Security of Online Transactions


Online Credit Card Transactions

Online Shopping
Electronic Business
Automatic Teller Machines

L1F09MSCS0023
Sumaira Anwar
Over the years, credit cards have become one of
the most common forms of payment for online
transactions
1. A transaction begins when a credit card account number is entered
into the system manually by either the merchant or the cardholder.
This enters the transaction information into the Processor’s network.
2. An “Authorization Request” is generated.
3. The Processor links up with the Visa/MasterCard network in order
to transmit the Authorization Request to the Issuing Bank’s computer
network.
4. The Issuing Bank verifies that a valid card number has been received
and that the Cardholder has enough credit available to fund the
transaction.
5. A “hold” for that amount is placed against the Cardholder’s Open
To Buy (the credit still available), reducing his or her Open To Buy
for future transactions.
6. Once the approval is received, a “Deposit Transaction” (the capture)
is transmitted, which finalizes the transaction. The merchant then
releases the items purchased by the Cardholder.
7. The Net Settlement Amount (the captured amount less the processor’s
fees) is deposited to the Merchant’s account, usually by the end of the
same business day.
 First Virtual was one of the first Internet payment systems to be
available to the public, becoming fully operational in October of
1994. A main goal of this company was to create an Internet
payment system that was easy to use. Neither buyers nor sellers are
required to install new software, (though automated sale processing
software is available). If you have access to Internet email, you can
sell or buy over the Internet using the First Virtual System.

 The First Virtual payment system is unusual in that it does not use
encryption. A fundamental philosophy of the system is that certain
information, credit card numbers included, should not travel over the
Internet at all, because it is an open network. Instead of a card number,
transactions are done using a First VirtualPIN that references the buyer's
First Virtual account. The VirtualPIN can be sent over the Internet because,
even if it is intercepted, it cannot by itself be used to charge purchases
to the buyer's account: an account is never charged without email
confirmation from the buyer accepting the charge. The scheme therefore
stands or falls on that confirmation channel; an attacker who controls the
buyer's mailbox holds both the PIN and the means to approve its use.
 CyberCash has been servicing credit card transactions over the
Internet since April 1995. It has strong ties to the existing credit card
processing infrastructure through Bill Melton, a founder of Verifone and
one of CyberCash's founders. Use of its payment system has grown
considerably over the past year. CyberCash claims to process thousands of
transactions a day, to be able to send payment transactions to 80% of the
banks in America, and to have distributed over 400,000 copies of its
CyberCash Wallet software to buyers who use the system.

 It is important to note that CyberCash is not a credit card processing
company. Unlike First Virtual, it does not transfer funds into the
merchant's account. CyberCash sells safe passage over the Internet for
credit card transaction data: it takes the data sent to it by the merchant
and passes it to the merchant's acquiring bank for processing. Apart from
dealing with the merchant through CyberCash's server, the acquiring bank
processes the transaction just as it would one received from a point of
sale (POS) terminal in a retail store.
 Secure Electronic Transactions (SET) is an open protocol which
has the potential to emerge as a dominant force in the securing of
electronic transactions. Jointly developed by Visa and
MasterCard, SET is an open standard for protecting the privacy, and
ensuring the authenticity, of electronic transactions. Without
privacy, consumer protection cannot be guaranteed, and without
authentication, neither the merchant nor the consumer can be sure
that valid transactions are being made.
 The SET protocol relies on two different encryption mechanisms, as
well as an authentication mechanism. SET uses symmetric encryption, in
the form of the Data Encryption Standard (DES), to encrypt the
transaction data, and asymmetric (public-key) encryption, in the form of
RSA, to transport the DES session keys and to produce digital signatures.
 The two encryption algorithms used in SET are therefore DES and RSA.
DES, with its 56-bit key, is no longer considered adequate; the same
design built today would use AES for the symmetric part.
 Authentication is an important issue. Consumers must
have faith in the authenticity of the merchant, and
merchants must have faith in the authenticity of the
consumer. Authentication is critical to achieving trust in
electronic commerce.
 Authentication is achieved through the use of digital
signatures. The sender first runs the transaction through a
hashing algorithm, which produces a small message digest,
and then encrypts that digest with his or her private key;
the result is the signature. The receiver recomputes the
digest from the transaction message, decrypts the signature
with the sender's public key, and compares the two: if they
match, the message came from the holder of the private key
and has not been altered. Digital signatures are aimed at
achieving the same level of trust as a written signature
has in real life. This helps achieve non-repudiation, as the
consumer cannot later deny that the message was signed with
his private key.
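The encryption and signature mechanisms described above, as an added example that is not SET's own code or message format: the cardholder signs the SHA-256 digest of a payment instruction with its RSA private key, encrypts the instruction with DES-CBC under a one-time session key, and wraps that key with the merchant's RSA public key; the merchant unwraps, decrypts and verifies, and rejects anything altered in transit. Go's standard library is used throughout. SHA-256 and OAEP key wrapping are this example's choices (SET itself predates both), and the envelope layout and message text are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope: DES-CBC ciphertext of the payment instruction, the one-time DES key
// wrapped with the recipient's RSA public key, and the sender's RSA signature
// over the SHA-256 digest of the plaintext.
type Envelope struct {
	IV, Ciphertext, WrappedKey, Signature []byte
}

// NewKey generates an RSA key pair for one party (cardholder or merchant).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// pad and unpad apply PKCS#7 padding to DES's 8-byte block size.
func pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || b[n-1] == 0 || int(b[n-1]) > des.BlockSize {
		return nil, fmt.Errorf("bad padding")
	}
	return b[:n-int(b[n-1])], nil
}

// Seal: sign the digest with the sender's private key, encrypt the message with
// DES-CBC under a fresh session key, and wrap that key for the recipient.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	kiv := make([]byte, 8+des.BlockSize) // 8-byte DES key followed by the IV
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	key, iv := kiv[:8], kiv[8:]
	block, _ := des.NewCipher(key) // cannot fail: key is exactly 8 bytes
	padded := pad(msg)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{IV: iv, Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open: unwrap the session key, decrypt, and verify the signature with the
// sender's public key; a modified ciphertext or signature is rejected.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := des.NewCipher(key)
	if err != nil || len(e.IV) != des.BlockSize || len(e.Ciphertext)%des.BlockSize != 0 {
		return nil, fmt.Errorf("malformed envelope")
	}
	pt := make([]byte, len(e.Ciphertext))
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(pt, e.Ciphertext)
	msg, err := unpad(pt)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], e.Signature); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return msg, nil
}

func main() {
	cardholder, merchant := NewKey(), NewKey()
	env, err := Seal([]byte("PAY 49.99 USD to MERCHANT-1 for order 1234"), cardholder, &merchant.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, merchant, &cardholder.PublicKey)
	fmt.Printf("merchant reads %q, err=%v\n", msg, err)
	env.Ciphertext[0] ^= 1 // one bit flipped in transit
	_, err = Open(env, merchant, &cardholder.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Note that the signature covers the plaintext digest, so the merchant cannot check it until after decryption; CBC on its own provides no integrity, which is why the flipped bit is only caught at the signature step.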
 Credit Card Payment Fraud
With the growth of electronic commerce, paying by credit card on the
Internet has become convenient and, for many purchases, necessary.
However, fraud in credit card payments is also on the increase, which is
a worrying trend. Card-not-present transactions give thieves more
opportunities to steal card numbers and commit fraud, and the genuine
customer incurs the loss of money or the trouble of disputing the charge.
Proactive business owners recognize this problem and are actively
educating their customers on detecting fraudulent card payments.
Credit card fraud is one of the major risks faced by businesses today.
Recent surveys report an increase in online crime and Internet fraud.
The hardest hit are mid-size and smaller companies, which have lost
over 2.5% of online sales to fraud.
Fraudulent payments can now be detected more readily thanks to
improvements in electronic commerce technology:
 encryption systems, which keep card data from being captured in transit
 verification services, which test whether the buyer actually holds the card
 transaction processing technology, which screens each payment for risk
before it is approved.
 Address Verification Service

The “AVS”, or address verification service, is used to determine
whether the billing address provided by a customer matches the
address associated with the credit card account.
 Card Verification Value

The “CVV”, or card verification value, sometimes referred to as
CVV2, is a three-digit number printed on the back of MasterCard and
Visa cards (and a four-digit number on the front of American Express
cards). It is on the card but not on any statement, so someone who
has found a credit card statement in the trash cannot complete a sale
that requires the CVV for verification. Knowing the CVV usually means
that the buyer is in physical possession of the card and not just
using a stolen number obtained from somewhere else. That only holds
as long as the value stays rare: card brand rules forbid merchants
from storing the CVV after authorization, precisely so that a breach
of a merchant's database does not leak it along with the card numbers.
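An added example (not from the original slides) of the checks the two preceding sections describe, together with the card-number well-formedness test an issuer makes in step 4 of the transaction flow: a Luhn check, an AVS-style address comparison that returns match flags only, a constant-time CVV comparison, and a screening rule that combines them into a decision. The decision table, the address normalisation and the test card number 4111111111111111 are this example's assumptions; in production the CVV comparison happens at the issuer, and the merchant only forwards the value.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
)

// Luhn reports whether pan passes the mod-10 check digit test, the basic
// well-formedness check made before anything is sent to the issuer.
func Luhn(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// normalize strips case, punctuation and spacing so "123 Main St." and
// "123 MAIN ST" compare equal; AVS implementations do similar canonicalisation.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToUpper(s) {
		if (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// AVS compares the checkout address with the billing address on file and,
// like the real service, returns only match flags rather than the address.
func AVS(street, zip, fileStreet, fileZip string) (streetMatch, zipMatch bool) {
	return normalize(street) == normalize(fileStreet), normalize(zip) == normalize(fileZip)
}

// CVVMatch is the issuer-side comparison, done in constant time so that timing
// does not leak how many digits agree. The merchant only ever forwards the
// value; it must not be persisted after authorization.
func CVVMatch(supplied, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(supplied), []byte(expected)) == 1
}

// Screen turns the signals into a decision. The rule table is this example's
// assumption; merchants tune it against their fraud and false-decline rates.
func Screen(luhnOK, cvvOK, streetOK, zipOK bool) string {
	switch {
	case !luhnOK || !cvvOK:
		return "decline"
	case streetOK && zipOK:
		return "approve"
	case zipOK:
		return "review"
	default:
		return "decline"
	}
}

func main() {
	pan, cvv := "4111111111111111", "123" // constructed test values
	street, zip := AVS("123 Main St.", "90210", "123 MAIN ST", "90210")
	fmt.Println(Screen(Luhn(pan), CVVMatch(cvv, "123"), street, zip))
	street, zip = AVS("99 Other Rd", "90210", "123 MAIN ST", "90210")
	fmt.Println(Screen(Luhn(pan), CVVMatch(cvv, "123"), street, zip))
	fmt.Println(Screen(Luhn(pan), CVVMatch("999", "123"), true, true))
}
```

A ZIP-only match lands in "review" rather than "decline" because legitimate customers mistype street lines far more often than fraudsters guess the right ZIP; the CVV mismatch, by contrast, is a hard decline because the whole point of the value is that a thief with only a number and a statement does not have it.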
Online shopping is the process whereby consumers
directly buy goods or services from a seller in real-time,
without an intermediary service, over the Internet. If an
intermediary service is present the process is called
electronic commerce.
 Convenience
Online stores are usually available 24 hours a day, and many consumers
have Internet access both at work and at home.
 Information and reviews
Online stores must describe products for sale with text, photos, and
multimedia files
 Price and selection
One advantage of shopping online is being able to quickly seek out deals
for items or services with many different vendors and you can make
online price comparisons.
Fraud and security concerns
Given the lack of ability to inspect
merchandise before purchase, consumers are
at higher risk of fraud on the part of the
merchant than in a physical store.
 Merchants also risk fraudulent purchases
using stolen credit cards or fraudulent
repudiation of the online purchase.
 Identity theft is still a concern for consumers
when hackers break into a merchant's web
site and steal names, addresses and credit
card numbers.
 Identity theft protection services monitor credit reports and
alert the consumer to misuse of their details before it leads to
financial ruin. Examples include:
 LifeLock
 ProtectMyID
 IDENTITY GUARD
 TrustedID
 IdentityTruth
 Debix
 ID Watchdog
 Equifax ID Patrol
 Intelius IDWatch
 IDarmor
 Phishing is another danger, where consumers
are fooled into thinking they are dealing with
a reputable retailer, when they have actually
been manipulated into feeding private
information to a system operated by a
malicious party. Denial of service attacks are
a minor risk for merchants, as are server and
network outages.
 One defence against phishing is a password manager such as
RoboForm, which stores all your login information on your
computer in a file protected by a master password. Once you
log in to RoboForm, it takes one click to log in to a
password-protected website. The software generates passwords
randomly, so you can be certain you have a different password
for every site, and because the manager fills credentials only
on the site they were saved for, a look-alike page on a
different domain gets nothing.
Tabnabbing, in which an idle browser tab silently rewrites itself
to imitate a login page, is one way such look-alike pages are
served. Although tabnabbing can be exploited by hackers, the
same origin check works against it: nothing is filled on the
fake page, so the credentials never leave the machine. That is
the kind of preemptive strike that works in our favour: catching
the phisher before he catches you.
 Sticking with known stores, or attempting to find independent
consumer reviews of their experiences; also ensuring that
there is comprehensive contact information on the website
before using the service, and noting if the retailer has
enrolled in industry oversight programs such as trust mark or
trust seal.
 Before buying from a new company, evaluate the website by
considering issues such as: the professionalism and user-
friendliness of the site; whether or not the company lists a
telephone number and/or street address along with e-contact
information; whether a fair and reasonable refund and return
policy is clearly stated; and whether there are hidden price
inflators, such as excessive shipping and handling charges.
 Ensuring that the retailer has an acceptable privacy policy
posted. For example note if the retailer does not explicitly
state that it will not share private information with others
without consent.
 Electronic business

 The most basic definition of e-business is
simply this: using the internet to connect
with customers, partners, and suppliers.
 To engage in e-business, companies need to
be able to unlock data in their back-end
computer systems, so they can share
information and conduct electronic
transactions with customers, partners, and
suppliers via the internet.
 E-Business systems naturally have greater
security risks than traditional business
systems, therefore it is important for e-
business systems to be fully protected
against these risks. A far greater number of
people have access to e-businesses through
the internet than would have access to a
traditional business. Customers, suppliers,
employees, and numerous other people use
any particular e-business system daily and
expect their confidential information to stay
secure.
 Privacy and confidentiality
 Authenticity
 Data integrity
 Non-repudiation
 Access control
 Availability
 Many different forms of security exist for e-
businesses. Some general security guidelines
include areas in physical security, data storage,
data transmission, application development, and
system administration.
 Despite e-business being business done
online, there are still physical security
measures that can be taken to protect the
business as a whole. Even though business is
done online, the building that houses the
servers and computers must be protected
and have limited access to employees and
other persons. For example, this room should
only allow authorized users to enter, and
should ensure that “windows, dropped
ceilings, large air ducts, and raised floors”
do not allow easy access to unauthorized
persons
 Storing data in a secure manner is very
important to all businesses, but especially to
e-businesses, where most data is held
electronically. Confidential data should not be
stored on the e-business's public-facing server,
but moved to another physical machine for
storage. If possible this machine should not be
directly connected to the internet, and should
be kept in a safe location. The information
should be stored in encrypted form, with the
encryption keys held separately from the data
they protect, so that a copy of the database
alone is of no use to an attacker.
 All sensitive information being transmitted
should be encrypted. Businesses can opt to
refuse clients who can't accept this level of
encryption. Confidential and sensitive
information should also never be sent
through e-mail. If it must be, then it should
also be encrypted.
 Transferring and displaying secure
information should be kept to a minimum.
This can be done by never displaying a full
credit card number for example.
 Default operating system installations should
be hardened before they are put into service:
unneeded services disabled, patches applied,
and default accounts removed. All system
configuration changes should be recorded in a
log that is kept up to date.
 System administrators should keep watch for
suspicious activity within the business by
inspecting log files and investigating repeated
logon failures. They can also audit the e-
business system and look for holes in the
security measures. It is important to have
security plans in place, but also to test the
security measures to make sure they actually
work.
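The log inspection this paragraph calls for, as an added example that is not part of the original slides: constructed login-audit lines are parsed and each source address is checked for repeated failures inside a sliding time window, so that an attacker who spreads guesses across many accounts is still counted as one source. The line format, the addresses (documentation ranges) and the thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog holds constructed lines (not from any real system) in the format
// "<RFC3339 time> <LOGIN_OK|LOGIN_FAIL> user=<name> ip=<addr>".
const SampleLog = `2024-03-01T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:04Z LOGIN_FAIL user=bob ip=203.0.113.7
2024-03-01T10:00:09Z LOGIN_OK user=carol ip=198.51.100.5
2024-03-01T10:00:11Z LOGIN_FAIL user=carol ip=203.0.113.7
2024-03-01T10:00:15Z LOGIN_FAIL user=dave ip=203.0.113.7
2024-03-01T10:01:00Z LOGIN_FAIL user=carol ip=198.51.100.5
garbage line the parser must skip
2024-03-01T10:07:00Z LOGIN_FAIL user=carol ip=198.51.100.5`

type failure struct {
	at time.Time
	ip string
}

// parseFailure returns the time and source of a LOGIN_FAIL line, or ok=false
// for successes and malformed lines.
func parseFailure(line string) (failure, bool) {
	f := strings.Fields(line)
	if len(f) != 4 || f[1] != "LOGIN_FAIL" || !strings.HasPrefix(f[3], "ip=") {
		return failure{}, false
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return failure{}, false
	}
	return failure{at: t, ip: strings.TrimPrefix(f[3], "ip=")}, true
}

// Detect reports source IPs that produced at least threshold failed logons
// within any windowSec-second span. Failures are counted per source, not per
// account, so a password-spraying attacker who cycles through usernames is
// still caught, and a success in between does not reset the count.
func Detect(log string, windowSec int, threshold int) []string {
	window := time.Duration(windowSec) * time.Second
	byIP := map[string][]time.Time{}
	for _, line := range strings.Split(log, "\n") {
		if f, ok := parseFailure(line); ok {
			byIP[f.ip] = append(byIP[f.ip], f.at)
		}
	}
	var flagged []string
	for ip, times := range byIP {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for i := range times { // sliding window over the sorted timestamps
			for times[i].Sub(times[start]) > window {
				start++
			}
			if i-start+1 >= threshold {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println("3 failures within 60s:", Detect(SampleLog, 60, 3))
	fmt.Println("2 failures within 10min:", Detect(SampleLog, 600, 2))
}
```

The two runs in main show why the window matters: the burst from 203.0.113.7 is caught by the tight rule, while the slow source at 198.51.100.5 only appears once the window is widened, at the cost of more noise from ordinary users who mistype a password twice in ten minutes.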
 When it comes to security solutions, there
are some main goals that are to be met.
These goals are data integrity, strong
authentication, and privacy.
To protect themselves against attacks, organizations have
traditionally implemented a variety of technologies at the network
boundary. These include:
 Firewalls
aimed at excluding attackers by admitting only certain types of
network traffic
 Intrusion detection systems
that monitor the network or specific resources for anomalies such
as the presence of unauthorized traffic
 Filters
to remove viruses before they spread to thousands of desktops
 Encryption
transforming texts or messages into a code which is unreadable
without the key.
 Digital certificates
A digital certificate binds a public key to the identity of its
owner, vouched for by the signature of a certificate authority.
This is how the receiver of a signed document knows whose key
verified it, and hence that the document is authentic.
Digital signatures
If a document carries a digital signature, no one else can
edit its contents without the change being detected.
A digital signature combines public-key cryptography with a
message digest: the digest of the document is signed with the
owner's private key and checked with the corresponding public key.
 An automated teller machine (ATM), also known as a
automated banking machine (ABM) or Cash Machine, is a
computerised telecommunications device that provides
the clients of a financial institution with access to
financial transactions in a public space without the
need for a cashier, human clerk or bank teller.
 On most modern ATMs, the customer is identified by
inserting a plastic ATM card with a magnetic stripe or a
plastic smart card with a chip, that contains a unique
card number and some security information such as an
expiration date or a card verification code (CVC/CVV).
Authentication is provided by the customer entering a
personal identification number (PIN).
 Security,as it relates to ATMs, has several
dimensions. ATMs also provide a practical
demonstration of a number of security
systems and concepts operating together and
how various security concerns are dealt with.
 Early ATM security focused on making the
ATMs invulnerable to physical attack; they
were effectively safes with dispenser
mechanisms. A number of attacks on ATMs
resulted, with thieves attempting to steal
entire ATMs.
 Another attack method, plofkraak, is to seal
all openings of the ATM with silicone and fill
the vault with a combustible gas, or to place
an explosive inside, attached to, or near the
ATM. The gas or explosive is ignited and the
vault is opened or distorted by the force of
the resulting explosion, and the criminals can
break in.
 The security of ATM transactions relies
mostly on the integrity of the secure
cryptoprocessor: the rest of the ATM is often
built from commodity PC components that are
not considered to be "trusted systems", so PIN
entry and encryption are confined to a tamper-
resistant keypad, and the keys never leave it
in the clear.
 Encryption of personal information, required
by law in many jurisdictions, is used to
prevent fraud. Sensitive data in ATM
transactions were usually encrypted with DES,
but transaction processors now usually
require the use of Triple DES, since single
DES's 56-bit key can be brute-forced.
 Message Authentication Code (MAC) or
Partial MAC may also be used to ensure
messages have not been tampered with while
in transit between the ATM and the financial
network.
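An added example (not from the original slides, and not any vendor's ATM code) of the two mechanisms just described: a PIN is formatted into an ISO 9564 format-0 PIN block bound to the account number, encrypted with Triple DES under a PIN encryption key, and the whole request is tagged with a truncated MAC that the host checks before acting. The text does not specify the block format or the MAC algorithm; format 0 and HMAC-SHA256 truncated to four bytes are this example's choices (legacy networks use DES-based retail MACs), and the keys, PAN and PIN are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// FormatPINBlock builds an ISO 9564 format-0 PIN block: the PIN field
// "0<len><PIN>FF..." XORed with "0000" + the 12 PAN digits preceding the check
// digit. Binding the block to the PAN means one captured in transit cannot be
// replayed against a different account.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 {
		return nil, fmt.Errorf("PIN must be 4-12 digits and PAN at least 13")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	panField := "0000" + pan[len(pan)-13:len(pan)-1]
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return nil, err
	}
	q, err := hex.DecodeString(panField)
	if err != nil {
		return nil, err
	}
	for i := range p {
		p[i] ^= q[i]
	}
	return p, nil
}

// tdes runs one block through Triple DES (24-byte key, three-key TDEA), the
// cipher transaction processors now require in place of single DES.
func tdes(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) != des.BlockSize {
		return nil, fmt.Errorf("PIN block must be exactly one 8-byte block")
	}
	out := make([]byte, des.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

func EncryptPINBlock(block, key []byte) ([]byte, error) { return tdes(key, block, false) }
func DecryptPINBlock(enc, key []byte) ([]byte, error)   { return tdes(key, enc, true) }

// MAC tags the whole request (amount, account and the encrypted PIN block) so
// the host detects tampering in transit. HMAC-SHA256 truncated to 4 bytes
// stands in for the DES-based retail MACs of legacy networks; the truncation
// is the "partial MAC" referred to in the text.
func MAC(macKey, msg []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(msg)
	return h.Sum(nil)[:4]
}

// VerifyMAC compares in constant time so a forger learns nothing from timing.
func VerifyMAC(macKey, msg, tag []byte) bool {
	return hmac.Equal(MAC(macKey, msg), tag)
}

func main() {
	pek := []byte("constructed-24-byte-key!") // constructed PIN encryption key
	mk := []byte("constructed-mac-key")
	blk, _ := FormatPINBlock("1234", "4111111111111111") // constructed PIN, test PAN
	enc, _ := EncryptPINBlock(blk, pek)
	msg := append([]byte("WITHDRAW 100.00 PAN=4111111111111111 PINBLOCK="), enc...)
	tag := MAC(mk, msg)
	fmt.Printf("clear block %x, encrypted %x, mac %x\n", blk, enc, tag)
	fmt.Println("host accepts original:", VerifyMAC(mk, msg, tag))
	msg2 := bytes.Replace(msg, []byte("100.00"), []byte("900.00"), 1)
	fmt.Println("host accepts altered amount:", VerifyMAC(mk, msg2, tag))
}
```

Encryption and the MAC answer different questions: Triple DES keeps the PIN from being read on the wire, while the MAC is what stops someone on the line from changing the amount or account in a request whose PIN block they cannot read. Neither defends against a fake keypad, which captures the PIN before it is ever encrypted.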
 There have also been a number of incidents
of fraud by skimming, where criminals have
attached fake keypads or card readers to
existing machines, sitting between the customer
and the real ATM. These have then been used to
record customers' PINs and card data in order
to gain unauthorized access to their accounts.
Various ATM manufacturers have put in place
countermeasures to protect the equipment
they manufacture from these threats.
 Openings on the customer-side of ATMs are often
covered by mechanical shutters to prevent tampering
with the mechanisms when they are not in use. Alarm
sensors are placed inside the ATM and in ATM servicing
areas to alert their operators when doors have been
opened by unauthorized personnel.
 Rules are usually set by the government or ATM
operating body that dictate what happens when
integrity systems fail. Depending on the jurisdiction, a
bank may or may not be liable when an attempt is made
to dispense a customer's money from an ATM and the
money either gets outside of the ATM's vault, or was
exposed in a non-secure fashion, or they are unable to
determine the state of the money after a failed
transaction.
