Securing Online Payments

From the early days of the Internet, credit and charge card companies recognised the enormous opportunities presented to them, but they also saw challenges ahead. Credit cards are easily the most popular way to pay for products and services online: some 90% of online transactions are made by credit or debit card, compared with only 28% of purchases made in person. These figures come from research by Datamonitor, which also forecasts that the value of Internet transactions in the US and Europe alone will reach $3.9 billion by 2005.

However, online shopping also has the highest levels of fraud, and establishing whether the cardholder actually conducted a disputed Internet transaction cost Visa member banks $250m in 2000. The problem is that ‘card not present’ transactions require only the card number and expiry date, so there is no way to be sure that it is the actual cardholder who is providing those details.

It’s not surprising then that the card companies have been focusing their minds on the problem of online fraud. The challenge for them is to reduce the cost of fraud while at the same time increasing consumer confidence and encouraging more of us to buy online – whether that is through the Internet or other emerging channels including mobile phones and interactive digital TV.

Where the buck stops…
From the moment we decide to make a purchase using a credit card, a complex sequence of processes and organisations handles the transaction. In short, the key players are the card associations, the card issuers, the merchants and the acquirers. The card associations, also known as ‘the brands’, are the likes of Visa, MasterCard and Discover. The issuers are the banks that provide us with our cards, and the acquirers are the financial services companies that process transactions on behalf of merchants. Some large merchants do this for themselves, but most outsource it to an acquirer that may also provide merchant hosting facilities.

The question of which of these parties bears the cost of online fraud is a complex one. While in most cases the cardholder is liable if his or her card is stolen and used, the actual cost to the cardholder is capped at a modest limit. The card issuer bears most of the cost of investigating a disputed charge, which may be considerably higher if the dispute is not resolved quickly and which always has the potential to damage the customer relationship. However, it is the merchant that is liable for the value of the goods if the cardholder disputes that the purchase ever happened or simply refuses to pay the bill.

If the cardholder could be authenticated before a purchase, to a reasonable level of certainty, the likelihood of a stolen card number being used successfully should fall. Merchants and banks would benefit directly, but so would cardholders: proving one’s identity gives a greater feeling of security and should encourage more cardholders to shop online.

The question of authentication
3D Secure is a payment authentication protocol defined by Visa for use on non-traditional channels such as the Internet, mobile and interactive TV (the ‘three domains’ being the issuer, the acquirer and the interoperability infrastructure between them). It inserts an extra step into the checkout process in which the bank that issued the card verifies that the online user is the legitimate cardholder. Once that step is complete, the merchant processes the transaction as normal but is now guaranteed payment even if the transaction is later disputed: liability shifts from the merchant to the card issuer.

The consumer branding for this initiative is called Verified by Visa and Visa has stated that by 2005, issuing banks must support 3D Secure for their cardholders in order to conduct authenticated online transactions. Verified by Visa is already up and running in the US and was recently launched in Europe, where Visa, in agreement with BT Ignite, now provides a hosted service for issuing banks. Barclaycard Merchant Services and The Royal Bank of Scotland – two of the largest issuing banks – have announced that they will support Verified by Visa, while leading merchants that already support it include Dell, Blockbuster Video, Petsmart.com and United Airlines.

Visa estimates that the shift in liability away from the online retailers in the UK alone could save them up to £55 million a year. Overall Visa expects that the arrival of authentication initiatives like 3D Secure will reduce the level of Internet fraud by as much as 80%.

The importance of cryptography
To meet the levels of security that customers, card associations and financial institutions now require, the new generation of online payment services must follow best-practice security standards and address a wide range of threat scenarios. One of the key tools for this is cryptography, whose history dates back to Egyptian hieroglyphic inscriptions of around 1900 BC.

Today, cryptography is widely used in applications such as securing electronic documents and discouraging the copying of valuable material such as digital movies. Increasingly, though, it is used to verify the identity of someone or something and to prove that an event actually happened.

The de facto security standard for Internet-based transactions is SSL (Secure Sockets Layer). Originally developed in 1994 by Netscape, the creators of the Netscape browser, SSL is commonly used to encrypt Internet communications and to prove that you are connected to the genuine Web site rather than a fake. Sites that support SSL are clearly identified, usually by a padlock icon in the bottom right-hand corner of the browser window. That proof only holds if the browser has checked that the site’s certificate chains to a trusted certificate authority and that its name matches the site actually visited; the padlock on its own says nothing about who operates the site.

However, although SSL keeps card numbers secret as they cross the Internet, it provides no proof that the person typing in the card number is actually the cardholder. With Visa’s 3D Secure and MasterCard’s implementation, SecureCode, cryptography is used to validate legitimate card users by asking them to prove their identity to their own bank. If that succeeds, the merchant receives a cryptographically signed message from the cardholder’s bank approving completion of the transaction. This message becomes the merchant’s primary piece of evidence if the transaction is later disputed.

For consumers, the process is simple. In the case of Verified by Visa, existing cardholders visit their bank’s Web site and enrol by providing some basic personal information and choosing a password, which the bank stores. When they buy from an online merchant that supports Verified by Visa they are presented with an extra screen in the browser in which to enter that password. The password is never seen by the merchant: it goes directly to the issuing bank, which authenticates the cardholder and returns the authentication result to the merchant, who then submits the payment for authorisation as normal.

Simple in practice, but the secure generation, storage and management of the cryptographic keys that underpin the encryption, digital signature and cardholder validation processes relies on sophisticated technology. Because a successful attack would have severe security and branding implications, the card associations have defined stringent measures. To meet them, software companies developing cardholder authentication solutions for the online payments market, such as Arcot Systems and Cyota, are turning to specialists like nCipher to provide this additional level of security and functionality.

For example, Arcot’s TransFort system uses cryptography in a variety of ways to protect sensitive information and to create digital signatures that provide a record of authenticity for transactions and payment authorisations. Integrating nCipher’s new payShield hardware security module (HSM) provides a tamper-resistant hardware environment that overcomes the security and performance problems of handling sensitive information, or performing complex secure processes, on unprotected server platforms.

Ensuring that the processing of encrypted customer data, and every use of the signing keys, takes place within the boundary of the payShield HSM helps ensure that keys and sensitive data are never exposed where an attacker could steal or manipulate them to create fraudulent authorisations of illegitimate transactions.
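The flow described above, as an added simulation that is not code from the article nor the implementation used by Visa, Arcot or nCipher: the cardholder enrols a password with the issuer, the password goes only to the issuer at checkout, the issuer signs a verdict bound to the exact purchase using a key that never leaves a simulated HSM object, and the merchant accepts only a verdict that verifies. The message format, the use of HMAC-SHA256 in place of the X.509 digital signatures real 3D Secure uses, the `SimulatedHsm` class, the card number and the merchant identifiers are all assumptions made for illustration.

```python
"""Simulated Verified by Visa / 3D Secure style cardholder authentication.

Added example, not code from the article, Visa, Arcot or nCipher. Message
formats, HMAC-SHA256 as the "signature" primitive, and the SimulatedHsm
class are assumptions; production 3D Secure uses X.509 digital signatures
that the acquirer side verifies with the issuer's public key.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Tuple


class SimulatedHsm:
    """Stand-in for an HSM such as payShield: the key is generated inside
    the object and is never returned; callers only get sign/verify."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves this boundary

    def sign(self, message: bytes) -> str:
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, tag: str) -> bool:
        # Constant-time comparison so a forged tag cannot be guessed byte by byte
        return hmac.compare_digest(self.sign(message), tag)


@dataclass(frozen=True)
class Purchase:
    merchant_id: str
    transaction_id: str   # unique per attempt, so a signed verdict cannot be replayed
    pan_last4: str
    amount_pence: int

    def canonical(self) -> bytes:
        # Deterministic encoding so issuer and merchant MAC identical bytes
        return json.dumps(asdict(self), sort_keys=True).encode()


class Issuer:
    """Issuing bank's access control server: holds enrolment records and the
    HSM, authenticates the cardholder and signs the result."""

    ITERATIONS = 100_000

    def __init__(self, hsm: SimulatedHsm) -> None:
        self._hsm = hsm
        self._enrolled: Dict[str, Tuple[bytes, bytes]] = {}

    def enrol(self, pan: str, password: str) -> None:
        # Store a salted, stretched hash rather than the password itself
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._enrolled[pan] = (salt, digest)

    def authenticate(self, pan: str, password: str, purchase: Purchase) -> Optional[str]:
        """Return a signed verdict, or None if the card is not enrolled or the
        password is wrong."""
        record = self._enrolled.get(pan)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        if not hmac.compare_digest(candidate, stored):
            return None
        # The signature covers the exact purchase, so it is evidence for this
        # transaction only and cannot be reused for a different amount
        return self._hsm.sign(b"AUTHENTICATED|" + purchase.canonical())


class Merchant:
    """The merchant only ever sees the signed verdict, never the password."""

    def __init__(self, verifier: SimulatedHsm) -> None:
        self._verifier = verifier

    def complete(self, purchase: Purchase, evidence: Optional[str]) -> bool:
        if evidence is None:
            return False  # unauthenticated: the merchant would carry the liability
        return self._verifier.verify(b"AUTHENTICATED|" + purchase.canonical(), evidence)


def checkout(issuer: Issuer, merchant: Merchant, pan: str, password: str,
             purchase: Purchase) -> bool:
    # The cardholder's browser sends the password to the issuer directly;
    # the merchant receives only the issuer's signed verdict.
    evidence = issuer.authenticate(pan, password, purchase)
    return merchant.complete(purchase, evidence)


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: a legitimate purchase, a wrong password, and an
    attempt to reuse a valid verdict for a larger amount."""
    hsm = SimulatedHsm()  # assumption: merchant and issuer verify with the same HSM key
    issuer, merchant = Issuer(hsm), Merchant(hsm)
    pan = "4111111111111111"  # constructed test card number
    issuer.enrol(pan, "correct horse battery staple")

    purchase = Purchase("SHOP-01", "txn-0001", pan[-4:], 4999)
    results = {
        "legitimate": checkout(issuer, merchant, pan, "correct horse battery staple", purchase),
        "wrong_password": checkout(issuer, merchant, pan, "guess", purchase),
    }
    # Tamper: present a genuine verdict alongside a purchase with a changed amount
    evidence = issuer.authenticate(pan, "correct horse battery staple", purchase)
    tampered = Purchase("SHOP-01", "txn-0001", pan[-4:], 99999)
    results["tampered_amount"] = merchant.complete(tampered, evidence)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'approved' if ok else 'declined'}")
```

Two points the article leaves implicit are made explicit here: the issuer keeps a salted, stretched hash rather than the password itself (the article only says the password "is stored by the bank"), and the verdict is bound to the merchant, transaction identifier and amount, so a captured verdict is worthless for any other purchase. Sharing one HSM object between issuer and merchant is purely a simplification of this simulation; in the real system the merchant side verifies a public-key signature and holds no issuer secret at all.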

A Safer Future
Previous initiatives by the card industry to increase the security of online transactions failed to be widely adopted because they were too cumbersome for consumers and too expensive for the banks. SET (Secure Electronic Transaction), for example, required consumers to download a 5Mbyte ‘wallet’ and obtain digital certificates. The difference with Verified by Visa and MasterCard SecureCode is their simplicity: consumers only need to remember a password. The main pressure is on the issuing banks, which become liable for Verified by Visa transactions whether or not they have implemented the system, so long as the merchant and acquirer have taken the necessary measures.

In addition to these online systems, there are other industry initiatives to reduce payment fraud in general and to deliver a wider range of cardholder services. For example, the card associations expect that next-generation chip-based credit cards, or ‘smart cards’, rather than traditional magnetic-stripe cards, will be used by about two-thirds of all credit card users before the end of 2006.

The good news is that through industry collaboration and initiatives such as Verified by Visa and MasterCard SecureCode, there will be a high level of interoperability and standardisation. The end result should be a dramatic reduction in credit card fraud and should also accelerate the use of the Internet and other online channels for e-commerce by increasing consumer confidence.

Infosecurity Europe is Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk