E-commerce & Internet Payment Gateway
[ From chapter-14 of the book "Information Technology in Banking" written by Abul Kashem Md. Shirin and Nusrat Tamanna Prianka and published by Institute of Bankers, Bangladesh (IBB) ]
1. E-commerce
Buying and selling of goods and services over the internet is called e-commerce. E-merchants do not need to establish shops at the prominent locations of a city. They need only warehouses in locations from which they can deliver the goods to the customers' addresses easily. The customers place orders on-line and pay the bills on-line. The merchant delivers the goods within the time period declared on the website for the respective items. The requirements for a good e-commerce website are given below:
· The site should display clear pictures of all the items to be sold
· The pictures should be accompanied by detailed specifications, size, capacity etc.
· Price of each item
· Warranty, if applicable
· Delivery period (may vary location-wise)
· Quantity available at this moment
· Facility for registration of customers
· The site should be highly secured.
The Internet has created a new economic ecosystem, the e-commerce marketplace, and it has become the virtual main street of the world. Providing a quick and convenient way of exchanging goods and services both regionally and globally, e-commerce has boomed. Today, e-commerce has grown into a huge industry, with US online retail generating $175B in revenues in 2007 and consumer-driven (B2C) online transactions impacting industries from travel services to consumer electronics, from books and media distribution to sports & fitness.
It is important to note that most e-commerce players have a competitive advantage over retailers. They have lower operating expenses and better inventory management because they operate in a virtual commerce environment. For example, amazon.com has revenue per employee of nearly $850k while its retail counterpart, Best Buy, generates revenue per employee of only $270k.
2. Internet Payment Gateway
An e-commerce transaction has the following life cycle:
1. Merchants (sellers) provide detailed information about their companies, products and delivery commitments so that the customer can be aware of their products. This is done through the website.
2. The customer chooses the products and orders through the web pages.
3. Payment is made by credit/debit card through the bank's Payment Gateway.
4. The products are delivered to the customer either by home delivery or by postal/courier service. The seller should ensure delivery in time and the quality of the products.
5. Delivery of services during the warranty period (if applicable).
The bank comes into the picture at stage 3 above. The bank is involved in transferring the payment amount from the customer's card account (with Bank-A) to the merchant's bank account (with Bank-B or Bank-A). To effect such a transfer of funds, the bank installs special software at its data center. This software has links with the merchant's website, the bank's Core Banking System, the Credit Card System and the card associations (like Visa and MasterCard).
Therefore an internet payment gateway may be defined as software installed by a bank at its data center for processing the payments made by cardholders to e-merchants.
3. How does an Internet Payment Gateway work?
After selecting the items to be purchased from a website, the customer clicks the "Check out" or "Pay" button on the merchant's website. This button contains computer code, called an API, supplied by the bank which, when clicked, calls a page of the bank. On this page the customer provides his card information such as card number, PIN/CVV/CVC, date of expiry etc. PIN stands for Personal Identification Number; CVV stands for Card Verification Value and is used by Visa; CVC stands for Card Verification Code and is used by MasterCard. The price is shown automatically on the page. This information is passed on to the bank's Internet Payment Gateway software in a secured way.
The Internet Payment Gateway checks the information for correctness. If the information supplied is found correct, the system debits the buyer's bank account or card account and credits the merchant's account. Then the system informs both parties about the action.
If the card does not belong to the same bank, the payment gateway sends the information to the payment association (the network of MasterCard, Visa, Amex, JCB, Diners, Discover etc.) to which the card belongs. The payment association then sends the card information to the Issuing Bank. The Issuing Bank is the bank which issued the card to the customer.
Now the issuing bank verifies the card information and, if it is found correct, debits the buyer's bank account or card account and thus authorizes the transaction. The authorization message goes to the acquiring bank, which then credits the merchant's account and informs both parties about the action.
The way by which the acquiring bank gets the money from the issuing bank, if these are different banks, is called settlement. Settlement is made daily by the payment associations by debiting the nostro account of the issuing bank and crediting the nostro account of the acquiring bank.
Depending on the information obtained from the acquiring bank regarding the action taken, the merchant delivers the goods and services to the buyer's address.
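The authorization and settlement flow described above, as an added simulation (not code from the book): the acquiring bank's gateway treats a card from its own bank as on-us and debits it directly, otherwise it routes the authorization to the issuing bank and leaves the money movement to the daily settlement run between nostro accounts. Bank names, account ids and balances are constructed for the demonstration.

```python
# Constructed model of two banks; each keeps card/deposit accounts and a nostro
# balance held with the payment association (all values made up for the demo).
BANKS = {
    "Bank-A": {"accounts": {"card-1111": 10_000}, "nostro": 0},
    "Bank-B": {"accounts": {"merchant-1": 0, "card-2222": 5_000}, "nostro": 0},
}
CARD_ISSUER = {"card-1111": "Bank-A", "card-2222": "Bank-B"}  # issuer lookup table
PENDING_SETTLEMENT = []  # off-us authorizations awaiting the daily settlement run


def issuer_authorize(issuer, card, amount):
    """Issuing bank: verify the card has funds, then debit it and authorize."""
    accounts = BANKS[issuer]["accounts"]
    if accounts.get(card, 0) < amount:
        return False
    accounts[card] -= amount
    return True


def gateway_pay(acquirer, merchant_acct, card, amount):
    """Acquiring bank's gateway: on-us if the card is its own, else via the association."""
    issuer = CARD_ISSUER.get(card)
    if issuer is None:
        return "declined: unknown card"
    if not issuer_authorize(issuer, card, amount):
        return "declined: insufficient funds"
    # Authorization received: the acquirer credits the merchant's account now.
    BANKS[acquirer]["accounts"][merchant_acct] += amount
    if issuer == acquirer:
        return "approved (on-us)"
    # Off-us: the acquirer is owed the amount by the issuer until settlement.
    PENDING_SETTLEMENT.append((issuer, acquirer, amount))
    return "approved (off-us, pending settlement)"


def daily_settlement():
    """Association debits the issuer's nostro and credits the acquirer's nostro."""
    for issuer, acquirer, amount in PENDING_SETTLEMENT:
        BANKS[issuer]["nostro"] -= amount
        BANKS[acquirer]["nostro"] += amount
    settled = len(PENDING_SETTLEMENT)
    PENDING_SETTLEMENT.clear()
    return settled
```

Note that the merchant is credited as soon as authorization arrives, so until settlement the acquirer carries the issuer's debt; that gap is why the nostro movement is reconciled daily.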
The security of the above transaction flow depends on the card information and/or PIN. To make the transaction more secure, some banks introduce 2-factor authentication using a second PIN entered by the customer on his mobile device (already registered in the system), or by entering into the payment gateway page a variable secure code displayed on a USB token delivered to the customer by the bank. The 2-factor authentication using a USB token is described in 5(d) below.
[Picture: 2-factor authentication using a mobile device (figure not reproduced)]
The 2-factor authentication using a mobile device is shown in the figure above. Before debiting the customer's account and crediting the merchant's account, the Payment Gateway sends a request to an Authorization Server to verify the customer's authenticity. The Authorization Server, through an IVR, initiates a voice call to the customer's mobile (registered earlier) and requests the PIN. The customer listens to the amount to be deducted from his account and the name of the merchant and, if these are correct, types his PIN on the keypad of the mobile device and presses the send button. The authentication server verifies the PIN and, if it is correct, sends the debit and credit request to its own host (if an on-us transaction) or to the payment association's network (if an off-us transaction).
4. PayPal as payment gateway:
PayPal has grown in recent years to be one of the most popular methods of online payment. Thousands of businesses accept PayPal payments. If a customer purchases goods and services from a merchant website linked to PayPal, he can pay using a card of any payment association. If the customer has registered earlier, he does not need to give card or bank account information to the merchant website; he enters only his PayPal account number. Thus the customer's card or bank information is not exposed to many unknown places.
Because it is not mandatory that customers be members of PayPal in order to complete transactions, it is possible for the merchant to serve just about anyone. This versatility is one of the reasons that PayPal is so popular as a payment provider. Transactions are secure, and it is generally easy to set up and integrate PayPal payment options.
One of the main complaints that PayPal users have has to do with the way disputes are settled; there is generally some dissatisfaction with this. Also, with some of the PayPal payment solutions, it is difficult to issue a refund.
5. Fraud & remedy during e-commerce transactions
All e-commerce transactions depend on the internet. The internet is a public network, and the transfer of card information over the internet is not secure. Thus the bank must take adequate measures to secure the flow of the transaction from the customer's computer to the bank's server. These measures are described below in brief.
a) Capture of card information during transmission to the bank server
While the card information is travelling through the internet from the customer's computer to the bank's server, a fraudster can easily capture it and use the information to buy valuable goods on the internet, or may create a fake card using the captured information and withdraw money from an ATM. As such, when capturing card information from the customer, the bank's system must encrypt it instantly, bring it into the server, and decrypt it there before further processing. If a fraudster captures the encrypted information on the way, it is not possible for him to decrypt it and find the real information. As such the information on the way is safe.
b) Phishing
Phishing is the collection of user information by presenting a fake website address to the internet user. For example, consider that the website address of Agora (a merchant) is www.agorabd.com. A hacker develops a fake website exactly similar to the website of Agora, but with a different address such as www.agora-bd.com, and places it on the internet. Now if a buyer searches for "Agora" in Google, the address of this fake website may be shown in the search results. If the buyer clicks on this link, he goes to the fake website. If he does not look at the website address carefully, or the address is not known to him, he will select goods and enter his card information & PIN into the fake bank web page. The hacker records all such attempts made by different users and collects the card information.
The false website address may also be sent to various users through email, in which many lucrative offers in the name of Agora may also be communicated. Users who are not aware of phishing attacks may log in to the false website using the link provided in the email, select goods from the lucrative offers, and provide their card information including the PIN. All such information is captured into the hacker's database.
The hacker can now use the collected card information to buy valuable goods on the internet, or may create fake cards using the captured information and withdraw money from an ATM.
It is not possible for customers to know the exact website addresses of all merchants. It is also not possible to know the address of the bank to which the merchant is linked, as the merchant can be linked to any bank in the world whereas the customer may be using a card of a different bank.
It is therefore devised that the website of a bank which collects card information may be certified by a certifying authority such as VeriSign. The page of the bank which collects card information displays the seal of the certifying authority. If a customer clicks on the seal, the website of the certifying authority appears. All customers must know the web address of the established certifying authority and thus should be able to verify its correctness. If the website address of the certifying authority is correct, the website page of the bank is also correct. As such the customer can enter the card information safely into this web page.
c) Repudiation and Digital Signature
Sometimes a customer performs some activity on the internet through an e-commerce or internet banking system and then denies having done it, blaming the bank officers instead by saying that they could learn his PIN from the system and perform the transactions to transfer money from his account. It is certain that the bank officer has no access to the customer's PIN, as all PINs are logically recorded in a system to which no bank officer, not even the administrator, has access. Moreover, there are electronic records in the system which can easily generate a history of the transactions, including the name and address of the final beneficiary, which clearly indicates that the bank officer is not a beneficiary. However, it is very difficult to make customers understand this. A Digital Signature is a solution to this.
A Digital Signature is the signing (or encrypting) of a message or transaction by the sender electronically using his private key, which can only be read (or decrypted) by the receiver using the sender's public key. The pair of public and private keys is issued to a user by an Issuing Authority (normally a Government Authority; in Bangladesh it is the Bangladesh Computer Council). The user then sends his public key to the other users or institutions with whom he wants to exchange electronic information (like email or banking transactions) and keeps his private key with him (on his computer or pen drive). He then encrypts or signs all sensitive information using his private key and sends it to the other party. The other party is only able to open the email or decrypt the information using his public key. This ensures that the transaction was made by the user himself. If the user repudiates such a transaction, the court can give a verdict on the issue based on the ICT Act 2006.
The bank can develop a system which only accepts transaction requests from the customer that are encrypted using the customer's private key. All customers who wish to do transactions using e-commerce may be asked to buy a public and private key pair from the Issuing Authority and submit the public key to the bank. This can be made mandatory for transactions above a predefined amount, say Tk.50,000.00.
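The sign-then-verify step the bank would perform, as an added example (not from the book): the customer signs a hash of the transaction with his private exponent, the bank recovers the hash with the registered public key, and any alteration of the amount or beneficiary breaks the check. The key pair is constructed from two Mersenne primes so the arithmetic is visible; it is far too small for real use, where keys come from the Issuing Authority. The Tk.50,000 threshold is the one the text proposes.

```python
import hashlib
import json

# Constructed demonstration key pair (about 92 bits): real keys are thousands of bits.
P, Q = (1 << 61) - 1, (1 << 31) - 1      # Mersenne primes M61 and M31
N = P * Q                                 # public modulus
E = 65537                                 # public exponent (registered with the bank)
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (stays on the customer's device)
SIGNATURE_THRESHOLD = 50_000              # Tk. amount above which a signature is mandatory


def digest(txn):
    """Canonical SHA-256 of the transaction fields, reduced into the modulus."""
    data = json.dumps(txn, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(txn, d=D):
    """Customer side: 'encrypt' the digest with the private key."""
    return pow(digest(txn), d, N)


def verify(txn, signature, e=E):
    """Bank side: recover the digest with the public key and compare."""
    return pow(signature, e, N) == digest(txn)


def bank_accepts(txn, signature=None):
    """Policy from the text: PIN alone below the threshold, a valid signature above it."""
    if txn["amount"] <= SIGNATURE_THRESHOLD:
        return "accepted (below threshold, PIN only)"
    if signature is None:
        return "rejected: signature required above Tk.50,000"
    if verify(txn, signature):
        return "accepted (signed)"
    return "rejected: signature invalid"
```

Because only the holder of D can produce a value that E recovers to the digest, a valid signature on the stored request is what the bank would present if the customer later repudiates it.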
d) Two-factor authentication
A card PIN can be obtained by a hacker and used for making unauthorized transactions in e-commerce and internet banking systems. To secure such transactions over the internet, banks can introduce 2-factor authentication, which means that a customer must authenticate a transaction using two factors: one is the PIN and the other may be a token, which is called a Cryptographic, USB or Hardware Token.
A token is a small hardware device issued by the bank to a customer. The algorithm in the token device and the one in the authentication server (which records all the token information) are the same, so both the server and the token generate the same number after every specified time period (say one minute). After submitting the PIN, the user is asked to enter the token number displayed on his token at that particular time. He reads the number from his token and enters it into the system. The e-commerce system or the internet banking system passes this token number and the token ID to the authentication server, which checks the correctness of the number. If the number is correct the transaction is passed, otherwise it is rejected.
As the token is a physical device belonging to the user and generates a random number, a hacker may capture the number but it becomes invalid in the following minute. Thus two-factor authentication provides more security for customers and also protects the bank against a customer repudiating a transaction, as the token belongs to the customer himself.
Really, this blog is informative and a businessman needs everything described.