companies will issue you a certificate which they have signed, but since they have failed to establish a common root certificate that applies to all SSL certificates (as SET has done), the result is a proliferation of certificate authority signatures that must be recognized by every consumer’s browser, every merchant’s server, and every bank’s payment system. Also, since SSL certificates are not tied to a specific credit card account number, they really only serve to identify the machines of the parties involved, not their right to debit the account to complete the sale.
Another advantage of SET is that merchant banks can determine whether or not the merchant will see the consumer’s account number. Since SET has such a strong system of credentials, many in the credit card service industry hope that this account-number-hiding option will be used extensively. This would limit the number of people who know your account number, resulting in less potential for fraud. Even if both the consumer and the merchant are upstanding citizens who would never get involved in credit card fraud, remember that when the merchant receives your account number, they have to store it (at least temporarily) before passing it along to the bank to capture the funds. While your number is on their system, a hacker could break in and steal it, as explained above.
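The two SET properties discussed above, a single agreed root of trust behind every certificate and a payment instruction that the merchant can verify without reading it, can be seen in a small model. The Python below is an added example written for this edit; it is not VeriFone, Paradata or SET specification code. It stands in a toy textbook RSA (no padding, deterministic seed, 512-bit keys) for the PKCS#1 RSA and X.509v3 certificates SET actually uses, the party names (“SET root”, “brand CA”, “stray CA”), order text and test card number are constructed, and the encryption envelope that SET wraps around the payment instruction on its way to the bank is assumed to be a separate confidential channel and is not shown. It chains a cardholder certificate through a brand CA to one root, rejects a certificate from a signer outside that hierarchy, and computes SET’s dual signature so that the merchant checks the order holding only a hash of the payment instruction, while the bank checks the payment instruction holding only a hash of the order.

```python
"""Toy model of two SET mechanisms: a single-root hierarchy of trust and the
dual signature. Textbook RSA over SHA-256 stands in for PKCS#1 and X.509v3."""
import hashlib
import random

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand, rng):
            return cand

def rsa_keygen(rng: random.Random, bits: int = 512):
    """Return ((n, e), (n, d)); n is wider than a 256-bit digest (toy, unpadded)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), priv[1], priv[0])

def rsa_verify(pub, digest: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(digest, "big")

def _tbs(subject: str, pub, issuer: str) -> bytes:  # the "to be signed" binding
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue_cert(subject: str, subject_pub, issuer: str, issuer_priv) -> dict:
    sig = rsa_sign(issuer_priv, sha256(_tbs(subject, subject_pub, issuer)))  # DMV stamps the license
    return {"subject": subject, "pub": subject_pub, "issuer": issuer, "sig": sig}

def verify_chain(chain: list, root_name: str, root_pub) -> bool:
    """chain[0] is the end-entity cert; the last cert must be signed by the one agreed root."""
    for i, cert in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else {"subject": root_name, "pub": root_pub}
        if cert["issuer"] != nxt["subject"]:
            return False  # signed by a CA outside the agreed hierarchy
        digest = sha256(_tbs(cert["subject"], cert["pub"], cert["issuer"]))
        if not rsa_verify(nxt["pub"], digest, cert["sig"]):
            return False
    return True

def dual_sign(holder_priv, order_info: bytes, payment_info: bytes):
    """Merchant receives OI + H(PI); bank receives PI + H(OI); one signature binds both."""
    h_oi, h_pi = sha256(order_info), sha256(payment_info)
    ds = rsa_sign(holder_priv, sha256(h_pi + h_oi))
    to_merchant = {"order_info": order_info, "h_pi": h_pi, "ds": ds}
    to_bank = {"payment_info": payment_info, "h_oi": h_oi, "ds": ds}  # SET envelopes PI to the bank's key
    return to_merchant, to_bank

def merchant_verify(holder_pub, m: dict) -> bool:
    return rsa_verify(holder_pub, sha256(m["h_pi"] + sha256(m["order_info"])), m["ds"])

def bank_verify(holder_pub, b: dict) -> bool:
    return rsa_verify(holder_pub, sha256(sha256(b["payment_info"]) + b["h_oi"]), b["ds"])

def run_demo() -> dict:
    rng = random.Random(1999)  # fixed seed for a reproducible demo only; never seed real keys this way
    root_pub, root_priv = rsa_keygen(rng)
    brand_pub, brand_priv = rsa_keygen(rng)
    holder_pub, holder_priv = rsa_keygen(rng)
    stray_pub, stray_priv = rsa_keygen(rng)  # a CA nobody agreed to trust
    chain = [issue_cert("cardholder", holder_pub, "brand CA", brand_priv),
             issue_cert("brand CA", brand_pub, "SET root", root_priv)]
    stray = [issue_cert("cardholder", holder_pub, "stray CA", stray_priv)]
    order = b"order 1001: 2 widgets, ship to Whistler BC, total 49.90 CAD"  # constructed
    payment = b"PAN=4111111111111111 exp=12/01 amount=49.90 CAD"  # constructed test PAN
    m, b = dual_sign(holder_priv, order, payment)
    tampered = dict(m, order_info=b"order 1001: 200 widgets, total 49.90 CAD")
    return {
        "chain_ok": verify_chain(chain, "SET root", root_pub),
        "stray_ok": verify_chain(stray, "SET root", root_pub),
        "merchant_ok": merchant_verify(holder_pub, m),
        "bank_ok": bank_verify(holder_pub, b),
        "tampered_ok": merchant_verify(holder_pub, tampered),
        "merchant_holds_pan": b"4111111111111111" in m["order_info"] + m["h_pi"],
    }

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the chain through the brand CA validating, the stray-CA certificate being refused, both merchant and bank verifying the same signature from their own halves, a changed order failing at the merchant, and the merchant’s copy never containing the card number; the dual signature is what lets the bank’s account-number-hiding option work without weakening integrity.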
SET defines all the necessary protocols - exchanging payment data between the
consumer and merchant as well as between the merchant and the bank. Once the bank receives the payment
information it uses its existing back-end system to interface with both the
credit card company and the consumer’s bank to collect the funds.
Now that you have an understanding of SET and SSL, below is a diagram of a full end-to-end vPOS payment engine model. The model below shows a merchant hosted model.
End-to-end SET can also be utilized in an Online Payment Host model. The transmission between all parties will utilize the SET protocol. See the diagram below.
It is definitely possible to set up a similar system with SSL, but the fact remains that no internationally recognized system exists today. What this means for a merchant is that each must deal with their own bank. The security implications of such a “free for all” aren’t very comforting.
Both SET and SSL provide a degree of confidentiality, and SET provides a means of authentication. But how does this stop the payment message from being tampered with? SET provides a means for verifying message integrity, to ensure that what the consumer sent is what the merchant receives.
For banks and merchants to feel confident about e-commerce, they prefer a payment system that can establish an environment of nonrepudiation (i.e. neither you nor I can renege on the deal).
The SET protocol mimics the current structure of the
existing credit card processing system and replaces every telephone call or
transaction slip of paper with its electronic counterpart. MasterCard, Visa, AMEX and other industry
leaders – Microsoft, IBM, SAIC, GTE, RSA, Terisa Systems, and Verisign, have
endorsed the SET standard. The goal is
to develop a single technical standard for safeguarding payment card purchases
made over open or unsecured networks like the Internet. The authors of SET designed the standard to
make cyberspace a safe place for conducting business and to promote consumer
confidence in the e-commerce marketplace.
The focus of SET is to maintain confidentiality of information, ensure
message integrity, and to authenticate the parties involved in an e-commerce
transaction.
Step By Step eCommerce Guide
1. Getting Started - Involves planning; deciding on your must-have store features; deciding on how to receive payment; knowing that you have to fulfill on goods and how to accommodate this process smoothly; and knowing that your site needs to continue to grow and change daily.
2. Planning – The best thing a merchant, large or small, can do is build a plan around their eCommerce initiative. This involves forming a team that includes all departments of the organization. This is key in order to scale your eCommerce initiative as it grows. The planning phase should also include looking at the “how to” of eCommerce - for instance building the site, receiving payment, and fulfilling an order.
3. Online Store – Must decide whether to build the store yourself, or outsource the whole process.
4. Must Have Features – When building the store you must make the first-timer feel at home. The online store must fully disclose as much information as possible; leaving things out can lose a sale. Time is of the essence, both in loading pages and in fulfilling orders. The key to must-have features is COMMUNICATION with your buyers.
5. Receive Payment – Credit card processing is the most used payment type on the Internet. Setting this type of payment up takes time: as a merchant you must allow 3-6 weeks to establish a merchant account. This should be done as soon as it’s decided that you are going to embark on an eCommerce initiative. Once this is taken care of, the merchant must decide whether to host their own payment engine or outsource it to a payment host.
6. Shipping Your Goods – A merchant must set up a shipping account and integrate it into their existing fulfillment system, or create a specific one for web orders. Shipping is where merchants new to order fulfillment seem to lose the most money. Merchants must be aware that putting your goods on the Internet literally opens your store up to the world, and that you could have to ship these goods all over the world.
7. Keep Your Site Growing – Continuously redesign your site. This will enhance the customer’s experience. Use your online store not only to sell goods but also to strengthen relationships already in place with customers.
Wrap Up
No one moves until everyone moves. This is very true when it comes to eCommerce. While customers can buy just about anything these days on the Web, they still don’t have the choice and variety that they do in the real world. That’s because the majority of businesses still aren’t offering their goods and services for sale over the Internet. Some companies are reluctant to sell online because they think it’s expensive, the technology is too complicated, making financial transactions is risky, or their customers simply aren’t interested in shopping online.
One by one these excuses are being challenged by advances in the field of eCommerce, which are making the process more and more inexpensive, easy and safe. And as far as the notion that people don’t want to shop online goes, all you have to do is look at the numbers.
Beyond the numbers, the excitement over eCommerce is unmistakable. Every day there are articles in the media predicting great things for business on the Internet. More and more companies are taking the plunge and selling their products online. And technological advancements in the field are coming fast and furiously. If there’s one thing that’s certain about eCommerce, it’s that it won’t stay the same for long... everyone will be moving soon.