Chapter 10 Electronic Payment Systems

10.1 Traditional Electronic Payment Systems for Electronic Commerce

In electronic commerce, the challenges of payment transactions were initially underestimated. Business via the internet and mobile telephony has so far been dominated by the methods of payment customary in traditional business. However, in light of technological progress and stricter legislation, traditional business models are coming up against their limits more and more often. Secure, user-friendly and low-priced innovative payment solutions are urgently required to boost internationally oriented e-commerce. Value-creating market players – from payment system providers, service providers, network operators and producers of terminals to financial institutions – pin great hopes on the rapid progress with new payment systems.

Security is a key criterion for electronic payment systems. Critical issues are authorisation, authentication, privacy, integrity, theft and the corruption of data. Unauthorised access by third parties, misuse and manipulation must be ruled out. It has to be ensured that information on the volume, execution date and purpose of a transaction is consistent.

Sellers are reluctant to invest in the infrastructure of payment systems which are so far used by only a small number of buyers. Only a few buyers choose solutions used by just a small number of sellers. Only a system which far exceeds the critical mass and spreads rapidly in the short run has a chance of succeeding in the market in the long term.

On a short-term horizon, micro-payments offer good opportunities for innovative payment schemes. Mobile payment systems can be regarded as the most promising solutions; starting virtually from scratch, their market share will probably rise to 5% in Western Europe in the next five years. In view of the expansion of already established applications, however, the new schemes will decline in importance over the long term. Fewer than three of the currently over 100 innovative systems will be able to survive.

Electronic payment systems are becoming more attractive for large financial institutions. The systems already used in traditional offline business and which have been adapted to meet the new demands of e-business (credit cards and, especially in Germany, debit cards, and smart cards) have very good prospects of convincing online customers. In the medium term mobile phone-based payment systems will be an even more valuable channel for e-business than internet-based systems. Nevertheless, the innovative systems will be pushed aside by expanded traditional solutions in the longer term.

10.1.1 Cash

▪ E-cash: the digital equivalent of paper currency and coins, which enables secure and anonymous purchase of low-priced items
▪ Micropayments: small payments, usually under $10
▪ Wireless payments: Vodafone “m-pay bill” system that enables wireless subscribers to use their mobile phones to make micropayments
▪ Qpass (qpass.com): charges to a Qpass account are charged to a specified credit card on a monthly basis

10.1.2 Note

Items in some categories (e.g., Tickets) might lose their value if they are not sold by a particular date. For time-sensitive (or perishable) items, eBay gives sellers the ability to specify that if the buyer pays the Buy It Now price or Fixed Price for the item, the payment must be made immediately through PayPal. Normally, eBay ends an item and creates a transaction when a buyer agrees to purchase the item. If the seller chooses to require immediate payment, eBay ends the item (or decrements the quantity in a multi-item listing) and creates a transaction after the
payment has been processed.

When testing this feature in the Sandbox, do not complete testing of PayPal payments. The Sandbox is not integrated with any PayPal test environment and therefore does not support end-to-end testing for PayPal payment processing. "Test" payments you make via PayPal in the Sandbox may go to the production PayPal site, which may result in real payments being made.

A seller can choose to require immediate payment for Fixed Price and Buy It Now items, including eBay Stores Inventory items, in categories that support immediate payment. (If an item is listed in two categories, both categories must support immediate payment.) If a Buy It Now item ends as an auction, the immediate payment requirement does not apply.

10.1.3 Credit Card

Look out for credit card companies spreading holiday cheer. Their "gifts" of higher credit limits and deferred payments look good, but only for the short term.

A five-minute phone call to your credit card issuer could save you hundreds, even thousands, of dollars in interest charges. "There's no incentive for them to lower your rate unless you call. The squeaky wheel gets the oil," says Brad Dakake, a consumer advocate with Massachusetts Public Interest Research Group.

Not convinced that a credit card company will give you a lower interest rate just because you call and ask nicely? Check out the results of a national survey conducted by the U.S. Public Interest Research Group in March 2002. Fifty consumers of all credit backgrounds called credit card issuers and asked for lower rates. More than half, 56 percent, scored lower rates. How low did the rates go? The 28 consumers who landed lower rates saw the APRs on their cards drop from an average of 16 percent to 10.47 percent. Slicing interest rates by more than one-third by making a quick phone call is pretty impressive.

A handful of consumers did exceptionally well. One cardholder from Colorado saw his 14.99 percent rate reduced to zero for six months. That's quite a deal. Another cardholder from New Mexico saw the APR on her credit card drop from 31.12 percent to 14.65 percent. Until she called, she had no idea she'd been paying a penalty interest rate. "She didn't realize that for six months she was paying this outrageous 31 percent interest rate," says Dakake, the principal author of the rate reduction survey and study.

10.2 Electronic Check Systems

10.2.1 Definition and Characteristics of Electronic Payment

The e-check system is basically an electronic implementation of the paper check system.

▪ Leverage check payment systems
▪ Fit within current business practices, eliminate need for process reengineering
▪ Work like paper check with fewer manual steps
▪ Designed to meet needs of businesses and consumers (state of the art security systems)
▪ Used by all bank customers with checking accounts
▪ Enhance existing bank accounts with new EC features

Benefits of e-checking for industry-wide savings:

▪ Online check collection process
▪ Online notices of check returns
▪ Truncating paper checks at bank of first deposit
▪ Creating new cash management product opportunities

10.2.2 Tools of Electronic Payment

1. Payment Cards

1) Payment cards: electronic cards that contain information that can be used for payment purposes. There are three common types of payment cards:

▪ Credit cards: provides holder with credit to make purchases up to a limit fixed by the card issuer.
▪ Charge cards: balance on a charge card is supposed to be paid in full upon receipt of monthly statement.
▪ Debit card: cost of a purchase drawn directly from holder’s checking account (demand-deposit account).

2) The players in the credit card system

▪ The cardholder: a consumer or a corporate purchaser who uses credit cards to pay merchants.
▪ The merchant: the entity that accepts credit cards and offers goods or services in exchange for payments.
▪ The card issuer: a financial institution (usually a bank) that establishes accounts for cardholders and issues credit cards.
▪ The acquirer: a financial institution (usually a bank) that establishes an account for merchants and acquires the vouchers of authorized sales slips.
▪ The card brand: bank card associations of issuers and acquirers (like Visa and MasterCard), which are created to protect and advertise the card brand, establish and enforce rules for use and acceptance of their bank cards, and provide networks to connect the involved financial institutions. The brand authorizes the credit-based transaction and guarantees the payment to merchants. Sometimes, the issuing bank performs the business of the brand.

3) The process of using credit cards

Figure 10-1 The process of using credit cards

▪ Credit card gateway: an online connection that ties a merchant’s systems to the back-end processing systems of the credit card issuer.
▪ Virtual credit card: an e-payment system in which a credit card issuer gives a special transaction number that can be used online in place of regular credit card numbers.
▪ Electronic wallets (e-wallets): a software component in which a user stores credit card numbers and other personal information; when shopping online, the user simply clicks the e-wallet to automatically fill in information needed to make a purchase.

4) Security risks with credit cards

▪ Stolen cards.
▪ Reneging by the customer: authorizes a payment and later denies it.
▪ Theft of card details stored on merchant’s computer: isolate computer storing information so it cannot be accessed directly from the Web.

2. Purchasing Cards

Purchasing cards: special-purpose payment cards issued to a company’s employees to be used solely for purchasing nonstrategic materials and services up to a preset dollar limit.

1) Benefits of using purchasing cards
▪ Productivity gains.
▪ Bill consolidation.
▪ Payment reconciliation.
▪ Preferred pricing.
▪ Management reports.
▪ Control.

2) Participants & Process of Using a Purchasing Card

Figure 10-2 The participants and the process of using a purchasing card

3. Smart Cards

Smart card: an electronic card containing an embedded microchip that enables predefined operations or the addition, deletion, or manipulation of information on the card.
Figure 10-3 Smart card (Source: Gemplus, All About Smart Cards)

4. Securing smart cards

▪ Theoretically, it is possible to “hack” into a smart card
▪ Most cards can now store the information in encrypted form
▪ Some cards can also encrypt and decrypt data that is downloaded or read from the card
▪ Cost to the attacker of doing so far exceeds the benefits

Important applications of smart card use:

▪ Loyalty
▪ Financial
▪ Information technology
▪ Health and social welfare
▪ Transportation
▪ Identification

5. Stored-Value Cards

Stores cash downloaded from bank or credit card account.

▪ Visa Cash: a stored-value card designed to handle small purchases or micropayments; sponsored by Visa.
▪ Mondex: a stored-value card designed to handle small purchases or micropayments; sponsored by Mondex, a subsidiary of MasterCard.

10.2.3 E-Check Mode

Figure 10-4 E-Check Mode

10.3 International Security Schemes in Electronic Payment Systems

10.3.1 Secure Sockets Layer (SSL) Protocol

Digital certificates encrypt data using Secure Sockets Layer (SSL) technology, the industry-standard method for protecting web communications developed by Netscape
Communications Corporation. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the "session key" generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. Most browsers support 40-bit SSL sessions, and the latest browsers, including Netscape Communicator 4.0, enable users to encrypt transactions in 128-bit sessions, trillions of times stronger than 40-bit sessions. Global companies that require international transactions over the web can use global server certificates program to offer strong encryption to their customers.

Security Center by VeriSign gives you access to a wealth of security resources, products, technologies, and news. Visit often for the latest information – because when it comes to protecting yourself on the Web, you can't be too careful.

10.3.2 Secure Electronic Transaction (SET) Protocol

SSL makes it possible to encrypt credit card numbers that are sent from a consumer’s browser to a merchant’s Web site. However, there is more to making a purchase on the Web than simply passing a credit card number to a merchant. The number must be checked for validity, the consumer’s bank must authorize the card, and the purchase must be processed. SSL is not designed to handle any of the steps beyond the transmission of the card number. A cryptographic protocol that is designed to handle the complete transaction is the secure electronic transaction (SET) protocol. Visa and MasterCard were instrumental in developing SET. Today, they manage the specifications for SET through a joint venture, SET Secure Electronic Transaction LLC (setco.org).
In a SET transaction there are three entities: the customer, the merchant, and the payment processing company. SET utilizes SET digital certificates for each of these entities to ensure mutual authentication. When a customer is ready to make a purchase, he or she uses an electronic wallet. An e-wallet is a helper application used to store information about the customer’s credit cards and the SET digital certificates for each of the cards. The e-wallet sends both the order information and the payment information. The former is encrypted with the merchant’s public key and the latter with the payment processing company’s public key. In this way, the payment processing company can’t see the order information and the merchant can’t see the payment information.

In addition to securing orders and payments, SET also supports the following features (Stein 1998):

▪ Cardholder registration.
▪ Merchant registration.
▪ Purchase requests.
▪ Payment authorizations.
▪ Payment capture.
▪ Chargebacks.
▪ Credits.
▪ Credit reversal.
▪ Debit card transactions.

SET has received a lukewarm reception in the United States and, so far, has not attracted a large number of merchants and consumers. According to Art Kranzley, senior vice president of electronic commerce at MasterCard, 80% of SET activities are in Asian and European nations. Part of the problem with the acceptance of SET is that apparently it is not as easy to implement nor as inexpensive as most banks and merchants had expected. The typical reaction of many banks to SET is that of the British bank Barclays, whose information technology director, Alex Stevenson, says that SET is “rather clumsy, not tried and tested, and we simply don’t need it.”

The future might prove brighter for SET, though. After a few years of testing and trials, SET’s supporters believe it is ready for widespread deployment. Whether it achieves its goal will be determined in the next few years.
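The confidentiality split described in section 10.3.2 (order information readable only by the merchant, payment information readable only by the payment processing company), as an added Go example that is neither SET code nor part of the original chapter. RSA-OAEP key wrapping with AES-256-GCM stands in for SET's own message formats and certificates; the names Envelope, Seal, Open and RunPurchase and the sample data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample data; the card number is a placeholder test value.
const (
	SampleOrder   = `{"item":"concert ticket","qty":2,"total":"134.00"}`
	SamplePayment = `{"card":"4111111111111111","exp":"12/30","amount":"134.00"}`
)

// Envelope is one sealed half of a purchase (illustrative, not SET's wire format):
// a one-time AES-256 key wrapped under the recipient's RSA public key, plus the data.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg for the holder of the private key matching pub. The role
// ("order" or "payment") is bound into the key wrap and the ciphertext, so an
// envelope cannot be passed off as the other half of the purchase.
func Seal(pub *rsa.PublicKey, role string, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(role))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, []byte(role))
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope. It fails when priv is not the recipient's key,
// when role does not match, or when the envelope was modified in transit.
func Open(priv *rsa.PrivateKey, role string, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, []byte(role))
	if err != nil {
		return nil, fmt.Errorf("unwrap %s key: %w", role, err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed envelope: nonce is %d bytes", len(e.Nonce))
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(role))
}

// RunPurchase plays the e-wallet and both recipients. It returns every
// "<party> reads <half>" pair that decrypted, mapped to the recovered plaintext.
func RunPurchase() (map[string]string, error) {
	merchant, err1 := rsa.GenerateKey(rand.Reader, 2048)
	processor, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation: %v, %v", err1, err2)
	}
	order, err1 := Seal(&merchant.PublicKey, "order", []byte(SampleOrder))
	payment, err2 := Seal(&processor.PublicKey, "payment", []byte(SamplePayment))
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("sealing: %v, %v", err1, err2)
	}
	parties := map[string]*rsa.PrivateKey{"merchant": merchant, "processor": processor}
	sealed := map[string]*Envelope{"order": order, "payment": payment}
	readable := map[string]string{}
	for who, key := range parties {
		for role, env := range sealed {
			if msg, err := Open(key, role, env); err == nil {
				readable[who+" reads "+role] = string(msg)
			}
		}
	}
	return readable, nil
}

func main() {
	fmt.Println(RunPurchase())
}
```

Of the four party and envelope combinations, only the merchant opening the order and the processor opening the payment succeed, so a compromise of the merchant's private key alone does not expose card data carried in the payment half.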
As the volume of EC becomes larger, the role of secure and economical online payments on the Internet will, accordingly, become more important. At the moment, the credit card payment for B2C trades with SSL protocol is the most widely adopted. However, SET protocol tailored to credit card payment may become one of the next-generation standards. For micropayment, smart-card-based e-cash will become more popular and will be recharged through the Internet from the cyberbanks, which will revitalize the benefit of cyberbanks
As B2B occupies the major portion of EC, more economical payment methods like Internet-based funds transfer equipped with the benefit of check systems will become the major medium for large-amount payments. The credit card fee seems too high to transfer large amounts among credible corporations. This prospective trend should envision opportunities to payment businesses and corporate finance managers.

10.4 Internet Banking

10.4.1 Characteristic and Main Business of Internet Banking

Technology is changing the business of banking. The Internet has opened up new strategies and processes across the value chain of banking, including service delivery, customer relationship management, payment and settlement, and risk management. These innovations can significantly benefit banks and consumers by improving efficiency, and enhancing competition, price transparency, and convenience to customers.

Two broad business models have emerged in Internet banking: first, Internet banking within existing banks, either as an additional channel for its traditional core services or in the form of a specialised division; second, standalone entities, such as Internet-only Banks (IOBs), owned either by existing banks or by new players entering the banking industry.

MAS has completed the review of its current framework for licensing, and for prudential regulation and supervision of banks, to ensure its relevance in the light of developments in Internet banking. MAS' existing policy already allows all banks licensed in Singapore to use the Internet to provide their banking services. Going forward, MAS will maintain a broad and flexible prudential framework to allow for continued innovation in technology and new business models, as well as the licensing of new players.

The risk considerations inherent in Internet banking are not new or fundamentally different from those posed in other forms of banking.
MAS will therefore subject Internet banking, including IOBs, to the same prudential standards as traditional banking. MAS' admission criteria for new licence applicants, and its regulatory and supervisory approach, will apply across the board.

MAS is prepared to grant new licences to Singapore-incorporated banking groups to set up banking subsidiaries if they wish to pursue new business models outside their existing banking entities. This will give banks the flexibility to decide whether to engage in activities such as Internet banking through a subsidiary, or within the bank (in which case no additional licence is required). MAS is also prepared to admit branches of foreign-incorporated IOBs, within the existing framework of admission of foreign banks. The details of these licensing changes are set out in Section 2.

The current framework for prudential regulation and supervision already provides flexibility for innovation in new business models. We do not require a new framework to facilitate innovations in Internet banking or to mitigate its risks. However, as certain types of risk will be accentuated in Internet banking, banks will have to emphasise different aspects of risk management, and the focus of MAS supervision will match this.

10.4.2 Reason of Internet Banking Emerge

MAS' current admission framework for branches of foreign banks allows admission of new or non-traditional players. Such banks may be owned either by existing banks or by non-bank players who have ventured into the banking business.

New or non-traditional foreign banks will have to meet the same entry requirements as traditional banks as set out in paragraph 2.1. New banking players who lack a long-enough track record will still be considered, provided they have strong compensating factors in respect of the other criteria set out.
However, in all cases MAS will require new players to be incorporated in jurisdictions with a strong regulatory environment, and to have a home supervisor able and willing to co-operate in MAS' supervision of the bank. MAS will continue to issue offshore banking licences to foreign banks which meet its admission standards. New players applying for full or restricted banking licences will have to compete with other foreign banks for licences awarded under the MAS' liberalisation programme for the domestic banking sector.

The types of risk inherent in Internet banking, whether offered within existing banks or in
standalone entities such as IOBs, do not fundamentally differ from those in traditional banking. However, some of these risks will be accentuated in Internet banking, and will require greater attention by the banks and by MAS when it supervises them. Given that there may be different models of Internet banking in play, a risk-focused supervisory approach to individual banks is more suitable than "one-size-fits-all" regulation.

It is the responsibility of bank management to have in place, on an ongoing basis, clear strategies and processes to manage the risks of Internet banking operations. MAS will require public disclosure of such undertakings, as part of its requirement for all banks to enhance disclosure of their risk management systems.

Methods and tools of risk management and supervision will continue to evolve, in step with innovation in technologies and business strategies. MAS will maintain a continuing dialogue with banks on best practices in risk management systems and processes. MAS will soon issue a consultative document on Internet banking security and technology risk management. MAS will also work with other major regulators to develop supervisory perspectives on emerging risk issues, and co-operate with them to ensure effective cross-border supervision of banks.

10.4.3 Payment Gateway

One of the most important e-commerce decisions you'll make is your choice of a payment gateway, the bridge or gateway between your e-commerce website and your bank's credit card processor. A number of factors go into the decision, and you can't afford to make the wrong choice.

In this e-book I'll share my conclusions after 60+ hours of research, feedback from my world-wide network of readers about their experiences -- both good and bad -- with the payment gateways they've tried, and sound recommendations to guide your decisions.
If you just don't know where to start with a merchant account and payment gateway -- know if you really need either -- you need to read this Merchant's Guide. It includes information on 90 payment gateways -- such as VeriSign, Authorize.net, and WorldPay -- from 27 countries, with candid user comments from 72 readers in 15 countries. The report also includes a chapter entitled, "At What Point Is a Merchant

10.4.4 Supervision for Internet Banking

Bank managements must pay special attention to the security, technology-related, liquidity and operational risks which may be accentuated in their Internet banking operations.

With regard to security and technology-related risks, banks should:
▪ implement appropriate workflow, authentication, and process and control procedures surrounding physical and system access;
▪ develop, test, implement and maintain disaster recovery and business contingency plans;
▪ appoint an independent third-party specialist to assess its security and operations; and
▪ communicate clearly to customers their policies with regard to the rights and responsibilities of the bank and customer on all matters to do with online transactions, in particular issues arising from breaches and errors in security, systems and related procedures.

International experience suggests that Internet banking customers tend to be more price sensitive, and hence more likely to move their deposits from one bank to another. This tendency is reinforced by the convenience of conducting Internet transactions. Technology failures that disrupt or impair services may also trigger abnormal transactions by customers. This potential for more volatile transactions could increase liquidity risk. Banks, especially IOBs, should therefore establish robust liquidity contingency plans, and appropriate asset-liability management systems.

Banks may also face greater operational risk if they extensively outsource processing operations in Internet banking.
Banks should carefully manage such outsourcing of operations. They should maintain comprehensive audit trails of all such operations, and provide MAS with unrestricted access to such information, as in traditional banking.

IOBs, in addition, may face higher business risk arising from their new business models. To manage business risk, IOBs must maintain and continually update a detailed system of performance measurement. Efforts to build market share through pricing strategies and advertising must be tested against robust market assumptions. Unlike other Internet ventures, banks can ill afford to incur losses for long start-up periods.

10.4.5 Construction and Development of Internet Banking

As in traditional banking, a risk-focused supervisory approach, tailored to individual banks'
circumstances and strategies, will be more appropriate than "one-size-fits-all" regulation. Depending on the overall risk profile of the individual bank, MAS may in specific cases require the bank to take additional prudential measures to mitigate these risks. The key risk management issues to be addressed through MAS supervision are dealt with in Section 3.

MAS will continue to stay abreast of developments in the financial industry and continue its dialogue with market participants so as to keep its licensing, regulatory and supervisory approaches effective and up-to-date. We will maintain a sound but flexible prudential framework, which seeks to preserve public confidence in the financial system, and encourage banks to uphold high standards of risk management. It will also seek to enable institutions to take full advantage of new technologies to innovate, compete and improve efficiency.

Banks are responsible for assessing and managing the risks associated with their operations, including the adoption of new technologies and business models. Financial institutions should inform consumers of both the benefits and risks of the financial products and services they offer. MAS encourages financial institutions and industry associations such as the Association of Banks in Singapore (ABS) to play a proactive role in educating consumers on these benefits and risks. MAS is also requiring financial institutions to disclose more information about themselves, so that the market and consumers can assess them more easily and accurately.

Internet banking has the potential to improve services for the public. However, consumers must still not neglect to assess for themselves the institution that they bank with, and the services they use, whether over the Internet or in traditional banking.
10.5 Problems of Electronic Payment Systems

10.5.1 Security Problems

There are four essential security requirements for safe electronic payments:
▪ Authentication: a method to verify the buyer’s identity before payment is authorized.
▪ Encryption: a process of making messages indecipherable except by those who have an authorized decryption key.
▪ Integrity: ensuring that information will not be accidentally or maliciously altered or destroyed during transmission.
▪ Nonrepudiation: protection against customers’ denial of orders placed and against merchants’ denial

The key security schemes adopted for electronic payment systems are encryption, digital signature, message digest, and use of certificates and certifying authorities. There are two types of encryption: private key and public key encryption.

1. Private Key Cryptography

Figure 10-5 Private Key Cryptography

2. Public Key Cryptography

Public key cryptography, also known as asymmetric encryption, uses two different keys: a public key and a private key. The public key is known to all authorized users, but the private key is known only to one
person, its owner. The private key is generated at the owner’s computer and is not sent to anyone. To send a message safely using public key cryptography, the sender encrypts the message with the receiver’s public key. This requires that the receiver’s public key be delivered in advance. The message encrypted in this manner can only be decrypted with the receiver’s private key.

3. Digital Signature

Digital signature is used for the authentication of senders by applying public key cryptography in reverse. To make a digital signature, a sender encrypts a message with her private key. In this case, any receivers with her public key can read it, but the receiver can be sure that the sender is really the author of the message. A digital signature is usually attached to the sent message, just like the handwritten signature.

Figure 10-6 Digital Signature

4. Message Digest

To make a digital signature, the base message needs to be normalized to a predetermined length of 160 bits, regardless of the length of the original message. This normalization process can be achieved by hashing the original message. This hashed message is called a message digest.

5. Certificates

A certificate usually implies an identifying certificate that is issued by a trusted third-party certificate authority (CA). A certificate includes records such as a serial number, name of owner, owner’s public keys (one for secret key exchange as receiver and one for digital signature as sender), an algorithm that uses these keys, certificate type (cardholder, merchant, or payment gateway), name of CA, and CA’s digital signature.
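
The digital signature, message digest and certificate steps in items 3 to 5 above, combined into one payment check, as an added example that is not part of the original chapter. It uses textbook RSA over toy Mersenne-prime keys and SHA-1 only to mirror the 160-bit digest in the text; the names, the order string and the certificate layout (one signing key instead of the two keys the text lists) are constructed for illustration, and production systems use a vetted library with a padded scheme such as RSA-PSS and SHA-256.

```python
import hashlib
import json

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: ((e, n), (d, n))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)


def digest(data: bytes) -> int:
    """160-bit message digest (SHA-1) of any-length input, as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign(data: bytes, private) -> int:
    """Apply the signer's private key to the digest, not to the whole message."""
    d, n = private
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, public) -> bool:
    """Recover the digest with the public key and compare it with a fresh hash."""
    e, n = public
    return pow(signature, e, n) == digest(data)


def cert_body(cert) -> bytes:
    """Canonical bytes of every certificate field except the CA signature."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(serial, owner, owner_public, cert_type, ca_name, ca_private):
    """The CA binds an owner name to a public key by signing the record."""
    cert = {"serial": serial, "owner": owner, "public_key": list(owner_public),
            "algorithm": "toy-RSA/SHA-1", "cert_type": cert_type,
            "ca_name": ca_name}
    cert["ca_signature"] = sign(cert_body(cert), ca_private)
    return cert


def verify_payment(order: bytes, signature: int, cert, ca_public) -> str:
    """Check the CA's signature on the certificate first, then the order signature."""
    if not verify(cert_body(cert), cert["ca_signature"], ca_public):
        return "rejected: certificate not signed by trusted CA"
    if not verify(order, signature, tuple(cert["public_key"])):
        return "rejected: signature does not match order"
    return "accepted"


# Constructed toy keys: Mersenne primes give moduli above 2**160 but are
# trivially factorable, so these keys illustrate the flow and nothing more.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**61 - 1, 2**127 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)
ALICE_CERT = issue_certificate(1001, "Alice (constructed cardholder)",
                               ALICE_PUBLIC, "cardholder", "Example CA",
                               CA_PRIVATE)

ORDER = b"order=4711;amount=25.00 USD;merchant=example-shop"  # constructed
ORDER_SIG = sign(ORDER, ALICE_PRIVATE)


def demo():
    """Run the check on a genuine order, an altered order and an altered cert."""
    altered_order = ORDER.replace(b"25.00", b"95.00")
    altered_cert = dict(ALICE_CERT, owner="Someone else")
    return {
        "genuine": verify_payment(ORDER, ORDER_SIG, ALICE_CERT, CA_PUBLIC),
        "altered_order": verify_payment(altered_order, ORDER_SIG,
                                        ALICE_CERT, CA_PUBLIC),
        "altered_cert": verify_payment(ORDER, ORDER_SIG,
                                       altered_cert, CA_PUBLIC),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The altered order fails the integrity check because its fresh digest no longer matches the signed one, and the altered certificate fails because the CA's signature covers the owner field.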