232 Internet Payment Mechanisms
3. Transaction Integrity: Both the merchant and the customer want to know: are the
payment data complete, unchanged, and confidential? Did the merchant receive all
of the order, and for the correct amounts? Both consumer and merchant want to know
that sensitive customer data, such as credit card number, PIN and telephone number,
are protected.
Payment mechanisms directly affect Authentication and Authorization, but
other e-commerce software (e.g., order entry, order fulfillment, and customer
relationship management software) is primarily responsible for protecting
Transaction Integrity. Hence, we describe how each type of payment mechanism
addresses the key control issues of Authentication and Authorization. This
discussion is summarized in Figure 2.
Authentication:
Question 1: Are you (the merchant) who you say you are?
Digital certificates, used with the SET protocol, verify merchant and customer
identities. Digital certificates are issued by trusted certificate authorities. When
transaction software encounters a certificate, it knows that at one point in time the
certificate-holder proved their identity to the authority.
Public key cryptography, which is used in SSL, offers a lower level of assurance
of identity than a digital certificate. When merchant software opens an
encrypted message (using the consumer's public key) it knows that the message
has not been tampered with during transmission, but without a digital certificate,
the merchant software only knows that someone claims to be this customer.
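The difference between the two levels of assurance can be shown in a few lines. The sketch below is an added example, not code from the original text: it uses toy textbook RSA (no padding, fixed well-known primes) purely for illustration, and the names alice, mallory, accept_bare_key and accept_with_cert, as well as the sample order, are assumptions constructed for the example.

```python
import hashlib

E = 65537  # public exponent

def keygen(p, q):
    """Toy textbook RSA (no padding) from two known primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(subject, pub, issuer_priv):
    """The issuer binds a name to a public key by signing both together."""
    return {"subject": subject, "pub": pub,
            "sig": sign(cert_body(subject, pub), issuer_priv)}

def accept_bare_key(data, sig, presented_pub):
    """No certificate: the sender supplies the key, so only integrity is checked."""
    return verify(data, sig, presented_pub)

def accept_with_cert(claimed, data, sig, cert, ca_pub):
    """Certificate: the key must be vouched for by the CA under the claimed name."""
    return (verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], ca_pub)
            and cert["subject"] == claimed
            and verify(data, sig, cert["pub"]))

# Constructed sample data: Mersenne primes keep the toy keys reproducible.
CA_PUB, CA_PRIV = keygen(2**107 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = keygen(2**61 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = keygen(2**19 - 1, 2**31 - 1)
ORDER = b"order 1001: charge 25.00 to customer alice"
ALICE_CERT = issue_cert("alice", ALICE_PUB, CA_PRIV)
SELF_SIGNED = issue_cert("alice", MALLORY_PUB, MALLORY_PRIV)  # not issued by the CA

if __name__ == "__main__":
    forged = sign(ORDER, MALLORY_PRIV)
    print(accept_bare_key(ORDER, forged, MALLORY_PUB))  # integrity only
    print(accept_with_cert("alice", ORDER, forged, SELF_SIGNED, CA_PUB))
    print(accept_with_cert("alice", ORDER, sign(ORDER, ALICE_PRIV), ALICE_CERT, CA_PUB))
```

With a bare key the order verifies for whoever supplied the key; with a certificate the same order is accepted only when the key was bound to the claimed name by the certificate authority.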
The InstaBuy icon on a merchant's web site assures customers that the merchant
has established a relationship with InstaBuy. When customers see their own shipping
address, preferred payment method, etc., on the merchant's order form, they can feel
confident that the data was just provided by InstaBuy.
When using CheckFree's Web BillPay, a consumer provides (or selects)
such information as the merchant name. The consumer already has a history of
dealing with that merchant. The CheckFree payments, using EFT or paper check,
provide no more assurance than these mechanisms would traditionally provide.
When paying bills using CyberCash's PayNow service, consumers connect to
each merchant's web site to receive their bill and initiate payment. The consumer's review of
the bill determines its validity and, indirectly, the validity of the merchant's site. Similarly,
the Trivnet Wisp customer will review the bill from their ISP to determine
transaction validity.
Authorization:
Question 2: Are you authorized to make this payment? Will this payment
subsequently be repudiated?