The technologies used in security in online payments
The purpose of this review is to critically review what has been published so far and look for
ways research could be improved in the future.
To do this I have researched previous publications from across the world to find out how
research is being carried out and what is being discovered.
From what I have found there seems to be a glaring void in reputable publication of findings.
The main research comes from companies with a vested interest in selling their service in
these matters. From my research there seems to be a real lack in user information available
for the general public. They are expected to understand the technology behind it and trust
what the guidelines say without any real evidentiary material being freely available.
The technologies used in online payments are an important area of research. Online
transactions are ever increasing throughout the world: "US eCommerce and online retail sales
projected to reach $197 billion in 2011, an increase of 12% over 2010." (Andrew Bartels,
Forrester Research, 01/04/2011). There is also an increasing amount of fraudulent activity,
although overall losses are down. For online transactions to continue to grow, consumers
must feel safe making the transaction. To sustain growth in the area, the technologies used
must be constantly checked.
I will look at some of the different types of technologies used and how effective the research
carried out deems them.
Secure Sockets Layer Protocol (SSL):
SSL was developed by Netscape to provide a level of protection when transferring payment
details online. Standard SSL protects these details using 40-bit encryption. During the
process the browser requests that the web server identify itself, and the server then sends a
copy of its SSL certificate. The browser checks whether this certificate is trustworthy and,
if so, returns a message to the server. The server then starts an SSL encrypted session.
Encrypted data is then shared between the server and browser. The user is made aware of the
use of SSL by the padlock symbol in the bottom left corner of their browser. This encryption
is considered weak by many and, as put by Dhirendra Pandey and Dr A Rastogi (2010, p. 12),
"Though the E-commerce development is accumulated by credit payment under base of SSL, yet
more advanced technology of payment system should be adopted to make the E-commerce spread
its area more broadly".
David Wagner and Bruce Schneier (1997) note in their paper that "In summary, the protection
of application data by the SSL record layer is, on the whole, quite good. The preceding
section indicated a few small areas of concern, but they should be considered minor and
the exception to the rule". The paper, published in 1997, highlights problems in the
protocol, although minor, that have been there since inception.
SSL is the most common form of online payment detail protection but, as has been noted, it is
not considered to be sufficient by all.
There is an ever-growing number of commercially available forms of SSL; the current highest
utilises 128-bit encryption and is employed by, amongst others, PayPal.
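The two points made in this section, that the server certificate must be checked and that 40-bit encryption is weak next to 128-bit, can be tested on the client side. The following is an added example, not taken from this review or from any of the cited papers; it uses Python's standard ssl module, and the function names and the two-entry sample suite list are constructed for illustration.

```python
import ssl

MIN_BITS = 128  # strength the review names as the current highest; 40-bit is the weak case

# Constructed sample in the shape returned by SSLContext.get_ciphers():
# one 40-bit export-grade suite and one 128-bit suite.
SAMPLE_SUITES = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "AES128-SHA", "strength_bits": 128},
]

def weak_suites(suites, min_bits=MIN_BITS):
    """Return the names of suites whose key strength is below min_bits."""
    return [s["name"] for s in suites if s.get("strength_bits", 0) < min_bits]

def audit_client_context(ctx, min_bits=MIN_BITS):
    """Report whether a client context checks the server certificate and
    which of its enabled cipher suites fall below min_bits."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "weak_suites": weak_suites(ctx.get_ciphers(), min_bits),
    }

def hardened_context():
    """Client context that validates the certificate chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_context():
    """Weak setting shown for comparison: the certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    print("sample suites below 128 bits:", weak_suites(SAMPLE_SUITES))
    print("hardened  :", audit_client_context(hardened_context()))
    print("unverified:", audit_client_context(unverified_context()))
```
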
Secure Electronic Transaction (SET):
SET was originally developed by Visa and Mastercard in conjunction with leading
technology providers to provide security when using cards to purchase online. This
technology encrypts and verifies data so that both parties are known to be genuine. This is
considered safer than SSL by many as it requires the card companies to validate the
authenticity of the payment. Pandey, D. et al. (2010, p. 13): "Currently, SET is widely
applied as the public standard of safety payment of E-commerce. SET can enable the
information of the cardholder to be reached, read and verified only by the bank, while
supplier has the right to extend payment request and accept the payments".
Many have researched slimming down the electronic footprint of SET.
Hanaoka et al. (2001, p. 2042) state "While SET has a number of advantages over other
protocols in terms of simplicity and openness, there seems to be a consensus regarding the
relative inefficiency of the protocol".
Mastercard and Visa, two of the main developers of SET, have since moved to 3-D Secure.
They each call it by a different name, “Mastercard SecureCode” and “Verified by Visa”, but
essentially it is the same. The technology involves authentication between all three parties:
the vendor, the acquiring bank and Visa or Mastercard.
This new technology has itself been berated by reviewers. Murdoch, J., & Anderson, R.
(2010) summarise “But 3DS ignores the other lessons learnt from earlier systems. The result is
that customers receive little benefit in security, while suffering a huge increase in their
liability for fraud. They are also trained in unsafe behaviour online. Now our experience in
recent years is that when attacks can be profitably industrialised, they will be; the growth of
man-in-the-middle attacks and malware will ensure that 3DS is not sustainable in its present
In conclusion, the technologies used are, on the face of it, adequate, but continuing and more
specialised research should be carried out by governing bodies. As stated by Murdoch et al.
(2010), “What is needed now is for regulators to intervene on behalf of the consumer”.
There seems to be a failing in general from all governing bodies involved in these
technologies to regulate and push for better quality technologies to be used.
This research and investigation should be made more publicly available. The UK
government does not deal specifically with the technologies in any published paper that
during my research phase I could find. I believe that there must have been some research
done, but the simple fact I was unable to find it leads me to the conclusion that it is hidden
from general view.
Bartels, A. (2011, April 1). Forrester Projects *% Growth In US IT Retrieved from
Pandey, D., & Rastogi, Dr A. (2010). A critical Research on threats and security technology
related to Payment System on E-commerce Network. International Journal of Computer
Applications, Volume 8, No 3, Page 11 to 14.
Wagner, D., & Schneier, B. (1997). Analysis of the SSL 3.0 Protocol.
Hanaoka et al. (2001). Improving the Secure Electronic Transaction Protocol by Using
Signcryption. IEICE Trans. Fundamentals, Volume E84-A, No 8, Page 2042 to 2051.
Murdoch, J., & Anderson, R. (2010). Verified by Visa and Mastercard SecureCode: or, How
Not to Design Authentication.