Electronic Payment Gateway System


02 Nov 2017


ABSTRACT - In this paper we review a secure electronic payment system for Internet transactions. An online payment system allows a customer to make a payment to an online merchant or a service provider. Payment gateways, a channel between customers and payment processors, use various security tools to secure a customer's payment information, usually debit or credit card information, during an online payment. However, the security provided by a payment gateway cannot completely protect a customer's payment information when a merchant also has the ability to obtain the payment information in some form. Consumers' trust in their online transactions is vital for the sustained progress and development of electronic commerce. Our paper proposes that, in addition to the known factors, consumers' perception of privacy and security influences their trust in online transactions.

Keywords: Online Payment Systems, Payment Gateways, Secure Electronic Transaction, Dual Signatures, Electronic Commerce, Online Trust.

1. INTRODUCTION

Online transactions are nowadays considered one of the most reliable and convenient means of carrying out financial transactions. The e-commerce industry plays a key role in reshaping the online sale and purchase of products and services over the Internet. The Internet has provided a decent platform for the makeover of the e-commerce industry, which involves the flow of money in electronic form for the goods and services procured. On the other hand, the Internet is also considered an untrustworthy and insecure mode of communication for financial transactions. With the drastic increase in e-payment scams and frauds on the Internet, a significant requirement for secure and reliable payment gateways has emerged. Because transaction security is a critical issue all around the globe, methods of securing a financial transaction are being applied at various stages of a transaction. Banking and other financial institutions are trying hard to provide a secure and efficient platform that motivates people to opt for online sale and purchase.

To handle each e-commerce and e-payment transaction, a robust and efficient payment system is required which can guarantee the authenticity and authorization of payments and users. Initiating an online sale or purchase of a product or a service requires the user to have an online account, a legitimate credit/debit card, etc. While undertaking an online financial transaction there is a sense of insecurity at the time of giving account-related information to the carrier. To tackle such scenarios, a viable online payment system should guarantee proper authentication of users and delivery channels at their respective levels, along with privacy of customer and transaction details.

The overall development of online payment systems over the decades has made the process more suitable and easier to use. With secure payment gateways in place, an online financial transaction over the Internet and its transaction data can be kept protected and private, which gives users a sense of safety for their financial transactions.

A secure payment gateway uses various methods for encrypting and decrypting the transaction data exchanged between users and financial institutions via a valid merchant. An online transaction through a secure payment gateway involves three parties: a user who pays, a merchant who is paid, and a financial institution such as a bank or a payment processing subsidiary such as PayPal, all connected through a secure means of communication.

Anybody who can intercept network traffic could gain access to sensitive transaction data such as cardholder numbers, customer identification numbers and other account-related information. To attain privacy and authentication of online transaction data and customer information, secure payment gateways use different cryptographic techniques and encryption algorithms.

2. BACKGROUND

In the spirit of the instant transactions that online shopping enables, you will need to set up a payment gateway on your e-commerce site that enables customers to pay by credit or debit card. One of the most important decisions you'll face is choosing the payment gateway. The gateway takes the submitted billing information from your customer's computer, through your secure server, and on to your merchant account at a processing bank. The gateway transaction is seamless and invisible to the customer, but to those concerned about security, it is anything but invisible.

A payment gateway is an e-commerce application service provider that authorizes payments for e-businesses, online retailers, bricks-and-clicks businesses, or traditional brick-and-mortar stores. It is the equivalent of a physical point-of-sale terminal located in most retail outlets. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between the merchant and the payment processor.

2.1 How payment gateways work

A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or IVR service) and the Front End Processor or acquiring bank. When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction.

2.1.1 A customer places an order on the website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.

2.1.2 If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's web server. Among other methods, this may be done via SSL (Secure Sockets Layer) encryption.

2.1.3 The payment gateway may allow transaction data to be sent directly from the customer's browser to the gateway, bypassing the merchant's systems. This reduces the merchant's PCI-DSS compliance obligations without redirecting the customer away from the website.

2.1.4 The merchant then forwards the transaction details to their payment gateway. This is another (SSL) encrypted connection to the payment server hosted by the payment gateway.

2.1.5 The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.

2.1.6 The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard).

If an American Express or Discover card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.

Otherwise (e.g., a MasterCard or Visa card was used), the card association routes the transaction to the correct card issuing bank.

The credit card issuing bank receives the authorization request, performs fraud and credit or debit checks, and then sends a response back to the processor (via the same path as the request for authorization) with a response code (e.g., approved or denied).

In addition to communicating the fate of the authorization request, the response code is used to state the reason why the transaction failed (such as insufficient funds, or bank link not available). Meanwhile, the credit card issuer holds an authorization associated with that merchant and consumer for the approved amount. This can impact the consumer's ability to spend further (e.g., because it reduces the line of credit available or because it puts a hold on a portion of the funds in a debit account).

The processor forwards the authorization response to the payment gateway.

The payment gateway receives the response and forwards it on to the website (or whatever interface was used to process the payment), where it is interpreted as a relevant response and then relayed back to the merchant and cardholder. This is known as the authorization or "auth".

The entire process typically takes 2–3 seconds.

The merchant then fulfills the order, and the above process is repeated, but this time to "clear" the authorization by completing the transaction. Typically the "clear" is initiated only after the merchant has fulfilled the transaction (e.g., shipped the order). This results in the issuing bank clearing the auth (i.e., moving the auth hold to a debit) and preparing to settle with the merchant's acquiring bank.

The merchant submits all their approved authorizations, in a "batch" (e.g., at the end of the day), to their acquiring bank for settlement via its processor.

The acquiring bank makes the batch settlement request of the credit card issuer.

The credit card issuer makes a settlement payment to the acquiring bank (e.g., the next day).

The acquiring bank subsequently deposits the total of the approved funds into the merchant's nominated account (e.g., the day after). This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.

The entire process from authorization to settlement to funding typically takes 3 days.
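The authorization, clear and settlement steps above, as an added Go example that is not code from the original paper or from any real processor: the issuer holds the approved amount against the cardholder's credit line, a second authorization that exceeds the remaining credit is declined, clearing moves the hold to a debit (and a repeated clear is rejected), and the acquirer's batch settlement funds the merchant. The Issuer type, the function names and the integer amounts are assumptions constructed for the example.

```go
package main

import "fmt"

// Issuer response codes, after the approved / denied codes in the text.
const Approved, InsufficientFunds = "approved", "insufficient funds"

// Issuer models the card issuing bank (constructed for this example).
type Issuer struct {
	creditLimit int
	posted      int         // cleared amounts already debited
	holds       map[int]int // authID -> amount still on hold
	nextAuth    int
}

func NewIssuer(limit int) *Issuer {
	return &Issuer{creditLimit: limit, holds: map[int]int{}, nextAuth: 1}
}

// Available is what the cardholder can still spend; holds count against it.
func (is *Issuer) Available() int {
	held := 0
	for _, h := range is.holds {
		held += h
	}
	return is.creditLimit - is.posted - held
}

// Authorize is the issuer's credit check; on approval it places a hold and
// returns the id the merchant must present later to clear it.
func (is *Issuer) Authorize(amount int) (authID int, code string) {
	if amount <= 0 || amount > is.Available() {
		return 0, InsufficientFunds
	}
	authID = is.nextAuth
	is.nextAuth++
	is.holds[authID] = amount
	return authID, Approved
}

// Clear moves a hold to a posted debit; a repeated or unknown authID finds
// no hold and is rejected, so one approval is never debited twice.
func (is *Issuer) Clear(authID int) (amount int, ok bool) {
	amount, ok = is.holds[authID]
	if !ok {
		return 0, false
	}
	delete(is.holds, authID)
	is.posted += amount
	return amount, true
}

// SettleBatch is the acquirer's end-of-day settlement: cleared amounts are
// summed and deposited into the merchant's account; the new balance is returned.
func SettleBatch(batch []int, merchantAccount int) int {
	for _, amt := range batch {
		merchantAccount += amt
	}
	return merchantAccount
}

func main() {
	is := NewIssuer(100)
	id, code := is.Authorize(60)
	_, code2 := is.Authorize(50) // declined: only 40 remains after the hold
	amt, _ := is.Clear(id)
	fmt.Println(code, code2, is.Available(), SettleBatch([]int{amt}, 0))
}
```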

Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time before the authorization request is sent to the processor. Tools to detect fraud include geolocation, velocity pattern analysis, OFAC list lookups, blacklist lookups, delivery address verification, computer fingerprinting technology, identity morphing detection, and basic AVS (Address Verification System) checks.

3. SECURE PAYMENT GATEWAY SYSTEM INFRASTRUCTURE: REQUIREMENT ISSUES

Issues of trust and acceptance play a more significant role in the e-commerce world where payment systems (online transactions) are concerned. In the e-commerce world, in most cases the customer does not actually see the concrete product at the time of the transaction, and the payment is performed electronically. Electronic payment systems (EPSs) enable a customer to pay for goods and services online by using integrated hardware and software systems. The main objectives of an EPS are to increase efficiency, improve security, and enhance customer convenience and ease of use. Although these systems are still immature, some significant development has been made. There are several methods and tools that can be used to enable EPS implementation.

Figure 3.2 Electronic payment scheme

3.1 EPS SECURITY MODEL

A simple but widely applicable security model is the CIA triad: Confidentiality, Integrity and Availability, three key principles which should be guaranteed in any kind of secure system. This principle is applicable across the whole subject of security analysis, from access to a user's Internet history to the security of encrypted data across the Internet. If any one of the three is breached it can have serious consequences for the parties concerned. Secure electronic funds transfer is crucial to e-commerce. To ensure the integrity and security of each electronic transaction, EPSs utilize some or all of the following security measures and technologies: authentication, public key cryptography, digital signatures, certificates, etc.

3.1.1 Confidentiality

Confidentiality is the ability to hide information from those unauthorized to view it. It is perhaps the most obvious aspect of the CIA triad when it comes to security, but correspondingly it is also the one which is attacked most often. Cryptography and encryption methods are an example of an attempt to ensure the confidentiality of data transferred from one computer to another.

3.1.2 Integrity

Integrity is the ability to ensure that data is an accurate and unchanged representation of the original secure information. One type of security attack is to intercept some important data and make changes to it before sending it on to the intended receiver.

3.1.3 Availability

It is important to ensure that the information concerned is readily accessible to the authorized viewer at all times. Some types of security attack attempt to deny access to the appropriate user, either for the sake of inconveniencing them or because there is some secondary effect. For example, by breaking the website of a particular search engine, a rival may become more popular.

3.1.4 Public Key Cryptography

Public key cryptography uses two keys, one public and one private, to encrypt and decrypt data, respectively. Cryptography is the process of protecting the integrity and accuracy of information by encrypting data into an unreadable format, called ciphertext. Only those who possess the private key can decrypt the message into plaintext.

Public key cryptography uses a pair of keys, one private and one public. In contrast, private key cryptography uses only one key for both encryption and decryption. The advantage of the dual-key technique is that it allows a business to give away its public key to anyone who wants to send it a message. The sender can then encrypt the message with the public key and send it to the intended business over the Internet or any other public network; the business can then use its private key to decrypt the message. Obviously, the private key is not publicly known.

3.1.5 Digital Signature

A digital signature is the electronic counterpart of a written signature: it can be used to authenticate the identity of the sender of a message or of the signer of a document. E-check technology also allows digital signatures to be applied to document blocks, rather than to the entire document. This lets part of a document be separated from the original without compromising the integrity of the digital signature. This technology would also be very useful for business contracts and other legal documents transferred over the Web. A digital signature includes any type of electronic message encrypted with a private key that is able to identify the origin of the message. The following are some functions of a digital signature.

3.1.5.1 The authentication function: The term digital signature in general is relevant to the practice of adding a string of characters to an electronic message that serves to identify the sender or the originator of a message.

3.1.5.2 The seal function: Some digital signature techniques also serve to provide a check against any alteration of the text of the message after the digital signature was appended.

3.1.5.3 The integrity function: This function is of great interest in cases where legal documents are created using such digital signatures.

3.1.5.4 The privacy function: Privacy and confidentiality are of significant concern in many instances where the sender wishes to keep the contents of the message private from all but the intended recipient.
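The block-wise signing described in 3.1.5, as an added Go example that is not part of the original paper or of any e-check product: every block of a document is signed separately with Ed25519 (an assumed choice of algorithm) and bound to its document id and position, so a detached block still verifies on its own, while an altered, moved or reordered block fails verification (the seal and integrity functions above). The Block type and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Block is one independently signed part of a document (constructed for this
// example); carrying its own signature, it can be detached and verified alone.
type Block struct {
	DocID string // document the block belongs to
	Index uint32 // position of the block within the document
	Data  []byte
	Sig   []byte
}

// NewKeyPair generates the signer's Ed25519 key pair (nil reader = crypto/rand).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// blockMessage is what actually gets signed: a length-prefixed document id and
// the block's position are bound to the data, so a genuine block cannot be
// moved to another document or slot without the signature failing.
func blockMessage(docID string, index uint32, data []byte) []byte {
	msg := make([]byte, 8, 8+len(docID)+len(data))
	binary.BigEndian.PutUint32(msg[:4], uint32(len(docID)))
	binary.BigEndian.PutUint32(msg[4:8], index)
	msg = append(msg, docID...)
	return append(msg, data...)
}

// SignBlocks signs every part of the document separately with the same key.
func SignBlocks(priv ed25519.PrivateKey, docID string, parts [][]byte) []Block {
	blocks := make([]Block, len(parts))
	for i, p := range parts {
		sig := ed25519.Sign(priv, blockMessage(docID, uint32(i), p))
		blocks[i] = Block{DocID: docID, Index: uint32(i), Data: p, Sig: sig}
	}
	return blocks
}

// VerifyBlock checks one block in isolation (the seal function in the text):
// any change to its data, document id or position invalidates the signature.
func VerifyBlock(pub ed25519.PublicKey, b Block) bool {
	return ed25519.Verify(pub, blockMessage(b.DocID, b.Index, b.Data), b.Sig)
}

// VerifyDocument checks that a full set of blocks belongs to docID, is in
// order and that every block verifies; reordered or foreign blocks fail.
func VerifyDocument(pub ed25519.PublicKey, docID string, blocks []Block) bool {
	for i, b := range blocks {
		if b.DocID != docID || b.Index != uint32(i) || !VerifyBlock(pub, b) {
			return false
		}
	}
	return true
}

func main() {
	pub, priv := NewKeyPair()
	parts := [][]byte{[]byte("order: 2 items"), []byte("ship to: example"), []byte("total: 42.00")}
	blocks := SignBlocks(priv, "doc-1", parts)
	fmt.Println(VerifyDocument(pub, "doc-1", blocks), VerifyBlock(pub, blocks[1]))
}
```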

4. KEY THREATS TO AN INSECURE ONLINE TRANSACTION SYSTEM

Any organization's, government's or personal computers are affected by a broad range of security threats. The security threats considered while designing the authentication requirements are as follows:

4.1 Online Guessing: In an online guessing attack, an unauthorized party connects to the verifier via the network and attempts to guess a secret token (e.g., a password) with the goal of impersonating the legitimate user.

4.2 Eavesdropping: An eavesdropping attack occurs when an unauthorized party listens to conversations between authorized parties (e.g., users and verifiers) and collects their data. Eavesdroppers may listen passively to the authentication protocol exchange and then attempt to learn secrets (e.g., passwords or keys) to pose as legitimate users.

4.3 Session Hijacking: Session hijacking is a security attack on a user session where an attacker attempts to take over application user sessions. Session hijacking works by taking advantage of the fact that communications may be protected through an initial authentication transaction at session setup, but not thereafter.

4.4 Phishing: In a verifier impersonation attack, an attacker poses as the verifier in an attempt to fool a user into exposing secrets.

4.5 Man-in-the-Middle: In a man-in-the-middle attack, an attacker places itself in the communication channel between the user and verifier such that all communications go through it. An attacker may operate in passive mode (collecting information as it relays the data as intended) or may play an active role (communicating with both user and verifier or relying party and impersonating one to the other) to gain access to sensitive user data.

4.6 Replay: A replay attack is a specific form of man-in-the-middle attack in which an attacker records and replays some part of a previous successful authentication protocol transaction to the verifier in order to gain access to sensitive user data.

4.7 Exploit attack: In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

4.8 Buffer overflow: A buffer overflow attack occurs when the attacker sends more data to an application than it expects. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell.

4.9 Cryptographic Attack Methods: There are six related cryptographic attack methods, including three plaintext-based methods and three ciphertext-based methods:

4.9.1 Known Plaintext and Ciphertext-Only Attacks

A known plaintext attack is an attack where a cryptanalyst has access to a plaintext and the corresponding ciphertext and seeks to discover a correlation between the two.

A ciphertext-only attack is an attack where a cryptanalyst has access to a ciphertext but does not have access to corresponding plaintext. With simple ciphers, such as the Caesar Cipher, frequency analysis can be used to break the cipher.

4.9.2 Chosen Plaintext and Chosen Ciphertext Attacks

A chosen plaintext attack is an attack where a cryptanalyst can encrypt a plaintext of his choosing and study the resulting ciphertext. This is most common against asymmetric cryptography, where a cryptanalyst has access to a public key.

A chosen ciphertext attack is an attack where a cryptanalyst chooses a ciphertext and attempts to find a matching plaintext. This can be done with a decryption oracle (a machine that decrypts without exposing the key). This is also often used against public key encryption; it begins with a ciphertext and searches for matching publicly posted plaintext data.

4.9.3 Adaptive Chosen Plaintext & Adaptive Chosen Ciphertext Attacks

In both adaptive attacks, a cryptanalyst chooses further plaintexts or ciphertexts (adapts the attack) based on prior results.

5. EMERGING ISSUES WHILE PERFORMING ONLINE TRANSACTIONS

5.1 Do I need to upgrade my online accounts to use Extended Validation (EV) certificates?

No, you never need to update your online account or information to use EV certificates. Some phishing e-mails try to trick you into giving personal or financial information by claiming that you need to upgrade your account for better security with an EV certificate. Internet Explorer supports EV certificates natively and you do not have to do anything other than visit a website. If your bank is using an EV certificate, your Address bar will be green. If you don't see a green Address bar, then the website does not use an Extended Validation certificate.

5.2 If a website has secure transactions, does that mean the website is safe to use?

Not necessarily. A secure (encrypted) connection is not a guarantee that the website is safe to use. A secure connection only assures you of the identity of the website, based on the information provided by the certifying organization. You should only consider giving personal information to a website that you know and trust.

5.3 How can I increase the safety of my online transactions?

While there is no guarantee of safety on the web, you can minimize online privacy or security problems by using websites you know and trust. Internet Explorer cannot tell whether a website owner is trustworthy. Try to use sites you've used previously or that are recommended by trusted friends or family. You should also turn on Internet Explorer's Phishing Filter to help identify fraudulent websites.

5.4 What does it mean when I have both secure and non-secure (mixed) content?

Secure and non-secure content, or mixed content, means that a webpage is trying to display elements using both secure (HTTPS/SSL) and non-secure (HTTP) web server connections. This often happens with online stores or financial sites that display images, banners, or scripts coming from a server that is not secured. The risk of displaying mixed content is that a non-secure webpage or script might be able to access information from the secure content.

6. BENEFITS

Online Transaction Processing (OLTP) has two key benefits:

6.1 Simplicity

6.2 Efficiency

Reduced paper trails and the faster, more accurate forecasts for revenues and expenses are both examples of how OLTP makes things simpler for businesses.

7. CONCLUSION

When it comes to choosing a payment gateway provider for online transactions, you need to examine their security measures because your business' reputation will depend on it. The provider should be effectively managing all facets of security on an ongoing basis. The data should be secured via a 128-bit digital certificate. The data center where the payment gateway servers are housed has ongoing requirements regarding physical security as well as information security. The provider should have firewall and intrusion detection systems installed at the operating system and application layers, as well as have database security and transaction security in place. The main advantages of the payment system for online transactions are: it uses strong cryptography and authenticity checking models; the merchant is prevented from seeing payment information; the customer can easily use the system, since he is not required to install additional software for secure payments or to have a digital certificate.

ACKNOWLEDGEMENT

We would like to express our sincere gratitude to our seniors, research fellows, committee members, and Mr. Pankaj Singh (Area Manager, CashLink Global Systems Pvt Ltd). It would not have been possible for us to successfully complete this paper without the guidance and expertise of our advisor Mr. Pankaj Singh. He inspired and motivated us all along with regular input and constant support. Last but not least, we thank God for showering his kind blessings on us.


